Wed, 07/22/2009 - 19:26
- Gold, 750 points or more
These are the guidelines and restrictions to configure Switched Port Analyzer (SPAN):
- Use a network analyzer to monitor interfaces.
- Do not mix source VLANs and filter VLANs within a SPAN session. Source VLANs and filter VLANs cannot co-exist.
- Ensure that EtherChannel interfaces are not SPAN destination interfaces. But, EtherChannel interfaces can be SPAN source interfaces.
- Issue the no monitor session number command with no other parameters in order to clear the SPAN session number.
- The no monitor command clears all SPAN sessions.
- When no traffic type is specified for source interfaces, the default value both is applicable. Traffic type can be Transmit (Tx), Receive (Rx), or both.
- If multiple SPAN source interfaces are specified, the interfaces can belong to different VLANs.
- SPAN destinations never participate in any spanning tree instance. SPAN includes Bridge Protocol Data Units (BPDUs) in the monitored traffic. So any BPDUs on the SPAN destination are from the SPAN source.
- SPAN is limited to one destination port per session.
- You can use an IDS to monitor traffic that passes between two devices. Other than the added traffic passed to the span port, the port is a standard port, which means you can manage the IDS by any machine that can route IP packets to the IDS.
A port or interface on any line card of the switch should be on the same VLAN as the sc0 interface of the switch, which is the management interface.
These are the guidelines to configure Remote Switched Port Analyzer (RSPAN):
- RSPAN sessions can coexist with SPAN sessions within the limits.
- RSPAN configuration allows the distribution of source ports and destination ports across multiple switches in the network.
- RSPAN does not support BPDU packet monitoring or other Layer 2 switch protocols.
- The RSPAN VLAN is configured only on trunk ports and not on access ports. In order to avoid unwanted traffic in RSPAN VLANs, make sure that all participant switches support the VLAN remote-span feature. Access ports on the RSPAN VLAN are silently disabled.
- Create an RSPAN VLAN before the configuration of an RSPAN source or destination session.
- If VLAN Trunking Protocol (VTP) and VTP pruning are enabled, RSPAN traffic is pruned in the trunks in order to prevent the unwanted flooding of RSPAN traffic across the network for VLAN IDs that are lower than 1005.
- RSPAN traffic travels across a network on an RSPAN VLAN. Therefore, the original VLAN association of the mirrored packets is lost. As a result, RSPAN can only support forwarding of traffic from an IDS device onto a single user-specified VLAN.
Note: The switch does not support a combination of local SPAN and RSPAN in a single session. In other words, an RSPAN source session cannot have a local destination port, an RSPAN destination session cannot have a local source port, and an RSPAN destination session and an RSPAN source session that use the same RSPAN VLAN cannot run on the same switch.