To start a new Switched Port Analyzer (SPAN) session or Remote SPAN (RSPAN) destination session, to enable ingress traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance), and to add or delete interfaces or VLANs to or from an existing SPAN or RSPAN session, use the monitor session destination global configuration command. To remove the SPAN or RSPAN session or to remove destination interfaces from the SPAN or RSPAN session, use the no form of this command.
monitor session session-number destination {interface interface-id [, | -] [encapsulation {replicate | dot1q}] [ingress [dot1q | untagged] vlan vlan-id] | remote vlan vlan-id}

no monitor session session-number destination {interface interface-id [, | -] [encapsulation {replicate | dot1q}] [ingress [dot1q | untagged] vlan vlan-id] | remote vlan vlan-id}
Syntax Description

session-number
    The session number identified with the SPAN or RSPAN session. The range is 1 to 66.

interface interface-id
    Specifies the destination or source interface for a SPAN or RSPAN session. Valid interfaces are physical ports (including type, stack member, module, and port number). For a source interface, port channel is also a valid interface type, and the valid range is 1 to 128.

,
    (Optional) Specifies a series of interfaces or VLANs, or separates a range of interfaces or VLANs from a previous range. Enter a space before and after the comma.

-
    (Optional) Specifies a range of interfaces or VLANs. Enter a space before and after the hyphen.

encapsulation replicate
    (Optional) Specifies that the destination interface replicates the source interface encapsulation method. If not selected, the default is to send packets in native form (untagged).
    These keywords are valid only for local SPAN. For RSPAN, the RSPAN VLAN ID overwrites the original VLAN ID; therefore, packets are always sent untagged. The encapsulation options are ignored with the no form of the command.

encapsulation dot1q
    (Optional) Specifies that the destination interface accepts the source interface incoming packets with IEEE 802.1Q encapsulation.
    These keywords are valid only for local SPAN. For RSPAN, the RSPAN VLAN ID overwrites the original VLAN ID; therefore, packets are always sent untagged. The encapsulation options are ignored with the no form of the command.

ingress
    Enables ingress traffic forwarding.

dot1q
    (Optional) Accepts incoming packets with IEEE 802.1Q encapsulation with the specified VLAN as the default VLAN.

untagged
    (Optional) Accepts incoming packets with untagged encapsulation with the specified VLAN as the default VLAN.

isl
    Specifies ingress forwarding using ISL encapsulation.

remote
    Specifies the remote VLAN for an RSPAN source or destination session. The range is 2 to 1001 and 1006 to 4094.
    The RSPAN VLAN cannot be VLAN 1 (the default VLAN) or VLAN IDs 1002 to 1005 (reserved for Token Ring and FDDI VLANs).

vlan vlan-id
    Sets the default VLAN for ingress traffic when used with only the ingress keyword.
Command Default

No monitor sessions are configured.

If encapsulation replicate is not specified on a local SPAN destination port, packets are sent in native form with no encapsulation tag.

Ingress forwarding is disabled on destination ports.

You can specify all, local, range session-range, or remote with the no monitor session command to clear all SPAN and RSPAN sessions, all local SPAN sessions, a range of sessions, or all RSPAN sessions.

Command Modes

Global configuration
Command History

Release                         Modification
Cisco IOS XE Everest 16.5.1a    This command was introduced.
Usage Guidelines
You can set a combined maximum of 8 local SPAN sessions and RSPAN source sessions. You can have a total of 66 SPAN and RSPAN
sessions on a switch or switch stack.
A SPAN or RSPAN destination
must be a physical port.
You can have a maximum of
64 destination ports on a switch or a switch stack.
Each session can include
multiple ingress or egress source ports or VLANs, but you cannot combine source
ports and source VLANs in a single session. Each session can include multiple
destination ports.
When you use VLAN-based
SPAN (VSPAN) to analyze network traffic in a VLAN or set of VLANs, all active
ports in the source VLANs become source ports for the SPAN or RSPAN session.
Trunk ports are included as source ports for VSPAN, and only packets with the
monitored VLAN ID are sent to the destination port.
You can monitor traffic on
a single port or VLAN or on a series or range of ports or VLANs. You select a
series or range of interfaces or VLANs by using the [, |
-] options.
If you specify a series of
VLANs or interfaces, you must enter a space before and after the comma. If you
specify a range of VLANs or interfaces, you must enter a space before and after
the hyphen (- ).
EtherChannel ports can be configured as SPAN or RSPAN destination ports. A physical port that is a member of an EtherChannel group can be used as a destination port, but it cannot participate in the EtherChannel group while it is a SPAN destination.
A port used as a destination port cannot be a SPAN or RSPAN source, nor can a port be a destination port for more than one session at a time.
You can enable IEEE 802.1x
authentication on a port that is a SPAN or RSPAN destination port; however,
IEEE 802.1x authentication is disabled until the port is removed as a SPAN
destination. If IEEE 802.1x authentication is not available on the port, the
switch returns an error message. You can enable IEEE 802.1x authentication on a
SPAN or RSPAN source port.
If ingress traffic
forwarding is enabled for a network security device, the destination port
forwards traffic at Layer 2.
Destination ports can be configured to function in these ways:
- When you enter monitor session session_number destination interface interface-id with no other keywords, egress encapsulation is untagged, and ingress forwarding is not enabled.
- When you enter monitor session session_number destination interface interface-id ingress, egress encapsulation is untagged; ingress encapsulation depends on the keyword that follows: dot1q or untagged.
- When you enter monitor session session_number destination interface interface-id encapsulation replicate with no other keywords, egress encapsulation replicates the source interface encapsulation; ingress forwarding is not enabled. (This applies to local SPAN only; RSPAN does not support encapsulation replication.)
- When you enter monitor session session_number destination interface interface-id encapsulation replicate ingress, egress encapsulation replicates the source interface encapsulation; ingress encapsulation depends on the keyword that follows: dot1q or untagged. (This applies to local SPAN only; RSPAN does not support encapsulation replication.)
You can verify your settings by entering the show monitor privileged EXEC command. You can display SPAN, RSPAN, FSPAN, and FRSPAN configuration on the switch by entering the show running-config privileged EXEC command. SPAN information appears near the end of the output.
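An unauthorized or misconfigured SPAN destination copies traffic to a port an attacker can reach, so auditing the monitor session lines in the running configuration is worth automating. The following Python script is an added example, not Cisco code: it parses the monitor session lines as they appear near the end of show running-config output, reports the egress encapsulation and ingress mode each destination line implies (the four configurations listed above), and checks the sessions against the limits and restrictions in the usage guidelines (session range 1 to 66, RSPAN VLAN range, no mixing of source ports and source VLANs, a destination port never a source or shared between sessions, at most 8 local SPAN plus RSPAN source sessions, at most 64 destination ports). The configuration excerpt it runs on is constructed for the example, with deliberate violations; every interface name and session number in it is hypothetical, and it assumes interface names appear in the abbreviated Gi1/0/1 form.

```python
"""Audit 'monitor session' lines from a Cisco IOS XE running-config excerpt.
Added example, not Cisco's code. The excerpt below is constructed and every
interface name and session number in it is hypothetical."""
import re
from collections import defaultdict

# Constructed sample with deliberate violations (see audit() for which ones).
SAMPLE_CONFIG = """\
monitor session 1 source interface Gi1/0/1 both
monitor session 1 destination interface Gi1/0/2
monitor session 2 source interface Gi1/0/5 - 6 rx
monitor session 2 destination interface Gi1/0/2 encapsulation replicate ingress dot1q vlan 5
monitor session 3 source vlan 10 , 20
monitor session 3 source interface Gi1/0/7
monitor session 3 destination remote vlan 900
monitor session 10 source remote vlan 1002
monitor session 10 destination interface Gi1/0/1 ingress untagged vlan 5
"""

LINE_RE = re.compile(r"^monitor session (\d+) (source|destination) (.+)$")
DIRECTIONS = {"rx", "tx", "both"}            # optional trailing source keywords
DST_KEYWORDS = {"encapsulation", "ingress"}  # where destination options begin


def expand_range(spec):
    """Expand the [, | -] list syntax: 'Gi1/0/5 - 7 , Gi1/0/9' gives three
    ports, '10 - 12 , 20' gives four VLAN IDs (returned as strings)."""
    items = []
    for item in (i.strip() for i in spec.split(",")):
        if " - " in item:
            first, last = (p.strip() for p in item.split(" - ", 1))
            prefix, start = first.rsplit("/", 1) if "/" in first else ("", first)
            end = last.rsplit("/", 1)[-1]          # accept 'Gi1/0/7' or '7'
            sep = "/" if prefix else ""
            items += [f"{prefix}{sep}{n}" for n in range(int(start), int(end) + 1)]
        elif item:
            items.append(item)
    return items


def parse_sessions(config_text):
    """Group monitor session lines by session number."""
    sessions = defaultdict(lambda: {"src_ports": [], "src_vlans": [], "src_remote": None,
                                    "dst_ports": [], "dst_remote": None, "dst_keywords": []})
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        num, kind, words = int(m.group(1)), m.group(2), m.group(3).split()
        s = sessions[num]
        if words[:2] == ["remote", "vlan"]:      # RSPAN VLAN on either side
            s["src_remote" if kind == "source" else "dst_remote"] = int(words[2])
        elif kind == "source":
            if words[-1] in DIRECTIONS:
                words = words[:-1]
            key = "src_ports" if words[0] == "interface" else "src_vlans"
            s[key] += expand_range(" ".join(words[1:]))
        else:
            cut = next((i for i, w in enumerate(words) if w in DST_KEYWORDS), len(words))
            s["dst_ports"] += expand_range(" ".join(words[1:cut]))
            s["dst_keywords"] += words[cut:]
    return dict(sessions)


def destination_mode(keywords):
    """(egress encapsulation, ingress mode) implied by a destination line,
    following the four destination-port configurations in the guidelines."""
    egress = "untagged"
    if "encapsulation" in keywords:
        egress = keywords[keywords.index("encapsulation") + 1]   # replicate | dot1q
    ingress = "disabled"
    if "ingress" in keywords:
        after = keywords[keywords.index("ingress") + 1:]
        ingress = after[0] if after and after[0] in ("dot1q", "untagged") else "enabled"
    return egress, ingress


def audit(sessions):
    """Return the documented limits and restrictions that the sessions violate."""
    findings, dst_owner = [], {}                 # dst_owner: port -> first session using it
    all_sources = {p for s in sessions.values() for p in s["src_ports"]}
    span_or_rspan_source = 0
    for num, s in sorted(sessions.items()):
        if not 1 <= num <= 66:
            findings.append(f"session {num}: number outside 1-66")
        for v in (s["src_remote"], s["dst_remote"]):
            if v is not None and not (2 <= v <= 1001 or 1006 <= v <= 4094):
                findings.append(f"session {num}: RSPAN VLAN {v} outside 2-1001 / 1006-4094")
        if s["src_ports"] and s["src_vlans"]:
            findings.append(f"session {num}: mixes source ports and source VLANs")
        if s["src_remote"] is None:              # local SPAN or RSPAN source session
            span_or_rspan_source += 1
        for p in s["dst_ports"]:
            if p in all_sources:
                findings.append(f"session {num}: destination {p} is also a SPAN source")
            if p in dst_owner:
                findings.append(f"session {num}: destination {p} already used by session {dst_owner[p]}")
            dst_owner.setdefault(p, num)
    if span_or_rspan_source > 8:
        findings.append(f"{span_or_rspan_source} local SPAN + RSPAN source sessions (max 8)")
    if len(dst_owner) > 64:
        findings.append(f"{len(dst_owner)} destination ports (max 64)")
    return findings


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_CONFIG)
    for num, sess in sorted(parsed.items()):
        if sess["dst_ports"]:
            print(f"session {num}: egress/ingress = {destination_mode(sess['dst_keywords'])}")
    for finding in audit(parsed):
        print("VIOLATION:", finding)
```

Run it against text captured from show running-config (or pipe the output in place of SAMPLE_CONFIG) to flag sessions that the switch would have rejected or that point monitored traffic somewhere unexpected; the switch enforces these rules itself, but a run over configuration backups catches a session that was added out of band.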
Examples
This example shows how to create a local SPAN session 1 to monitor both sent and received traffic on source port 1 on stack member 1 to destination port 2 on stack member 1:
Device(config)# monitor session 1 source interface gigabitethernet1/0/1 both
Device(config)# monitor session 1 destination interface gigabitethernet1/0/2
This example shows how to
delete a destination port from an existing local SPAN session:
Device(config)# no monitor session 2 destination interface gigabitethernet1/0/2
This example shows how to
configure RSPAN source session 1 to monitor a source interface and to configure
the destination RSPAN VLAN 900:
Device(config)# monitor session 1 source interface gigabitethernet1/0/1
Device(config)# monitor session 1 destination remote vlan 900
Device(config)# end
This example shows how to
configure an RSPAN destination session 10 in the switch receiving the monitored
traffic:
Device(config)# monitor session 10 source remote vlan 900
Device(config)# monitor session 10 destination interface gigabitethernet1/0/2
This example shows how to
configure the destination port for ingress traffic on VLAN 5 by using a
security device that supports IEEE 802.1Q encapsulation. Egress traffic
replicates the source; ingress traffic uses IEEE 802.1Q encapsulation.
Device(config)# monitor session 2 destination interface gigabitethernet1/0/2 encapsulation dot1q ingress dot1q vlan 5
This example shows how to
configure the destination port for ingress traffic on VLAN 5 by using a
security device that does not support encapsulation. Egress traffic and ingress
traffic are untagged.
Device(config)# monitor session 2 destination interface gigabitethernet1/0/2 ingress untagged vlan 5