Peter Lindstrom

• How-Tos
• Programs
• Webcams
• Web Stats

Setup Port Monitoring (SPAN) on Cisco Catalyst Switches

Please note that this documentation has only been tested on a 2950 series switch, so I cannot vouch for compatibility with other Cisco switches. For more detailed information about SPAN and configuration with different Cisco switches, please see Cisco's Catalyst Switched Port Analyzer (SPAN) Configuration Example.

What is SPAN

SPAN (Switched Port Analyzer) is Cisco's version of Port Monitoring—a setting that sends copies of data packets passing through the switch to a specific port on the switch. A probe can then intercept those packets and search for malicious activity across the network.

3Com refers to Port Monitoring as a Roving Analysis Port. For more information on configuring a Roving Analysis Port on a 3Com SuperStack switch, please see 3Com's Switch Management Setup Guide.

Command Line Setup

Before making changes on the switch, you will first need to designate a port on the switch as a dedicated monitoring port (also known as the destination port). The monitoring port will receive a copy of the data packets from the source port(s). It is important to keep in mind that a monitoring port can only be used as a monitoring port. The monitoring port cannot transmit data (other than data required by port monitoring), and the port itself cannot be monitored.

To setup a basic SPAN that will copy traffic on all ports across the switch, execute the following commands in the command line. These commands will set the SPAN to copy all data packets from ports 1-23 and will set port 24 as the destination port.

Step 1

sw2950#enable
		

Enable priviledged commands. The administrator password is required to enable priviledged commands.

Step 2

sw2950#configure terminal
		

Enter global configuration mode, necessary to configure any feature on the switch.

Step 3

sw2950(config)#monitor session 1 source interface fastethernet0/1 - 23
		

Specify the SPAN session and source ports. In the command above, the SPAN session is 1 (in my experience the session number is usually 1) and the source ports are ports 1 - 23.

Step 4

sw2950(config)#monitor session 1 destination interface fastethernet0/24
		

Specify the SPAN session and destination port. In this command, the SPAN session is 1, same as before, and the destination port is port 24.

Step 5

sw2950(config)#end
		

Exit global configuration mode.

Step 6

sw2950#show monitor session 1
		

To verify that everything is working correctly, this command will show details about SPAN session 1. Desired output should match:

Session 1
---------
Type              : Local Session
Source Ports      :
    Both          : Fa0/1-23
Destination Ports : Fa0/24
    Encapsulation : Native
          Ingress : Disabled
		

Step 7

sw2950#disable
		

Leave global configuration mode.

Remove SPAN sessions

To remove an existing SPAN session, use the no monitor command. The command in the following example will remove SPAN session 1.

sw2950(config)#no monitor session 1
		

To remove all SPAN sessions, run the command no monitor session all.

SPAN Configuration

SPAN supports a variety of settings and options, too many to cover within the scope of this article. Please see the Cisco Switch Software Configuration Guide for your switch to view additional settings and options, as well as features unique to your specific switch. Here are a few common Cisco switches and associated SPAN documentation:

• Catalyst 1200, Catalyst 1600, Catalyst 1700, Catalyst 1800, Catalyst 1900, Catalyst 2820, Catalyst 3000, IOS Desktop Switching Software, 11.2(8)SA6
• Catalyst 2950 and Catalyst 2955, 12.1(19)EA1
• Catalyst 3550, 12.1(19)EA1
• Catalyst 3560, 12.1(19)EA1
• Catalyst 3750, 12.2(52)SE
• Catalyst 4500, 8.1
• Catalyst 5000, 6.3/6.4