Tip
This is the documentation for the v21.03 version. Looking for the documentation of the latest version? Have a look here.
Switch Port Analyzer (SPAN) Interfaces¶
A SPAN interface ties two interfaces together such that packets from one interface (the source) are directly copied to another (the destination). This feature is also known as a “mirror port” on some platforms. SPAN ports are commonly used with IDS/IPS, monitoring systems, and traffic logging/statistical systems. The target interface is typically monitored by a traffic analyzer, such as snort, that receives and processes the packets.
A SPAN port mirrors traffic to another interface which is typically a local receiver. To send SPAN packets to a remote destination, see GRE ERSPAN Example Use Case which can carry mirrored packets across GRE.
SPAN Configuration¶
SPAN instances are configured from config
mode using the span
<source-interface>
command. That command enters config-span
mode. Inside
config-span
mode, the following commands are available:
- onto <destination-interface> <layer> <state>:
Specifies a destination for SPAN traffic. May be repeated for multiple destinations. This interface may not be the same as the
<source-interface>
given to create the span instance.The available parameters include:
- destination-interface:
The interface which will receive copies of packets from the source interface. The destination interface can be any interface available to TNSR except for the
<source-interface>
given to create the span instance.- layer:
Sets the layer above which packet information is forwarded to the destination. Can be one of the following choices:
- hw:
Mirror hardware layer packets.
- l2:
Mirror Layer 2 packets.
- state:
Can be one of the following choices:
- rx:
Enables receive packets
- tx:
Enables transmit packets
- both:
Enables both transmit and receive packets
- disabled:
Disables both transmit and receive
Note
When removing a span
instance, the state does not need to be
present on the command, and will be ignored.
SPAN Example¶
This example creates a new span that copies all packets sent and received on
GigabitEthernet0/14/0
to memif1/1
. The packet copies include hardware
level information and above.
tnsr(config)# span GigabitEthernet0/14/0
tnsr(config-span)# onto memif1/1 hw both
tnsr(config-span)# exit
See also
For an example ERSPAN configuration that combines GRE in ERSPAN
mode with a span
instance, see GRE ERSPAN Example Use Case.