Cisco Catalyst Switch Port Mirroring (SPAN) Technology

Source: Internet
Author: User
Tags network troubleshooting cisco 2950

1) What is port mirroring?

Port mirroring copies the data of one or more ports (or VLANs) of a switch to one or more other ports.

2) Why do I need port mirroring?

During network troubleshooting and traffic analysis, you sometimes need to monitor and analyze the data traffic on certain ports of a network node or backbone switch. Configuring a mirror (SPAN) port on the switch lets you monitor suspicious ports without affecting the data exchange of the monitored ports.
Deploying an IDS generally requires listening to network traffic, but it is quite difficult to listen to all traffic in the widely used switched networks. You therefore have to configure the switch to forward data from one or more ports (VLANs) to a specific port for network monitoring.

3) SPAN Classification

SPAN (Switched Port Analyzer) is mainly used to provide network data flows to a network analyzer. It can mirror data from several source ports in a VLAN to a monitoring port, or mirror data from several VLANs to a monitoring port. A SPAN task does not affect the normal operation of the switch. After a SPAN task is created, it is in the active or inactive state depending on the status or operation of the switch, and the system logs the task. The "show monitor session" command displays the current status of a SPAN task.

SPAN data streams are classified into three types:
(1) Input data stream (Ingress SPAN): the data stream received by the source port; a copy of it is sent to the monitoring port;
(2) Output data stream (Egress SPAN): the data stream sent from the source port; a copy of it is sent to the monitoring port;
(3) Bidirectional data stream (Both SPAN): the combination of the two types above.

4) Principles to be followed in a SPAN task:

(1) The equipment that monitors and analyzes the data should be connected to the monitoring port;
(2) Redundant link ports can only be used as the source port of a SPAN task;
(3) All source ports in a SPAN task must be monitored in the same direction;
(4) When a port is set as a source port and the monitoring direction of the data stream is not specified, the default is bidirectional;
(5) When a SPAN task contains multiple source ports, these ports can come from different VLANs;
(6) The command to cancel a SPAN task is: no monitor session {session_number};
(7) The command to cancel all SPAN tasks is: no monitor;
(8) The destination port of a SPAN task cannot be included in the spanning-tree distance calculation; however, because the BPDU packets of the source port can be mirrored, the SPAN destination port can monitor the BPDU packets that come from the source port.

5) Configuring the mirror (SPAN) port on Cisco Catalyst series switches

The command format for configuring the source port of SPAN on Cisco 2950, Cisco 3550, and Cisco 3750 series switches is as follows:
Switch(config)# [no] monitor session {session_number} source {interface type/num | vlan vlan_ID} [, | - | rx | tx | both]

The following example shows how to configure a SPAN task whose source port is FastEthernet 5/1 and whose monitored object is the bidirectional data stream:
Switch(config)# monitor session 1 source interface fastethernet 5/1

To configure the destination port of SPAN, the command format is as follows:
Switch(config)# [no] monitor session {session_number} destination {interface type/num}

The following example shows how to configure a SPAN task with the destination port FastEthernet 5/48:
Switch(config)# monitor session 1 destination interface fastethernet 5/48

When the source port of the SPAN task is a trunk port, the command format is as follows:
Switch(config)# [no] monitor session {session_number} filter vlan {vlan_ID} [, | -]

The following example shows how to configure the filter for VLAN1 to VLAN5 and VLAN9:
Switch(config)# monitor session 2 filter vlan 1-5, 9

The following is a comprehensive example that uses the commands mentioned above:

Monitor the bidirectional data streams on the trunk port FastEthernet 4/10 (the port carries the data streams of VLAN1 to VLAN1005), monitoring only the data streams in VLAN57; port FastEthernet 4/15 is the destination port. The specific configuration is as follows:

Switch(config)# monitor session 1 source interface fastethernet 4/10
Switch(config)# monitor session 1 filter vlan 57
Switch(config)# monitor session 1 destination interface fastethernet 4/15

To release the SPAN task, run the following command:
Switch(config)# no monitor session 1

The following command shows how to check the configuration of a SPAN task:
Switch# show monitor session 2

When configuring the mirror (SPAN) port, you should also consider the processing speed of the device and the port buffer when data traffic is heavy, so that the loss of monitored packets is kept to a minimum.
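
The following added example (not part of the original article and not Cisco code) parses "monitor session" lines in the command syntax shown in section 5 and checks each session against principles (3) and (4) of section 4. The sample configuration is constructed, and the function names and the "no destination port" check are assumptions made for this illustration.

```python
import re

# Constructed sample in the command syntax used on this page (not a real device's config).
SAMPLE_CONFIG = """\
monitor session 1 source interface fastethernet 4/10
monitor session 1 filter vlan 57
monitor session 1 destination interface fastethernet 4/15
monitor session 2 source interface fastethernet 5/1 rx
monitor session 2 source interface fastethernet 5/2 tx
monitor session 2 filter vlan 1-5, 9
"""
# An optional "Switch(config)#" style prompt may precede the command.
LINE = re.compile(r"^(?:.*#)?\s*monitor session (\d+) (source|destination|filter) (.+)$", re.I | re.M)
DIRECTIONS = {"rx", "tx", "both"}

def expand_vlans(spec):
    """Turn a filter list such as '1-5, 9' into {1, 2, 3, 4, 5, 9}."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_sessions(config):
    """Return {session: {'sources': [(port, direction)], 'dest': [port], 'vlans': set}}."""
    sessions = {}
    for m in LINE.finditer(config):
        s = sessions.setdefault(int(m.group(1)), {"sources": [], "dest": [], "vlans": set()})
        kind, words = m.group(2).lower(), m.group(3).split()
        if kind == "filter":
            s["vlans"] |= expand_vlans(" ".join(words[1:]))  # words[0] is 'vlan'
            continue
        # No direction keyword means bidirectional (principle 4).
        direction = words.pop().lower() if words[-1].lower() in DIRECTIONS else "both"
        port = " ".join(words).lower()
        if kind == "source":
            s["sources"].append((port, direction))
        else:
            s["dest"].append(port)
    return sessions

def audit(sessions):
    """Flag sessions with mixed source directions (principle 3) or no destination."""
    findings = []
    for num, s in sorted(sessions.items()):
        if s["sources"] and not s["dest"]:
            findings.append((num, "no destination port"))
        if len({d for _, d in s["sources"]}) > 1:
            findings.append((num, "sources monitored in different directions"))
    return findings
```

Running audit(parse_sessions(SAMPLE_CONFIG)) reports session 2 twice: it has no destination port, and its two source ports are monitored in different directions.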
