You can control the type of network traffic to be
monitored in SPAN or RSPAN sessions by using flow-based SPAN (FSPAN) or
flow-based RSPAN (FRSPAN), which apply access control lists (ACLs) to the
monitored traffic on the source ports. The FSPAN ACLs can be configured to
filter IPv4, IPv6, and non-IP monitored traffic.
You apply an ACL to a SPAN
session through the interface. It is applied to all the traffic that is
monitored on all interfaces in the SPAN session.The packets that are permitted
by this ACL are copied to the SPAN destination port. No other packets are
copied to the SPAN destination port.
The original traffic
continues to be forwarded, and any port, VLAN, and router ACLs attached are
applied. The FSPAN ACL does not have any effect on the forwarding decisions.
Similarly, the port, VLAN, and router ACLs do not have any effect on the
traffic monitoring. If a security input ACL denies a packet and it is not
forwarded, the packet is still copied to the SPAN destination ports if the
FSPAN ACL permits it. But if the security output ACL denies a packet and it is
not sent, it is not copied to the SPAN destination ports. However, if the
security output ACL permits the packet to go out, it is only copied to the SPAN
destination ports if the FSPAN ACL permits it. This is also true for an RSPAN
session.
You can attach three types of
FSPAN ACLs to the SPAN session:
-
IPv4 FSPAN ACL— Filters only
IPv4 packets.
-
IPv6 FSPAN ACL— Filters only
IPv6 packets.
-
MAC FSPAN ACL— Filters only
non-IP packets.
The
security ACLs have higher priority than the FSPAN ACLs on a
switch.
If FSPAN ACLs are applied, and you later add more security ACLs that cannot fit
in the hardware memory, the FSPAN ACLs that you applied are removed from memory
to allow space for the security ACLs. A system message notifies you of this
action, which is called unloading. When there is again space for the FSPAN ACLs
to reside in memory, they are added to the hardware memory on the
switch.
A system message notifies you of this action, which is called reloading. The
IPv4, IPv6 and MAC FSPAN ACLs can be unloaded or reloaded independently.
If a VLAN-based FSPAN session
configured on a stack cannot fit in the hardware memory on one or more
switches,
it is treated as unloaded on those
switches,
and traffic meant for the FSPAN ACL and sourcing on that
switch
is not copied to the SPAN destination ports. The FSPAN ACL continues to be
correctly applied, and traffic is copied to the SPAN destination ports on the
switches
where the FSPAN ACL fits in the hardware memory.
When an empty FSPAN ACL is
attached, some hardware functions copy all traffic to the SPAN destination
ports for that ACL. If sufficient hardware resources are not available, even an
empty FSPAN ACL can be unloaded.
IPv4 and MAC FSPAN ACLs are
supported on all feature sets. IPv6 FSPAN ACLs are supported only in the
advanced IP Services feature set.