user manual
• Both—In a SPAN session, you can also monitor a port or VLAN for both received and sent packets.
This is the default.
The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not
normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery
Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol
(STP), and Port Aggregation Protocol (PAgP). However, when you enter the encapsulation replicate keywords
when configuring a destination port, these changes occur:
•
Packets are sent on the destination port with the same encapsulation (untagged, Inter-Switch Link (ISL),
or IEEE 802.1Q) that they had on the source port.
•
Packets of all types, including BPDU and Layer 2 protocol packets, are monitored.
Therefore, a local SPAN session with encapsulation replicate enabled can have a mixture of untagged, ISL,
and IEEE 802.1Q tagged packets appear on the destination port.
Switch congestion can cause packets to be dropped at ingress source ports, egress source ports, or SPAN
destination ports. In general, these characteristics are independent of one another. For example:
•
A packet might be forwarded normally but dropped from monitoring due to an oversubscribed SPAN
destination port.
•
An ingress packet might be dropped from normal forwarding, but still appear on the SPAN destination
port.
•
An egress packet dropped because of switch congestion is also dropped from egress SPAN.
In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN destination
port. For example, a bidirectional (both Rx and Tx) SPAN session is configured for the Rx monitor on port
A and Tx monitor on port B. If a packet enters the switch through port A and is switched to port B, both
incoming and outgoing packets are sent to the destination port. Both packets are the same unless a Layer 3
rewrite occurs, in which case the packets are different because of the packet modification.
Source Ports
A source port (also called a monitored port) is a switched or routed port that you monitor for network traffic
analysis. In a local SPAN session or RSPAN source session, you can monitor source ports or VLANs for
traffic in one or both directions. The switch supports any number of source ports (up to the maximum number
of available ports on the switch) and any number of source VLANs (up to the maximum number of VLANs
supported). However, the switch supports a maximum of (local or RSPAN) with source ports or VLANs. You
cannot mix ports and VLANs in a single session.
A source port has these characteristics:
•
It can be monitored in multiple SPAN sessions.
•
Each source port can be configured with a direction (ingress, egress, or both) to monitor.
•
It can be any port type (for example, EtherChannel, Gigabit Ethernet, and so forth).
•
For EtherChannel sources, you can monitor traffic for the entire EtherChannel or individually on a
physical port as it participates in the port channel.
•
It can be an access port, trunk port, routed port, or voice VLAN port.
•
It cannot be a destination port.
Catalyst 2960-X Switch Network Management Configuration Guide, Cisco IOS Release 15.0(2)EX
72 OL-29044-01
Configuring SPAN and RSPAN
SPAN and RSPAN