
CHAPTER 60

Configuring SPAN and RSPAN

This chapter describes how to configure the Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 4000 family switches. SPAN selects network traffic for analysis by a network analyzer, such as a SwitchProbe device or other Remote Monitoring (RMON) probe.

This chapter consists of the following sections:

• About SPAN and RSPAN, page 60-1
• Configuring SPAN, page 60-7
• CPU Port Sniffing, page 60-10
• Encapsulation Configuration, page 60-12
• Ingress Packets, page 60-12
• Access List Filtering, page 60-13
• Packet Type Filtering, page 60-14
• Configuration Example, page 60-15
• Configuring RSPAN, page 60-16
• Displaying SPAN and RSPAN Status, page 60-24

Note  For complete syntax and usage information for the switch commands used in this chapter, see the Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location: itches/ps4324/index.html

If a command is not in the Catalyst 4500 Series Switch Command Reference, you can locate it in the Cisco IOS library. See related publications at this location: 0/index.html

About SPAN and RSPAN

This section includes the following subsections:

• SPAN and RSPAN Concepts and Terminology, page 60-3
• SPAN and RSPAN Session Limits, page 60-6
• Default SPAN and RSPAN Configuration, page 60-6

Software Configuration Guide—Release IOS XE 3.7.xE and IOS 15.2(3)Ex, page 60-1

SPAN mirrors traffic from one or more source interfaces on any VLAN or from one or more VLANs to a destination interface for analysis. In Figure 60-1, all traffic on Ethernet interface 5 (the source interface) is mirrored to Ethernet interface 10. A network analyzer on Ethernet interface 10 receives all network traffic from Ethernet interface 5 without being physically attached to it.

For SPAN configuration, the source interfaces and the destination interface must be on the same switch. SPAN does not affect the switching of network traffic on source interfaces; copies of the packets received or transmitted by the source interfaces are sent to the destination interface.

Figure 60-1  Example SPAN Configuration
[Figure: a switch with ports E1 through E12; port 5 traffic is mirrored on port 10, where the network analyzer is attached.]

RSPAN extends SPAN by enabling remote monitoring of multiple switches across your network. The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches. The SPAN traffic from the sources is copied onto the RSPAN VLAN and then forwarded over trunk ports that are carrying the RSPAN VLAN to any RSPAN destination sessions monitoring the RSPAN VLAN, as shown in Figure 60-2.

Figure 60-2  Example of RSPAN Configuration
[Figure: a source switch with an RSPAN source port, an intermediate switch, and a destination switch with an RSPAN destination port, linked by the RSPAN VLAN.]

SPAN and RSPAN do not affect the switching of network traffic on source ports or source VLANs; a copy of the packets received or sent by the sources is sent to the destination. Except for traffic that is required for the SPAN or RSPAN session, by default, destination ports do not receive or forward traffic.

You can use the SPAN or RSPAN destination port to forward transmitted traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device can send TCP reset packets to close down the TCP session of a suspected attacker.

SPAN and RSPAN Concepts and Terminology

This section describes concepts and terminology associated with SPAN and RSPAN configuration and includes the following subsections:

• SPAN Session, page 60-3
• Traffic Types, page 60-3
• Source Port, page 60-4
• Destination Port, page 60-5
• VLAN-Based SPAN, page 60-5
• SPAN Traffic, page 60-6

SPAN Session

A local SPAN session associates a destination port with source ports. You can monitor incoming or outgoing traffic on a series or range of ports and source VLANs. An RSPAN session associates source ports and source VLANs across your network with an RSPAN VLAN. The destination for that session is the RSPAN VLAN.

You configure SPAN sessions by using parameters that specify the source of network traffic to monitor. You can configure multiple SPAN or RSPAN sessions with separate or overlapping sets of SPAN sources. Both switched and routed ports can be configured as SPAN sources or destination ports.

An RSPAN source session associates SPAN source ports or VLANs with a destination RSPAN VLAN. An RSPAN destination session associates an RSPAN VLAN with a destination port.

SPAN sessions do not interfere with the normal operation of the switch; however, an oversubscribed SPAN destination (for example, a 10-Mbps port monitoring a 100-Mbps port) results in dropped or lost packets.

You can configure SPAN sessions on disabled ports; however, a SPAN session does not become active unless you enable the destination port and at least one source port or VLAN for that session.

A SPAN session remains inactive after system startup until the destination port is operational.

Traffic Types

SPAN sessions include these traffic types:

• Receive (Rx) SPAN—The goal of receive (or ingress) SPAN is to monitor as much as possible all packets received by the source interface or VLAN before any modification or processing is performed by the switch. A copy of each packet received by the source is sent to the destination port for that SPAN session. You can monitor a series or range of ingress ports or VLANs in a SPAN session.

  On tagged packets (Inter-Switch Link or IEEE 802.1Q), the tagging is removed at the ingress port. At the destination port, if tagging is enabled, the packets appear with 802.1Q headers. If no tagging is specified, packets appear in the native format.

  Packets that are modified because of routing are copied without modification for Rx SPAN; that is, the original packet is copied. Packets that are modified because of quality of service (QoS)—for example, modified Differentiated Services Code Point (DSCP)—are copied without modification for Rx SPAN.

  Some features that can cause a packet to be dropped during receive processing have no effect on SPAN; the destination port receives a copy of the packet even if the actual incoming packet is dropped. These features include IP standard and extended input access control lists (ACLs), IP standard and extended output ACLs for unicast and ingress QoS policing, VLAN maps, ingress QoS policing, and policy-based routing. Switch congestion that causes packets to be dropped also has no effect on SPAN.

• Transmit (Tx) SPAN—The goal of transmit (or egress) SPAN is to monitor as much as possible all packets sent by the source interface after the switch performs all modification and processing. After the packet is modified, the source sends a copy of each packet to the destination port for that SPAN session. You can monitor a range of egress ports in a SPAN session.

  Packets that are modified because of routing—for example, with a time-to-live (TTL) or MAC-address modification—are duplicated at the destination port. On packets that are modified because of QoS, the modified packet might not have the same DSCP (IP packet) or CoS (non-IP packet) as the SPAN source.

  Some features that can cause a packet to be dropped during transmit processing might also affect the duplicated copy for SPAN. These features include VLAN maps, IP standard and extended output ACLs on multicast packets, and egress QoS policing. In the case of output ACLs, if the SPAN source drops the packet, the SPAN destination would also drop the packet. In the case of egress QoS policing, if the SPAN source drops the packet, the SPAN destination might not drop it. If the source port is oversubscribed, the destination ports have different dropping behavior.

• Both—In a SPAN session, you can monitor a single port series or a range of ports for both received and sent packets.

Source Port

A source port (also called a monitored port) is a switched or routed port that you monitor for network traffic analysis. In a single local SPAN session or RSPAN source session, you can monitor source port traffic, such as received (Rx), transmitted (Tx), or bidirectional (both). The switch supports any number of source ports (up to the maximum number of available ports on the switch) and any number of source VLANs.

A source port has these characteristics:

• It can be any port type (for example, EtherChannel, Fast Ethernet, Gigabit Ethernet, and so forth).
• It can be monitored in multiple SPAN sessions.
• It cannot be a destination port.
• Each source port can be configured with a direction (ingress, egress, or both) to monitor. For EtherChannel sources, the monitored direction would apply to all physical ports in the group.
• Source ports can be in the same or different VLANs.
• For VLAN SPAN sources, all active ports in the source VLAN are included as source ports.

You can configure a trunk port as a source port. By default, all VLANs active on the trunk are monitored. You can limit SPAN traffic monitoring on trunk source ports to specific VLANs by using VLAN filtering. Only switched traffic in the selected VLANs is sent to the destination port. This feature affects only traffic forwarded to the destination SPAN port and does not affect the switching of normal traffic. This feature is not allowed in sessions with VLAN sources.

Destination Port

Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports and VLANs.

A destination port has these characteristics:

• A destination port must reside on the same switch as the source port (for a local SPAN session).
• A destination port can be any Ethernet physical port.
• A destination port can participate in only one SPAN session at a time. (A destination port in one SPAN session cannot be a destination port for a second SPAN session.)
• A destination port cannot be a source port.
• A destination port cannot be an EtherChannel group.
• A destination port can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group has been specified as a SPAN source. The port is removed from the group while it is configured as a SPAN destination port.
• The port does not transmit any traffic except that traffic required for the SPAN session unless learning is enabled. If learning is enabled, the port also transmits traffic directed to hosts that have been learned on the destination port.
• If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2.
• A destination port does not participate in spanning tree while the SPAN session is active.
• When it is a destination port, it does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PAgP).
• A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list and is not monitored.
• A destination port receives copies of sent and received traffic for all monitored source ports. If a destination port is oversubscribed, it could become congested and result in packet drops at the destination port. This congestion does not affect traffic forwarding on the source ports.

VLAN-Based SPAN

VLAN-based SPAN (VSPAN) is the monitoring of the network traffic in one or more VLANs.

Use these guidelines for VSPAN sessions:

• Traffic on RSPAN VLANs is not monitored by VLAN-based SPAN sessions.
• Only traffic on the monitored VLAN is sent to the destination port.
• If a destination port belongs to a source VLAN, it is excluded from the source list and is not monitored.
• If ports are added to or removed from the source VLANs, the traffic on the source VLAN received by those ports is added to or removed from the sources being monitored.
• VLAN pruning and the VLAN allowed list have no effect on SPAN monitoring.

• VSPAN monitors only traffic that enters the switch, not traffic that is routed between VLANs. For example, if a VLAN is being Rx-monitored, and the multilayer switch routes traffic from another VLAN to the monitored VLAN, that traffic is not monitored and is not received on the SPAN destination port.
• You cannot use filter VLANs in the same session with VLAN sources.
• You can monitor only Ethernet VLANs.

SPAN Traffic

You can use local SPAN to monitor all network traffic, including multicast and bridge protocol data unit (BPDU) packets, Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP) packets. You cannot use RSPAN to monitor Layer 2 protocols. (See the “RSPAN Configuration Guidelines” section on page 60-16 for more information.)

In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN destination port. For example, a bidirectional (both Rx and Tx) SPAN session is configured for the sources a1 Rx monitor and the a2 Rx and Tx monitor to destination port d1. If a packet enters the switch through a1 and is switched to a2, both incoming and outgoing packets are sent to destination port d1. Both packets are the same (unless a Layer-3 rewrite occurs, in which case the packets are different because of the added Layer 3 information).

SPAN and RSPAN Session Limits

You can configure a maximum of sixteen SPAN/RSPAN sessions (eight concurrent sessions with ingress-only sources and eight concurrent sessions with egress-only sources). Bidirectional sources count as both ingress and egress. RSPAN destination sessions count as a session containing an ingress source.

Default SPAN and RSPAN Configuration

Table 60-1 shows the default SPAN and RSPAN configuration.

Table 60-1  Default SPAN and RSPAN Configuration

Feature                                  Default Setting
SPAN state                               Disabled.
Source port traffic to monitor           Both received and sent traffic (both).
Filters                                  All VLANs, all packet types, all address types.
Encapsulation type (destination port)    Native form (no encapsulation type header).
Ingress forwarding (destination port)    Disabled.
Host learning (destination port)         Disabled.

Configuring SPAN

The following sections describe how to configure SPAN:

• SPAN Configuration Guidelines and Restrictions, page 60-7
• Configuring SPAN Sources, page 60-8
• Configuring SPAN Destinations, page 60-9
• Monitoring Source VLANs on a Trunk Interface, page 60-9
• Configuration Scenario, page 60-10
• Verifying a SPAN Configuration, page 60-10

Note  Entering SPAN configuration commands does not clear previously configured SPAN parameters. You must enter the no monitor session command to clear configured SPAN parameters.

SPAN Configuration Guidelines and Restrictions

Follow these guidelines and restrictions when configuring SPAN:

• You must use a network analyzer to monitor interfaces.
• You cannot mix source VLANs and filter VLANs within a SPAN session. You can have source VLANs or filter VLANs, but not both at the same time.
• EtherChannel interfaces can be SPAN source interfaces; they cannot be SPAN destination interfaces.
• When you specify source interfaces and do not specify a traffic type (Tx, Rx, or both), “both” is used by default. To change from both to either “tx” or “rx,” unconfigure the corresponding other type (“rx” or “tx”) with the no monitor session {session number} {source {interface interface list | vlan vlan IDs | cpu [queue queue ids]}} {rx | tx} command.
• If you specify multiple SPAN source interfaces, the interfaces can belong to different VLANs.
• You must enter the no monitor session number command with no other parameters to clear the SPAN session number. The no monitor command clears all SPAN sessions.
• SPAN destinations never participate in any spanning tree instance. SPAN includes BPDUs in the monitored traffic, so any BPDUs seen on the SPAN destination are from the SPAN source.
• SPAN is limited to one destination port per session.
• When you create a SPAN session, it sets the packet filter to good automatically (default), so you will see another configuration line:

      monitor session 1 filter packet-type good rx

  To remove or change this filter, first enter the no monitor session 1 filter packet-type good rx command and then configure the kind of SPAN filter you want. Do not reload the switch after this: reloading the switch automatically re-creates the default configuration and does not delete the user configuration. Having both good and bad packet types configured disables the filtering function.
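The restrictions above, together with the session limits from the "SPAN and RSPAN Session Limits" section, can be checked offline against a saved running configuration. The following script is an added example, not part of this guide or of Cisco software; it understands only the monitor session command forms shown in this chapter (interface, vlan and cpu sources, interface destinations, filter vlan) and assumes interface names of the form type plus slot/port or port-channel number.

```python
import itertools
import re
from collections import defaultdict

# Interface abbreviations as they appear in 'show monitor session' output (fa2/3, gi1/1, po5).
ABBREV = {"fastethernet": "fa", "gigabitethernet": "gi",
          "tengigabitethernet": "te", "port-channel": "po"}
# Chapter limit: sixteen sessions, eight with ingress-capable and eight with egress-capable sources.
MAX_INGRESS_SESSIONS = MAX_EGRESS_SESSIONS = 8
IF_RE = re.compile(r"([a-z-]+?)\s*((?:\d+/)*)(\d+)(?:-(\d+))?")
DEST_OPTIONS = {"encapsulation", "ingress", "learning"}   # keywords that end the destination name


def expand_interfaces(spec):
    """Expand tokens such as 'fastethernet 4/10 - 12' or 'fa2/3 , gi1/1' into short names."""
    text = re.sub(r"\s*([,-])\s*", r"\1", " ".join(spec).lower())
    names = []
    for item in text.split(","):
        m = IF_RE.fullmatch(item)
        if not m:
            raise ValueError(f"unparsable interface: {item!r}")
        kind, prefix, lo, hi = m.groups()
        kind = ABBREV.get(kind, kind)
        names += [f"{kind}{prefix}{n}" for n in range(int(lo), int(hi or lo) + 1)]
    return names


def _new_session():
    return {"ports": {}, "vlan_sources": [], "dirs": set(), "destinations": [], "filter_vlans": []}


def parse_monitor_config(text):
    """Collect per-session facts from 'monitor session' lines; other lines are ignored.
    Only the whole-session 'no monitor session N' form is honoured (it clears the session)."""
    sessions = defaultdict(_new_session)
    for raw in text.splitlines():
        tok = raw.split()
        if tok[:3] == ["no", "monitor", "session"] and len(tok) == 4:
            sessions.pop(int(tok[3]), None)
            continue
        if tok[:2] != ["monitor", "session"]:
            continue
        sess, verb, rest = sessions[int(tok[2])], tok[3], tok[4:]
        if verb == "source":
            # Direction defaults to 'both' when omitted; a cpu source only contributes a direction.
            direction = rest.pop() if rest and rest[-1] in ("rx", "tx", "both") else "both"
            sess["dirs"].add(direction)
            if rest[0] == "interface":
                for name in expand_interfaces(rest[1:]):
                    sess["ports"][name] = direction
            elif rest[0] == "vlan":
                sess["vlan_sources"] += rest[1:]
        elif verb == "destination" and rest[:1] == ["interface"]:
            ifspec = list(itertools.takewhile(lambda t: t not in DEST_OPTIONS, rest[1:]))
            sess["destinations"] += expand_interfaces(ifspec)
        elif verb == "filter" and rest[:1] == ["vlan"]:
            sess["filter_vlans"] += rest[1:]
    return dict(sessions)


def audit_monitor_config(text):
    """Apply the chapter's guidelines and session limits; return findings (empty means clean)."""
    sessions = parse_monitor_config(text)
    all_sources = {p for s in sessions.values() for p in s["ports"]}
    findings, ingress, egress = [], 0, 0
    for num, s in sorted(sessions.items()):
        if len(s["destinations"]) > 1:
            findings.append(f"session {num}: SPAN is limited to one destination port per session")
        for dst in s["destinations"]:
            if dst.startswith("po"):
                findings.append(f"session {num}: EtherChannel {dst} cannot be a SPAN destination")
            if dst in all_sources:
                findings.append(f"session {num}: destination {dst} is also a SPAN source")
        if s["vlan_sources"] and s["filter_vlans"]:
            findings.append(f"session {num}: source VLANs and filter VLANs cannot be mixed")
        ingress += bool(s["dirs"] & {"rx", "both"})   # bidirectional counts as both
        egress += bool(s["dirs"] & {"tx", "both"})
    if ingress > MAX_INGRESS_SESSIONS:
        findings.append(f"{ingress} sessions with ingress sources exceed the limit of {MAX_INGRESS_SESSIONS}")
    if egress > MAX_EGRESS_SESSIONS:
        findings.append(f"{egress} sessions with egress sources exceed the limit of {MAX_EGRESS_SESSIONS}")
    return findings


# Constructed sample: the chapter's configuration scenario (session 1) plus sessions
# that each break one of the restrictions above (assumed, not a real switch).
SAMPLE_CONFIG = """\
monitor session 1 source interface fastethernet 4/10 - 12
monitor session 1 filter vlan 57
monitor session 1 destination interface fastethernet 4/15
monitor session 2 source interface fa2/3 rx
monitor session 2 source interface fa2/2 tx
monitor session 2 destination interface fastethernet 5/48 encapsulation dot1q ingress vlan 7
monitor session 3 source vlan 10 rx
monitor session 3 filter vlan 10
monitor session 3 destination interface port-channel 5
monitor session 4 source cpu queue 10 rx
monitor session 4 destination interface fa2/3
"""

if __name__ == "__main__":
    for finding in audit_monitor_config(SAMPLE_CONFIG):
        print(finding)
```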

Configuring SPAN Sources

To configure the source for a SPAN session, perform this task:

Command:
    Switch(config)# [no] monitor session {session number} {source {interface interface list | vlan vlan IDs | cpu [queue queue ids]}} [rx | tx | both]

Purpose:
    Specifies the SPAN session number (1 through 6), the source interfaces (FastEthernet or GigabitEthernet), VLANs (1 through 4094), whether traffic received or sent from the CPU is copied to the session destination, and the traffic direction to be monitored.
    For session number, specifies the session number identified with this RSPAN session (1 through 6).
    For interface list, specifies the source port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number).
    For vlan IDs, specifies the source VLAN.
    For queue ids, specifies the queue(s) involved.
    (Optional) [, -] Specifies a series or range of interfaces. Enter a space after the comma; enter a space before and after the hyphen.
    (Optional) Specifies the direction of traffic to monitor. If you do not specify a traffic direction, the source interface sends both transmitted (Tx) and received (Rx) traffic. Only received traffic can be monitored on additional source ports.
    • Rx—Monitor received traffic.
    • Tx—Monitor transmitted traffic.
    • both—Monitor both received and transmitted traffic (bidirectional).
    Queues may be identified either by number or by name. Queue names may subsume multiple numbered queues for convenience.
    Use the no keyword to restore the defaults.

This example shows how to configure SPAN session 1 to monitor bidirectional traffic from source interface Fast Ethernet 5/1:

    Switch(config)# monitor session 1 source interface fastethernet 5/1

This example shows how to configure sources with differing directions within a SPAN session:

    Switch(config)# monitor session 1 source interface fa2/3 rx
    Switch(config)# monitor session 1 source interface fa2/2 tx
    Switch(config)#

Configuring SPAN Destinations

To configure the destination for a SPAN session, perform this task:

Command:
    Switch(config)# [no] monitor session session number destination interface interface [encapsulation {dot1q}] [ingress [vlan vlan IDs] [learning]]

Purpose:
    Specifies the SPAN session number (1 through 6) and the destination interfaces or VLANs.
    For session number, specifies the session number identified with this RSPAN session (1 through 6).
    For interface, specifies the destination interface.
    For vlan IDs, specifies the destination VLAN.
    Use the no keyword to restore the defaults.

Note  SPAN is limited to one destination port per session.

This example shows how to configure interface Fast Ethernet 5/48 as the destination for SPAN session 1:

    Switch(config)# monitor session 1 destination interface fastethernet 5/48

Monitoring Source VLANs on a Trunk Interface

To monitor specific VLANs when the SPAN source is a trunk interface, perform this task:

Command:
    Switch(config)# [no] monitor session {session number} filter {vlan vlan IDs [, -]} {packet-type {good | bad}} {address-type {unicast | multicast | broadcast} [rx | tx | both]}

Purpose:
    Monitors specific VLANs when the SPAN source is a trunk interface. The filter keyword restricts monitoring to traffic that is on the specified VLANs; it is typically used when monitoring a trunk interface.
    For session number, specifies the session number identified with this RSPAN session (1 through 6).
    For vlan IDs, specifies the VLAN. Monitoring is established through all the ports in the specified VLANs.
    Use the no keyword to restore the defaults.

This example shows how to monitor VLANs 1 through 5 and VLAN 9 when the SPAN source is a trunk interface:

    Switch(config)# monitor session 2 filter vlan 1 - 5 , 9

Configuration Scenario

This example shows how to use the commands described in this chapter to completely configure and unconfigure a SPAN session. Assume that you want to monitor bidirectional traffic from source interfaces Fast Ethernet 4/10, 4/11 and 4/12. Interface 4/10 is configured as a trunk interface carrying VLANs 1 through 4094. Interface Fast Ethernet 4/11 is configured as an access port in VLAN 57 and interface Fast Ethernet 4/12 is configured as an access port in VLAN 58. You want to monitor only traffic in VLAN 57 in that session. Using Fast Ethernet 4/15 as your destination interface, you would enter the following commands:

    Switch(config)# monitor session 1 source interface fastethernet 4/10 - 12
    Switch(config)# monitor session 1 filter vlan 57
    Switch(config)# monitor session 1 destination interface fastethernet 4/15

You are now monitoring traffic from interface Fast Ethernet 4/10 that is on VLAN 57 out of interface Fast Ethernet 4/15. To disable the SPAN session, enter the following command:

    Switch(config)# no monitor session 1

Verifying a SPAN Configuration

This example shows how to verify the configuration of SPAN session 2:

    Switch# show monitor session 2
    Session 2
    ---------
    Source Ports:
        RX Only:       Fa5/12
        TX Only:       None
        Both:          None
    Source VLANs:
        RX Only:       None
        TX Only:       None
        Both:          None
    Destination Ports: Fa5/45
    Filter VLANs:      1-5,9
    Switch#

CPU Port Sniffing

When configuring a SPAN session, you can specify the CPU (or a subset of CPU queues) as a SPAN source. Queues may be specified either by number or by name. When such a source is specified, traffic going to the CPU through one of the specified queues is mirrored and sent out of the SPAN destination port in the session. This traffic includes both control packets and regular data packets that are sent to or from the CPU (due to software forwarding).

You can mix the CPU source with either regular port sources or VLAN sources.
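A defender's counterpart to the show monitor session check under "Verifying a SPAN Configuration" above is to parse that output on a schedule and report any session whose destination is not one of the ports where a sanctioned analyzer is attached, since an unexpected mirror session is a copy of traffic leaving the switch. The following parser and audit are an added example, not from this guide or from Cisco; the sanctioned-port list and the second session in the sample output are assumptions, and the field labels are taken from the output format shown on this page.

```python
import re

# Field labels exactly as they appear in the chapter's 'show monitor session' output.
SECTION_LABELS = {"Source Ports:": "ports", "Source VLANs:": "vlans"}
DIRECTION_LABELS = {"RX Only:": "rx", "TX Only:": "tx", "Both:": "both"}


def _values(field):
    """'Fa5/12' -> ['Fa5/12']; 'None' or '' -> []; 'Fa4/10,Fa4/11' -> both names."""
    field = field.strip()
    return [] if field in ("", "None") else [v.strip() for v in field.split(",")]


def expand_vlan_list(text):
    """'1-5,9' -> [1, 2, 3, 4, 5, 9]; 'None' -> []."""
    vlans = []
    for part in _values(text):
        lo, _, hi = part.partition("-")
        vlans += range(int(lo), int(hi or lo) + 1)
    return vlans


def parse_show_monitor(output):
    """Parse 'show monitor session' output into {session_number: facts}."""
    sessions, current, group = {}, None, None
    for line in output.splitlines():
        stripped = line.strip()
        m = re.fullmatch(r"Session (\d+)", stripped)
        if m:
            current = sessions.setdefault(int(m.group(1)), {
                "ports": {"rx": [], "tx": [], "both": []},
                "vlans": {"rx": [], "tx": [], "both": []},
                "destinations": [], "filter_vlans": []})
            continue
        if current is None or not stripped or stripped.startswith("-"):
            continue   # prompt lines, blank separators and the dashed rule under 'Session N'
        label, _, value = stripped.partition(":")
        label += ":"
        if label in SECTION_LABELS:
            group = SECTION_LABELS[label]
        elif label in DIRECTION_LABELS and group:
            current[group][DIRECTION_LABELS[label]] += _values(value)
        elif label == "Destination Ports:":
            current["destinations"] += _values(value)
        elif label == "Filter VLANs:":
            current["filter_vlans"] += expand_vlan_list(value)
    return sessions


def audit_sessions(sessions, sanctioned_destinations):
    """Flag sessions whose destination is not a sanctioned analyzer port, and sessions
    that can never become active because they lack a destination or any source."""
    sanctioned = {p.lower() for p in sanctioned_destinations}
    findings = []
    for num, s in sorted(sessions.items()):
        if not s["destinations"]:
            findings.append(f"session {num}: no destination port, session is inactive")
        for dst in s["destinations"]:
            if dst.lower() not in sanctioned:
                findings.append(f"session {num}: destination {dst} is not a sanctioned analyzer port")
        if not any(s[g][d] for g in ("ports", "vlans") for d in ("rx", "tx", "both")):
            findings.append(f"session {num}: no sources configured")
    return findings


# Constructed sample: the chapter's session 2 plus an assumed session 3 in the same format.
SAMPLE_OUTPUT = """\
Switch# show monitor session all
Session 2
---------
Source Ports:
    RX Only:       Fa5/12
    TX Only:       None
    Both:          None
Source VLANs:
    RX Only:       None
    TX Only:       None
    Both:          None
Destination Ports: Fa5/45
Filter VLANs:      1-5,9

Session 3
---------
Source Ports:
    RX Only:       None
    TX Only:       None
    Both:          Fa4/10,Fa4/11,Fa4/12
Source VLANs:
    RX Only:       None
    TX Only:       None
    Both:          None
Destination Ports: Fa4/15
Filter VLANs:      57
Switch#
"""

if __name__ == "__main__":
    # Assumed allow-list: only Fa5/45 has an analyzer attached.
    for finding in audit_sessions(parse_show_monitor(SAMPLE_OUTPUT), ["Fa5/45"]):
        print(finding)
```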

To configure CPU source sniffing, perform this task:

Command:
    Switch(config)# [no] monitor session {session number} {source {interface interface list | vlan vlan IDs | cpu [queue queue ids]}} [rx | tx | both]

Purpose:
    Specifies that the CPU causes traffic received by or sent from the CPU to be copied to the destination of the session. The queue identifier optionally allows sniffing-only traffic (received) on the specified CPU queue(s).
    For session number, specifies the session number identified with this SPAN session (1 through 6).
    For interface list, specifies the source port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number).
    For vlan IDs, specifies the source VLAN.
    For queue ids, specifies the queue(s) involved.
    (Optional) [, -] Specifies a series or range of interfaces. Enter a space after the comma; enter a space before and after the hyphen.
    (Optional) Specifies the direction of traffic to monitor. If you do not specify a traffic direction, the source interface sends both transmitted (Tx) and received (Rx) traffic. Only received traffic can be monitored on additional source ports.
    • Rx—Monitor received traffic.
    • Tx—Monitor transmitted traffic.
    • both—Monitor both received and transmitted traffic (bidirectional).
    Queues may be identified either by number or by name. Queue names may subsume multiple numbered queues for convenience.
    Use the no keyword to restore the defaults.

This example shows how to configure a CPU source to sniff all packets received by the CPU:

    Switch# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch(config)# monitor session 1 source cpu rx

This example shows how to use queue names and queue number ranges for the CPU as a SPAN source:

    Switch(config)# monitor session 2 source cpu queue control-packet rx
    Switch(config)# monitor session 3 source cpu queue 10 rx

Note  control-packet is mapped to queue 10.

Encapsulation Configuration

When configuring a SPAN destination port, you can explicitly specify the encapsulation type used by the port. Packets sent out the port are tagged in accordance with the specified mode. (The encapsulation mode also controls how tagged packets are handled when the ingress packet option is enabled.) The Catalyst 4500 series switch supervisor engines support 802.1q encapsulation and untagged packets.

Note  Only 802.1q encapsulation is supported.

The “replicate” encapsulation type (in which packets are transmitted from the destination port using whatever encapsulation applied to the original packet) is not supported. If no encapsulation mode is specified, the port default is untagged.

Ingress Packets

When ingress is enabled, the SPAN destination port accepts incoming packets (potentially tagged depending on the specified encapsulation mode) and switches them normally. When configuring a SPAN destination port, you can specify whether the ingress feature is enabled and what VLAN to use to switch untagged ingress packets. Although the port is STP forwarding, it does not participate in the STP, so use caution when configuring this feature lest a spanning-tree loop be introduced in the network. When both ingress and a trunk encapsulation are specified on a SPAN destination port, the port goes forwarding in all active VLANs. Configuring a non-existent VLAN as an ingress VLAN is not allowed.

By default, host learning is disabled on SPAN destination ports with ingress enabled. The port is also removed from VLAN floodsets, so regular traffic is not switched out of the destination port. If learning is enabled, then traffic for hosts learned on the destination port is switched out the destination port. A host connected to the SPAN destination port will not receive broadcast ARP requests and will not respond. You can also configure static host entries (including a static ARP entry and a static entry in the MAC-address table) on SPAN destination ports.

Note  This configuration does not work if the SPAN session does not have a source configured; the session is half configured with only the SPAN destination port.

To configure ingress packets and encapsulation, perform this task:

Command:
    Switch(config)# [no] monitor session session number destination interface interface [encapsulation {dot1q}] [ingress [vlan vlan IDs] [learning]]

Purpose:
    Specifies the configuration of the ingress packet and the encapsulation type of the destination port.
    For session number, specifies the session number identified with this SPAN session (1 through 6).
    For interface, specifies the destination interface.
    For vlan IDs, specifies the destination VLAN.
    Use the no keyword to restore the defaults.

This example shows how to configure a destination port with 802.1q encapsulation and ingress packets using native VLAN 7:

    Switch(config)# monitor session 1 destination interface fastethernet 5/48 encapsulation dot1q ingress vlan 7

With this configuration, traffic from SPAN sources associated with session 1 would be copied out of interface Fast Ethernet 5/48, with 802.1q encapsulation. Incoming traffic would be accepted and switched, with untagged packets being classified into VLAN 7.

Access List Filtering

When configuring a SPAN session, you can apply access list filtering. Access list filtering applies to all packets passing through a SPAN destination port that might be sniffed in the egress or ingress direction. Access list filters are allowed on local SPAN sessions only. If the SPAN destination is an RSPAN VLAN, the access list filter is rejected.

Note  Access list filtering is available in Cisco IOS Release 12.2(20)EW and later releases.

ACL Configuration Guidelines

You can configure ACLs on a SPAN session. Use these guidelines for ACL/SPAN sessions:

• If an ACL is associated with a SPAN session, the rules associated with that ACL are applied against all packets exiting the SPAN destination interface. Rules pertaining to other VACLs or RACLs previously associated with the SPAN destination interface are not applied.
• Only one IP named ACL and one IPv6 ACL can be associated with a SPAN session.
• When no ACLs are applied to packets exiting a SPAN destination interface, all traffic is permitted regardless of the PACLs, VACLs, or RACLs that have been previously applied to the destination interface or VLAN to which the SPAN destination interface belongs.
• If an ACL is removed from a SPAN session, all traffic is permitted once again.
• If SPAN configuration is removed from the SPAN session, all rules associated with the SPAN destination interface are applied once again.
• If a SPAN destination port is configured as a trunk port and the VLANs to which it belongs have ACLs associated with them, the traffic is not subjected to the VACLs.
