Cisco SPAN port is a SwitchPort ANalyzer on the cisco catalyst that allows to select and span or copy traffic from one or more source switchports or source VLANs onto one or more destination ports. The destination port(s) runs a sniffing or a packet capture program like Ethereal, Wireshark or TCPDump.
Cisco IOS support Local SPAN and Remote SPAN (RSPAN).
A local SPAN is the one where the source VLANs, source switchports and the destination switchports are on the same physical switch.
Remote SPAN (RSPAN) A remote SPAN is the one where the source VLANs, Switchports and Destination ports can be on a different switches on the network.
The following procedure configures a SPAN session with SPAN Source and Destination:
1. Set the Source Interface/Vlan to SPAN from Global Configuration mode:
CiscoSwitch(config)# monitor session 1 source interface fa0/1 both
2. Set the Destination Interface for the SPAN
CiscoSwitch(config)# monitor session 1 destination interface fa0/2
The above configures SPAN Source port on fastethernet0/1 for ingress and egress traffic in step 1. All traffic here will be copied to the SPAN destination port fastEthernet0/2 configured on step 2.
The source can a single interface, a range of interfaces, a list of interfaces or a single VLAN, range of VLANs and list of VLANs.
The destination can be an interface, a range of intrerfaces or a list of interfaces where a sniffer or a packet capture device is capturing traffic.
Traffic copied on the source port can be ingress only, egress only or both.
To verify the setup of SPAN sessions:
CiscoSwitch# show monitor session 1
CiscoSwitch# show monitor session 1 detail
To configure a range of source interfaces for only ingress traffic (traffic received)
CiscoSwitch(config)# monitor session 1 source interface fa0/1-5 rx
To configure a list of source interfaces for egress traffic (traffic outbound):
CiscoSwitch(config)# monitor session 1 source interface fa0/1, 0/7 tx
To configure a list of destination SPAN ports:
CiscoSwitch(config)# monitor session 1 destination interface fa0/11, 0/17
For more information and official cisco documentation, please click here