SPAN Configuration on Cisco Switch [IOS]
What is SPAN:
A local SPAN session is an association of source ports and source VLANs with one or more destinations. You configure a local SPAN session on a single switch. Local SPAN does not have separate source and destination sessions.
Each local SPAN session can have either ports or VLANs as sources, but not both.
Local SPAN copies traffic from one or more source ports in any VLAN or from one or more VLANs to a destination for analysis. For example, in the figure below, all traffic on Ethernet port 5 (the source port) is copied to Ethernet port 10. A network analyzer on Ethernet port 10 receives all traffic from Ethernet port 5 without being physically attached to Ethernet port 5.
SPAN Source:
Source Ports and EtherChannels
A source port or EtherChannel is a port or EtherChannel monitored for traffic analysis. You can configure both Layer 2 and Layer 3 ports and EtherChannels as SPAN sources. SPAN can monitor one or more source ports or EtherChannels in a single SPAN session. You can configure ports or EtherChannels in any VLAN as SPAN sources. Trunk ports or EtherChannels can be configured as sources and mixed with nontrunk sources.
Note: SPAN does not copy the encapsulation from trunk sources. You can configure SPAN destinations as trunks to tag the monitored traffic before it is transmitted for analysis.
Source VLANs
A source VLAN is a VLAN monitored for traffic analysis. VLAN-based SPAN (VSPAN) uses a VLAN as the SPAN source. All the ports and EtherChannels in the source VLANs become sources of SPAN traffic.
SPAN Destination Considerations:
A SPAN destination is a Layer 2 or Layer 3 port or, with Release 12.2(33)SXH and later releases, an EtherChannel, to which local SPAN, RSPAN, or ERSPAN sends traffic for analysis. When you configure a port or EtherChannel as a SPAN destination, it is dedicated for use only by the SPAN feature.
Destination EtherChannels do not support the Port Aggregation Control Protocol (PAgP) or Link Aggregation Control Protocol (LACP) EtherChannel protocols; only the on mode is supported, with all EtherChannel protocol support disabled.
There is no requirement that the member links of a destination EtherChannel be connected to a device that supports EtherChannels. For example, you can connect the member links to separate network analyzers.
Monitored Traffic Direction
You can configure local SPAN sessions, RSPAN source sessions, and ERSPAN source sessions to monitor the following traffic:
• Ingress traffic
  – Copies traffic received by the sources (ingress traffic).
  – Ingress traffic is sent to the supervisor engine SPAN ASIC to be copied.
• Egress traffic
  – Copies traffic transmitted from the sources (egress traffic).
  – Distributed egress SPAN mode: With Release 12.2(33)SXH and later releases, on some fabric-enabled switching modules, egress traffic can be copied locally by the switching module SPAN ASIC and then sent to the SPAN destinations.
  – Centralized egress SPAN mode: On all other switching modules, egress traffic is sent to the supervisor engine SPAN ASIC to be copied and is then sent to the SPAN destinations.
• Both
  – Copies both the received traffic and the transmitted traffic (ingress and egress traffic).
  – Both ingress traffic and egress traffic are sent to the supervisor engine SPAN ASIC to be copied.
Configuration Example:
This example shows the configuration of a local SPAN session that has several VLANs as sources and several trunk ports as destinations, with destination trunk VLAN filtering that filters the SPAN traffic so that each destination trunk port transmits the traffic from one VLAN:
```
interface GigabitEthernet1/1
 description SPAN destination interface for VLAN 10
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/2
 description SPAN destination interface for VLAN 11
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/3
 description SPAN destination interface for VLAN 12
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 12
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/4
 description SPAN destination interface for VLAN 13
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 13
 switchport mode trunk
 switchport nonegotiate
!
monitor session 1 source vlan 10 - 13
monitor session 1 destination interface Gi1/1 - 4
```
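With destination trunk VLAN filtering, a mistyped allowed-VLAN list silently leaves a source VLAN unseen by any analyzer. The following audit is an added example, not part of the original page or of any Cisco tooling: it parses only the command forms shown in the configuration above, and the names `expand` and `audit_span` and the sample text are this example's own.

```python
import re

# Constructed sample: a trimmed copy of the configuration above, with Gi1/4
# changed to allow VLAN 14 so the audit has something to report.
SAMPLE = """\
interface GigabitEthernet1/1
 switchport trunk allowed vlan 10
interface GigabitEthernet1/2
 switchport trunk allowed vlan 11
interface GigabitEthernet1/3
 switchport trunk allowed vlan 12
interface GigabitEthernet1/4
 switchport trunk allowed vlan 14
monitor session 1 source vlan 10 - 13
monitor session 1 destination interface Gi1/1 - 4
"""

def expand(spec):
    """Expand a list/range such as '10 - 13' or '10,12-13' into a set of ints."""
    out = set()
    for part in re.sub(r"\s*-\s*", "-", spec).split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit_span(config):
    """Per session: VLANs each destination carries, plus coverage gaps."""
    allowed, sources, dests, current = {}, {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface GigabitEthernet(\S+)$", line):
            current = "Gi" + m.group(1)
        elif m := re.match(r"switchport trunk allowed vlan ([\d ,-]+)$", line):
            allowed[current] = expand(m.group(1))
        elif m := re.match(r"monitor session (\d+) source vlan ([\d ,-]+)", line):
            sources[m.group(1)] = expand(m.group(2))
        elif m := re.match(r"monitor session (\d+) destination interface Gi(\d+)/([\d ,-]+)", line):
            dests[m.group(1)] = [f"Gi{m.group(2)}/{p}" for p in sorted(expand(m.group(3)))]
    report = {}
    for sid, vlans in sources.items():
        # Assumption: a destination with no allowed-VLAN list carries every source VLAN.
        carried = {d: allowed.get(d, vlans) & vlans for d in dests.get(sid, [])}
        covered = set().union(*carried.values())
        report[sid] = {"carried": carried,
                       "unmonitored_vlans": sorted(vlans - covered),
                       "idle_destinations": sorted(d for d, v in carried.items() if not v)}
    return report

if __name__ == "__main__":
    print(audit_span(SAMPLE))
```

On the constructed sample the report shows VLAN 13 reaching no destination and Gi1/4 transmitting nothing; with Gi1/4 set back to VLAN 13, as on the page, both lists are empty.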
To configure a local SPAN session in SPAN configuration mode, perform this task:

Step | Command | Purpose |
---|---|---|
Step 1 | Router# configure terminal | Enters global configuration mode. |
Step 2 | Router(config)# monitor session local_SPAN_session_number type [local \| local-tx] | Configures a local SPAN session number and enters local SPAN session configuration mode. Note: • Enter the local keyword to configure ingress or egress or both SPAN sessions. • Enter the local-tx keyword to configure egress-only SPAN sessions. |
Step 3 | Router(config-mon-local)# description session_description | (Optional) Describes the local SPAN session. |
Step 4 | Router(config-mon-local)# source {{cpu {rp \| sp}} \| single_interface \| interface_list \| interface_range \| mixed_interface_list \| single_vlan \| vlan_list \| vlan_range \| mixed_vlan_list} [rx \| tx \| both] | Associates the local SPAN session number with the CPU, source ports, or VLANs, and selects the traffic direction to be monitored. Note: • When you enter the local-tx keyword, the rx and both keywords are not available and the tx keyword is required. • To make best use of the available SPAN sessions, it is always preferable to configure local-tx sessions instead of local sessions with the tx keyword. |
Step 5 | Router(config-mon-local)# filter single_vlan \| vlan_list \| vlan_range \| mixed_vlan_list | (Optional) Configures source VLAN filtering when the local SPAN source is a trunk port. |
Step 6 | Router(config-mon-local)# destination {single_interface \| interface_list \| interface_range \| mixed_interface_list} [ingress [learning]] | Associates the local SPAN session number with the destinations. |
Step 7 | Router(config-mon-local)# no shutdown | Activates the local SPAN session. Note: The no shutdown command and shutdown commands are not supported for local-tx egress-only SPAN sessions. |
Step 8 | Router(config-mon-local)# end | Exits configuration mode. |
Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/span.html