Tip

This is the documentation for the 19.02 version. Looking for the documentation of the latest version? Have a look here.

Switch Port Analyzer (SPAN) Interfaces

A SPAN interface ties two interfaces together such that packets from one interface (the source) are directly copied to another (the destination). This feature is also known as a “mirror port” on some platforms. SPAN ports are commonly used with IDS/IPS, monitoring systems, and traffic logging/statistical systems. The target interface is typically monitored by a traffic analyzer, such as snort, that receives and processes the packets.

A SPAN port mirrors traffic to another interface which is typically a local receiver. To send SPAN packets to a remote destination, see GRE ERSPAN Example Use Case which can carry mirrored packets across GRE.

SPAN instances are configured from config mode using the span <source interface> command. Upon entering that command, TNSR enters config-span mode, as in the following example:

tnsr(config)# span GigabitEthernet0/14/0
tnsr(config-span)# onto memif1/1 hw both
tnsr(config-span)# exit

A SPAN instance may have one or more destinations, configured with the onto <destination interface> <layer> <state> command from within config-span mode. The parameters to the onto command are:

destination interface

The interface which will receive copies of packets from the source interface. The destination interface can be any interface available to TNSR.

layer

Sets the layer above which packet information is forwarded to the destination. Can be one of the following choices:

hw

Mirror hardware layer packets.

l2

Mirror Layer 2 packets.

state

Can be one of the following choices:

rx

Enables receive packets

tx

Enables transmit packets

both

Enables both transmit and receive packets

disabled

Disables both transmit and receive