CCIE or Null!

My journey to CCIE!

Configuring a SPAN session.

with 2 comments

A SPAN session is a way for you to have the traffic that is transmitted and/or received from one port or VLAN and have it forwarded out another port for analysis purposes. It’s very easily configured by a few small statements and the only thing you have to decide on is which port you want to monitor, the traffic flow you want to see from that port (egress, ingress, or both) and the destination port you want the traffic sent to. (See the configuration below)

Note: For this local SPAN session both the source port and destination port must be on the same switch. RSPAN allows SPAN sessions across remote switches, but I will not be covering RSPAN in this post.

Their isn’t much to consider concerning the source port since it will not be effected at all, the destination port however is treated a bit differently. First off the destination port will be put in a “Monitor” mode, meaning traffic received on this port will be dropped. Only traffic from the source port will be transmitted out of the destination port by the switch that’s it.

You can issue the sh monitor session # command to see if their are any active SPAN sessions on the switch, or if you want to see the details of a configured SPAN session. The source port (fa0/1), traffic flow (both), destination port (fa0/2), and the encapsulation, are all shown in the command. To close down a SPAN session simply issue the no monitor session # command.

Now your next question might be, what are you going to use this for or why are you going analyze the traffic? Well, if the station at the destination port is running Wireshark, it’s a real easy way to get a glimpse at the traffic traversing your network. From their you can look through the data and see if anything sticks out. Alternatively you can have a SPAN session provide data to a IDS/IPS system so it can monitor your network for any abnormalities.

Written by Stephen J. Occhiogrosso

April 4, 2011 at 2:21 PM

2 Responses

Subscribe to comments with RSS.

  1. I’m working on a CCNA Security lab and part of the lab consists of configuring a SPAN port. After hours of searching for the correct IOS for my switch (exact model numbers seem to be important) I finally was able to use the monitor session command. Anyway…

    The lab I’m working on had me configure 2 VLANs, one for trunk data back to the router and another VLAN for end users. Well part of the configuration for the end user VLAN was left out so I had to figure out what was going on. After the process of troubleshooting, I got the connections working, yet the SPAN did not seem to work. I issued a “show vlan” on the switch the SPAN was configured on and noticed that the SPAN port was not part of either VLAN, which makes sense as you stated here that the port would be in “monitoring mode” and drops all traffic destined for it.
    I disabled my SPAN configuration and issued the “show vlan” again and noticed that the destination SPAN port was part of the end user VLAN while the source SPAN port was part of the trunking vlan. I moved the destination SPAN port over to the same VLAN, re-enabled SPAN and then it was functioning correctly.

    So what I learned was… even though the destination SPAN port is removed from all VLANs, it must first be part of the same vlan as the SPAN’s source port.

    Mark M.

    May 30, 2012 at 9:13 AM

  2. […] […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: