Switch Port Analyzer (SPAN) Interfaces

A SPAN interface ties two interfaces together such that packets from one interface (the source) are directly copied to another (the destination). This feature is also known as a “mirror port” on some platforms. SPAN ports are commonly used with IDS/IPS, monitoring systems, and traffic logging/statistical systems. The target interface is typically monitored by a traffic analyzer, such as Snort, that receives and processes the packets.

A SPAN port mirrors traffic to another interface, which is typically a local receiver. To send SPAN packets to a remote destination, see GRE ERSPAN Example Use Case, which can carry mirrored packets across GRE.

SPAN Configuration

SPAN instances are configured from config mode using the span <source-interface> command. That command enters config-span mode. Inside config-span mode, the following commands are available:

onto <destination-interface> <layer> <state>

Specifies a destination for SPAN traffic. May be repeated for multiple destinations. This interface may not be the same as the <source-interface> given to create the span instance.

The available parameters include:

destination-interface

The interface which will receive copies of packets from the source interface. The destination interface can be any interface available to TNSR except for the <source-interface> given to create the span instance.

layer

Sets the layer above which packet information is forwarded to the destination. Can be one of the following choices:

hw

Mirror hardware layer packets.

l2

Mirror Layer 2 packets.

state

Can be one of the following choices:

rx

Enables mirroring of received packets.

tx

Enables mirroring of transmitted packets.

both

Enables mirroring of both transmitted and received packets.

disabled

Disables mirroring of both transmitted and received packets.

Note

When removing a span instance, the state does not need to be present on the command; if given, it is ignored.

SPAN Example

This example creates a new span that copies all packets sent and received on GigabitEthernet0/14/0 to memif1/1. The packet copies include hardware level information and above.

tnsr(config)# span GigabitEthernet0/14/0
tnsr(config-span)# onto memif1/1 hw both
tnsr(config-span)# exit
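The following check is an added example, not part of the TNSR documentation or tooling. It reads span/onto lines from a CLI transcript, applies the rules stated above (destination differs from source, layer is hw or l2, state is one of the four listed values), and notes any destination whose state is not both, since an analyzer on that interface will not receive both directions. The function name, the constructed transcript, and the interfaces memif2/1 and memif3/1 are assumptions.

```python
import re

LAYERS = {"hw", "l2"}                      # layer choices listed on this page
STATES = {"rx", "tx", "both", "disabled"}  # state choices listed on this page
PROMPT = re.compile(r"^tnsr\(config(?:-span)?\)#\s*")

def audit_span(text):
    """Parse span/onto lines; return ({source: [(dest, layer, state)]}, findings)."""
    spans, findings, source = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[0] == "span" and len(words) == 2:
            source = words[1]
            spans.setdefault(source, [])
        elif words[0] == "exit":
            source = None
        elif words[0] == "onto":
            if source is None or len(words) != 4:
                findings.append((n, "error", "onto needs config-span mode and 3 arguments"))
                continue
            dest, layer, state = words[1:]
            errors = [msg for bad, msg in (
                (dest == source, "destination is the same as the source interface"),
                (layer not in LAYERS, f"unknown layer '{layer}'"),
                (state not in STATES, f"unknown state '{state}'")) if bad]
            findings += [(n, "error", e) for e in errors]
            if not errors:
                spans[source].append((dest, layer, state))
                if state != "both":  # coverage note for IDS/logging receivers
                    findings.append((n, "warn", f"{dest} state is '{state}', not 'both'"))
    return spans, findings

# Constructed transcript; memif2/1 and memif3/1 are made-up interface names.
SAMPLE = """\
tnsr(config)# span GigabitEthernet0/14/0
tnsr(config-span)# onto memif1/1 hw both
tnsr(config-span)# onto memif2/1 l2 rx
tnsr(config-span)# onto GigabitEthernet0/14/0 hw both
tnsr(config-span)# onto memif3/1 l3 tx
tnsr(config-span)# exit
"""

if __name__ == "__main__":
    print(*audit_span(SAMPLE)[1], sep="\n")
```
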

See also

For an example ERSPAN configuration that combines GRE in ERSPAN mode with a span instance, see GRE ERSPAN Example Use Case.