Skip to content

SPAN Port Configuration

December 30, 2011

SPAN is an acronym for Switched Port Analyzer. SPAN is Cisco’s name for Port Mirroring. Other companies have their own names for it but the purpose is the same. Port Mirroring copies frames to a port for a system to read. Picture it as though it is tapping a phone line. The phone call still goes through but someone else is listening in. This description makes SPAN ports sound very scary but they do provide two very useful features: traffic logging and Intrustion Detection and/or Prevention.

Complete traffic logging is probably not very useful or feasible for most organizations but capturing bits of traffic can be very useful for debugging or training purposes. For example, have you seen two network devices (ex. router and switch) communicate and have it logged in pcap format? There is a good chance this capture was completed using a SPAN port.

The way traditional SPAN works is pretty straight forward. A port is told to send a copy of the traffic when it sends and/or receives a frame to another port called a destination SPAN port. The SPAN port sends the traffic out the line expecting something to hear it.  Note SPAN traffic can be sent from one network device through other devices using an RSPAN configuration. This document does not cover RSPAN.

The actual configuration of SPAN is pretty simple.

Switch1# configure terminal
Switch1(config)# monitor session 1 source interface FastEthernet 0/1 both
Switch1(config)# monitor session 1 destination interface FastEthernet 0/2

That is all there is to configuring a basic SPAN port. Lets break this command down a bit:

monitor session 1 monitor session is the command for SPAN configuration with 1 being the session’s unique identifier.
source interface FastEthernet 0/1 Use this interface as the place to look for traffic which should be redirected. A range can be specified as well.
both Redirect tx (out) and rx (in) traffic. Specify tx if only sent information should be redirected or rx if only received traffic should be redirected.
monitor session 1 monitor session is the command for SPAN configuration with1 being the session’s unique identifier.
destination interface FastEthernet 0/2 Use this interface as where to send traffic which should be redirected. This is where your listening device is connected.

The destination port, in this case FastEthernet 0/2, doesn’t receive any traffic from the listening device. It ignores all traffic it gets from the outside and only accepts from the SPAN source port(s) and a few other places. Because of this, the listening device won’t ever make a real connection and be able to communicate with the switch.

One final idea to keep in mind, is this only works on switches. If you have a dedicated routing device, such as a 2801 router, SPAN won’t work except for on EtherSwitch modules. The internal interfaces cannot be SPAN source or destination ports.


From → Tutorial

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s