To start a new Switched Port Analyzer (SPAN) session or Remote SPAN (RSPAN) destination session, to enable ingress traffic
on the destination port for a network security device (such as a Cisco IDS Sensor Appliance), and to add or delete interfaces
or VLANs to or from an existing SPAN or RSPAN session, use the monitor session destination global configuration command. To remove the SPAN or RSPAN session or to remove destination interfaces from the SPAN or RSPAN
session, use the no form of this command.
monitor session session-number destination {interface interface-id [, | -] [encapsulation {replicate | dot1q}] {ingress [dot1q | untagged]} | remote vlan vlan-id}
no monitor session session-number destination {interface interface-id [, | -] [encapsulation {replicate | dot1q}] {ingress [dot1q | untagged]} | remote vlan vlan-id}
Syntax Description

| Keyword or argument | Description |
|---|---|
| session-number | |
| interface interface-id | Specifies the destination or source interface for a SPAN or RSPAN session. Valid interfaces are physical ports (including type, stack member, module, and port number). For a source interface, port channel is also a valid interface type, and the valid range is 1 to 128. |
| , | (Optional) Specifies a series of interfaces or VLANs, or separates a range of interfaces or VLANs from a previous range. Enter a space before and after the comma. |
| - | (Optional) Specifies a range of interfaces or VLANs. Enter a space before and after the hyphen. |
| encapsulation replicate | (Optional) Specifies that the destination interface replicates the source interface encapsulation method. If not selected, the default is to send packets in native form (untagged). These keywords are valid only for local SPAN. For RSPAN, the RSPAN VLAN ID overwrites the original VLAN ID; therefore, packets are always sent untagged. The encapsulation options are ignored with the no form of the command. |
| encapsulation dot1q | (Optional) Specifies that the destination interface accepts the source interface incoming packets with IEEE 802.1Q encapsulation. These keywords are valid only for local SPAN. For RSPAN, the RSPAN VLAN ID overwrites the original VLAN ID; therefore, packets are always sent untagged. The encapsulation options are ignored with the no form of the command. |
| ingress | Enables ingress traffic forwarding. |
| dot1q | (Optional) Accepts incoming packets with IEEE 802.1Q encapsulation, with the specified VLAN as the default VLAN. |
| untagged | (Optional) Accepts incoming untagged packets, with the specified VLAN as the default VLAN. |
| isl | Specifies ingress forwarding using ISL encapsulation. |
| remote | Specifies the remote VLAN for an RSPAN source or destination session. The range is 2 to 1001 and 1006 to 4094. The RSPAN VLAN cannot be VLAN 1 (the default VLAN) or VLAN IDs 1002 to 1005 (reserved for Token Ring and FDDI VLANs). |
| vlan vlan-id | Sets the default VLAN for ingress traffic when used with only the ingress keyword. |
Command Default
No monitor sessions are configured.
If encapsulation replicate is not specified on a local SPAN destination port, packets are sent in native form with no encapsulation tag.
Ingress forwarding is disabled on destination ports.
You can specify all, local, range session-range, or remote with the no monitor session command to clear all SPAN and RSPAN sessions, all local SPAN sessions, a range of sessions, or all RSPAN sessions, respectively.
Command Modes
Global configuration
Command History

| Release | Modification |
|---|---|
| Cisco IOS XE Everest 16.6.1 | This command was introduced. |
Usage Guidelines
A SPAN or RSPAN destination must be a physical port.
You can have a maximum of 64 destination ports on a switch or a switch stack.
Each session can include multiple ingress or egress source ports or VLANs, but you cannot combine source ports and source
VLANs in a single session. Each session can include multiple destination ports.
When you use VLAN-based SPAN (VSPAN) to analyze network traffic in a VLAN or set of VLANs, all active ports in the source
VLANs become source ports for the SPAN or RSPAN session. Trunk ports are included as source ports for VSPAN, and only packets
with the monitored VLAN ID are sent to the destination port.
You can monitor traffic on a single port or VLAN or on a series or range of ports or VLANs. You select a series or range of
interfaces or VLANs by using the [, | -] options.
If you specify a series of VLANs or interfaces, you must enter a space before and after the comma. If you specify a range
of VLANs or interfaces, you must enter a space before and after the hyphen (-).
EtherChannel ports can be configured as SPAN or RSPAN destination ports. A physical port that is a member of an EtherChannel
group can be used as a destination port, but it cannot participate in the EtherChannel group while it is a SPAN destination.
A port used as a destination port cannot be a SPAN or RSPAN source, nor can a port be a destination port for more than one
session at a time.
You can enable IEEE 802.1x authentication on a port that is a SPAN or RSPAN destination port; however, IEEE 802.1x authentication
is disabled until the port is removed as a SPAN destination. If IEEE 802.1x authentication is not available on the port, the
switch returns an error message. You can enable IEEE 802.1x authentication on a SPAN or RSPAN source port.
If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2.
Destination ports can be configured to function in these ways:
- When you enter monitor session session_number destination interface interface-id with no other keywords, egress encapsulation is untagged, and ingress forwarding is not enabled.
- When you enter monitor session session_number destination interface interface-id ingress, egress encapsulation is untagged; ingress encapsulation depends on the keyword that follows (dot1q or untagged).
- When you enter monitor session session_number destination interface interface-id encapsulation replicate with no other keywords, egress encapsulation replicates the source interface encapsulation; ingress forwarding is not enabled. (This applies to local SPAN only; RSPAN does not support encapsulation replication.)
- When you enter monitor session session_number destination interface interface-id encapsulation replicate ingress, egress encapsulation replicates the source interface encapsulation; ingress encapsulation depends on the keyword that follows (dot1q or untagged). (This applies to local SPAN only; RSPAN does not support encapsulation replication.)
You can verify your settings by entering the show monitor privileged EXEC command. You can display SPAN, RSPAN, FSPAN, and FRSPAN configuration on the switch by entering the show running-config privileged EXEC command. SPAN information appears near the end of the output.
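The constraints in these usage guidelines (no mixing of source ports and source VLANs, a destination port may not be a source or serve two sessions, encapsulation keywords are ignored for RSPAN, the RSPAN VLAN range, and ingress forwarding at Layer 2) can be checked automatically over the monitor session lines from show running-config. The script below is an added example, not Cisco code; the sample configuration is constructed and the regular expressions assume the running-config form shown on this page.

```python
import re
from collections import defaultdict

RSPAN_VLAN_RANGES = ((2, 1001), (1006, 4094))  # valid RSPAN VLAN IDs per the reference
SRC_RE = re.compile(r"^monitor session (\d+) source (remote vlan|interface|vlan) (\S+)")
DST_RE = re.compile(r"^monitor session (\d+) destination (?:interface (\S+)(.*)|remote vlan (\d+))$")

# Constructed sample of the SPAN lines near the end of show running-config (not real device output).
SAMPLE_CONFIG = """\
monitor session 1 source interface Gi1/0/1 both
monitor session 1 destination remote vlan 1002
monitor session 2 source interface Gi1/0/3
monitor session 2 source vlan 10
monitor session 2 destination interface Gi1/0/3 ingress untagged vlan 5
monitor session 3 source remote vlan 900
monitor session 3 destination interface Gi1/0/3 encapsulation replicate
"""

def check_span_config(config_text):
    """Audit monitor session lines against the rules in the reference; return a list of findings."""
    sessions = defaultdict(lambda: {"src": set(), "dst": [], "rvlan": []})
    source_ports = set()
    for line in map(str.strip, config_text.splitlines()):
        if m := SRC_RE.match(line):
            sessions[m[1]]["src"].add(m[2])
            if m[2] == "interface":
                source_ports.add(m[3].lower())
        elif m := DST_RE.match(line):
            if m[2]:  # destination interface <port> [options...]
                sessions[m[1]]["dst"].append((m[2].lower(), m[3].split()))
            else:     # destination remote vlan <id>
                sessions[m[1]]["rvlan"].append(int(m[4]))
    findings, dest_owner = [], {}
    for sid, s in sessions.items():
        if {"interface", "vlan"} <= s["src"]:
            findings.append(f"session {sid}: mixes source ports and source VLANs")
        for vlan in s["rvlan"]:
            if not any(lo <= vlan <= hi for lo, hi in RSPAN_VLAN_RANGES):
                findings.append(f"session {sid}: RSPAN VLAN {vlan} is outside 2-1001 / 1006-4094")
        for port, opts in s["dst"]:
            if port in source_ports:
                findings.append(f"session {sid}: destination {port} is also a SPAN source")
            if port in dest_owner:
                findings.append(f"session {sid}: destination {port} already used by session {dest_owner[port]}")
            dest_owner.setdefault(port, sid)
            if "encapsulation" in opts and "remote vlan" in s["src"]:
                findings.append(f"session {sid}: encapsulation is ignored on an RSPAN destination")
            if "ingress" in opts:
                findings.append(f"session {sid}: {port} forwards ingress traffic at Layer 2; confirm the attached device needs it")
    return findings
```

Run it against the output of show running-config collected from each switch; an ingress finding on a port that does not face a monitoring appliance is worth a closer look, since that port injects frames into the network at Layer 2.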
Examples
This example shows how to create a local SPAN session 1 to monitor both sent and received traffic on source port 1 on stack
member 1 to destination port 2 on stack member 2:
Device(config)# monitor session 1 source interface gigabitethernet1/0/1 both
Device(config)# monitor session 1 destination interface gigabitethernet1/0/2
This example shows how to delete a destination port from an existing local SPAN session:
Device(config)# no monitor session 2 destination interface gigabitethernet1/0/2
This example shows how to configure RSPAN source session 1 to monitor a source interface and to configure the destination
RSPAN VLAN 900:
Device(config)# monitor session 1 source interface gigabitethernet1/0/1
Device(config)# monitor session 1 destination remote vlan 900
Device(config)# end
This example shows how to configure an RSPAN destination session 10 in the switch receiving the monitored traffic:
Device(config)# monitor session 10 source remote vlan 900
Device(config)# monitor session 10 destination interface gigabitethernet1/0/2
This example shows how to configure the destination port for ingress traffic on VLAN 5 by using a security device that supports
IEEE 802.1Q encapsulation. Egress traffic replicates the source; ingress traffic uses IEEE 802.1Q encapsulation.
Device(config)# monitor session 2 destination interface gigabitethernet1/0/2 encapsulation dot1q ingress dot1q vlan 5
This example shows how to configure the destination port for ingress traffic on VLAN 5 by using a security device that does
not support encapsulation. Egress traffic and ingress traffic are untagged.
Device(config)# monitor session 2 destination interface gigabitethernet1/0/2 ingress untagged vlan 5