30-9
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 30 Configuring SPAN and RSPAN
Information About SPAN and RSPAN
A secure port cannot be a SPAN destination port.
For SPAN sessions, do not enable port security on ports with monitored egress when ingress
forwarding is enabled on the destination port. For RSPAN source sessions, do not enable port
security on any ports with monitored egress.
An IEEE 802.1x port can be a SPAN source port. You can enable IEEE 802.1x on a port that is a
SPAN destination port; however, IEEE 802.1x is disabled until the port is removed as a SPAN
destination.
For SPAN sessions, do not enable IEEE 802.1x on ports with monitored egress when ingress
forwarding is enabled on the destination port. For RSPAN source sessions, do not enable
IEEE 802.1x on any ports that are egress monitored.
Local SPAN Configuration Guidelines
For SPAN sources, you can monitor traffic for a single port or VLAN or a series or range of ports
or VLANs for each session. You cannot mix source ports and source VLANs within a single SPAN
session.
The destination port cannot be a source port; a source port cannot be a destination port.
You cannot have two SPAN sessions using the same destination port.
When you configure a switch port as a SPAN destination port, it is no longer a normal switch port;
only monitored traffic passes through the SPAN destination port.
Entering SPAN configuration commands does not remove previously configured SPAN parameters.
You must enter the no monitor session {session_number | all | local | remote} global configuration
command to delete configured SPAN parameters.
For local SPAN, outgoing packets through the SPAN destination port carry the original
encapsulation headers—untagged or IEEE 802.1Q—if the encapsulation replicate keywords are
specified. If the keywords are not specified, the packets are sent in native form. For RSPAN
destination ports, outgoing packets are not tagged.
You can configure a disabled port to be a source or destination port, but the SPAN function does not
start until the destination port and at least one source port or source VLAN are enabled.
You can limit SPAN traffic to specific VLANs by using the filter vlan keyword. If a trunk port is
being monitored, only traffic on the VLANs specified with this keyword is monitored. By default,
all VLANs are monitored on a trunk port.
You cannot mix source VLANs and filter VLANs within a single SPAN session.
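The following Python linter is an added example, not part of the Cisco guide. It checks a configuration template offline against several of the guidelines above: a secure port used as a destination, source ports mixed with source VLANs, source VLANs mixed with filter VLANs, a destination that is also a source, and a destination shared by two sessions. The sample configuration, the interface names, and the function name lint_span are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (not from the guide). Assumes full interface names on every line.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/2
 switchport port-security
!
monitor session 1 source interface GigabitEthernet1/1 both
monitor session 1 source vlan 10
monitor session 1 destination interface GigabitEthernet1/2 encapsulation replicate
monitor session 2 source vlan 20
monitor session 2 filter vlan 20 - 25
monitor session 2 destination interface GigabitEthernet1/2
"""

# Captures only the first port/VLAN on a line; lists and ranges are not expanded.
MON = re.compile(r"^monitor session (\d+) (source|destination|filter) (interface|vlan) (\S+)")

def lint_span(config):
    """Return guideline violations found in an IOS-style config text."""
    sess = defaultdict(lambda: defaultdict(set))  # session -> "role kind" -> values
    secure, current_if = set(), None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level line opens or closes an interface stanza
            current_if = line.split()[1] if line.startswith("interface ") else None
        elif line.strip() == "switchport port-security" and current_if:
            secure.add(current_if)
        m = MON.match(line)
        if m:
            n, role, kind, value = m.groups()
            sess[int(n)][f"{role} {kind}"].add(value)
    all_sources = set().union(*(s["source interface"] for s in sess.values()))
    findings, dest_owner = [], {}
    for n, s in sorted(sess.items()):
        if s["source interface"] and s["source vlan"]:
            findings.append(f"session {n}: mixes source ports and source VLANs")
        if s["source vlan"] and s["filter vlan"]:
            findings.append(f"session {n}: mixes source VLANs and filter VLANs")
        for d in sorted(s["destination interface"]):
            if d in all_sources:
                findings.append(f"session {n}: destination {d} is also a source port")
            if d in secure:
                findings.append(f"session {n}: destination {d} is a secure port")
            if d in dest_owner:
                findings.append(f"session {n}: destination {d} already used by session {dest_owner[d]}")
            dest_owner.setdefault(d, n)
    return findings
```

Calling lint_span(SAMPLE_CONFIG) returns five findings. Interface names abbreviated in monitor session lines would need to be normalised before the secure-port comparison.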
RSPAN Configuration Guidelines
All the items in the “Local SPAN Configuration Guidelines” section on page 30-9 apply to RSPAN.
Because RSPAN VLANs have special properties, you should reserve a few VLANs across your
network for use as RSPAN VLANs; do not assign access ports to these VLANs.
You can apply an output ACL to RSPAN traffic to selectively filter or monitor specific packets.
Specify these ACLs on the RSPAN VLAN in the RSPAN source switches.
For RSPAN configuration, you can distribute the source ports and the destination ports across
multiple switches in your network.
RSPAN does not support BPDU packet monitoring or other Layer 2 switch protocols.