- SPAN = Switch Port Analyzer
- RSPAN = Remote SPAN
- ERSPAN = Encapsulated RSPAN
- A method of directing all traffic from a source port or source VLAN to a single port.
- SPAN is sometimes referred to as session monitoring because of the commands used to configure it.
- The feature is useful for many applications. For example, all traffic from a voice VLAN can be delivered to a single switch port to facilitate call recording.
- In a single SPAN session, you can monitor received (Rx), transmitted (Tx), or bidirectional (both) [default] source port traffic.
- Rx refers to traffic entering the source port or VLAN. The traffic is copied and sent to the SPAN destination before any modifications occur (ACL/VACL, QoS, policing etc.).
- Tx refers to traffic leaving the source port or VLAN. The traffic is copied and sent to the SPAN destination after any modifications occur (ACL/VACL, QoS, policing etc.).
- The destination port can be on the local switch (SPAN) or on another switch in the network (RSPAN).
- In RSPAN, a specific VLAN must be configured across the entire switching path from the source port or VLAN to the RSPAN destination port.
- Encapsulated Remote SPAN (ERSPAN), as the name implies, creates a GRE tunnel for all captured traffic and allows it to be extended across Layer 3 domains.
- Regardless of the type of SPAN, a SPAN source port can be any type of port—a routed port, a physical switch port, an access port, a trunk port, an EtherChannel port (either one physical port or the entire port-channel interface), and so on.
- On a SPAN source VLAN, all active ports in that VLAN are monitored.
- As ports are added or removed from that VLAN, the sources are dynamically updated to include new ports or exclude removed ports.
- When a trunk port is monitored as a source port, all VLANs active on the trunk are monitored by default.
- You can use VLAN filtering in order to limit SPAN traffic monitoring on trunk source ports to specific VLANs.
- VLAN filtering affects only traffic forwarded to the destination SPAN port and does not affect the switching of normal traffic.
- VLAN filtering applies only to port-based sessions and is not allowed in sessions with VLAN sources.
- Also, a port configured as a SPAN destination cannot be part of a SPAN source VLAN.
- The state of the destination port is up/down by design. The interface shows the port in this state in order to make it evident that the port is currently not usable as a production port.
- When it is a destination port, it does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PagP).
- SPAN/RSPAN/ERSPAN usually ignores CDP, spanning-tree BPDUs, VTP, DTP, and PAgP frames. However, these traffic types can be forwarded along with the normal SPAN traffic if the encapsulation replicate command is configured.
- There are a number of restrictions for SPAN/RSPAN/ERSPAN ports, including:
- The source can be either one or more ports or a VLAN, but not a mix of these.
- A SPAN destination port cannot be a source port, and a source port cannot be a destination port.
- Only one SPAN/RSPAN/ERSPAN session can send traffic to a single destination port.
- A SPAN destination port ceases to act as a normal switch port. That is, it passes only SPAN-related traffic.
- For details, see: SPAN, RSPAN, and ERSPAN.
-- SPAN --
monitor session 1 source interface fa0/12
monitor session 1 destination interface fa0/24
-- RSPAN --
monitor session 3 source vlan 42
monitor session 3 destination remote vlan 199
monitor session 5 source remote vlan 199
monitor session 5 destination interface fa0/19
-- ERSPAN --
monitor session 1 type erspan-source
source interface GigabitEthernet0/1/0
ip address 10.1.1.1
origin ip address 172.16.1.1
monitor session 2 type erspan-destination
destination interface GigabitEthernet2/2/1
ip address 10.1.1.1
R1# show monitor session 1
Type : ERSPAN Source Session
Status : Admin Enabled
Source Ports :
RX Only : Gi0/1/0
Destination IP Address : 10.1.1.1
MTU : 1464
Destination ERSPAN ID : 101
Origin IP Address : 172.16.1.1
ReferencesCCIE Routing and Switching v5.0 Official Cert Guide, Volume 1, 5th Edition
SPAN, RSPAN, and ERSPAN
Catalyst SPAN Configuration Example