monitor session destination
To start a new Switched Port Analyzer (SPAN) session, to enable ingress traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance), and to add or delete interfaces or VLANs to or from an existing SPAN session, use the monitor session destination global configuration command. To remove the SPAN session or to remove destination interfaces from the SPAN session, use the no form of this command.
monitor session session-number destination { interface interface-id [ encapsulation { replicate | dot1q } ] { ingress [ dot1q | untagged ] } | { } vlan vlan-id
no monitor session session-number destination { interface interface-id [ encapsulation { replicate | dot1q } ] { ingress [ dot1q | untagged ] } | { } vlan vlan-id
Syntax Description
session-number | The session number identified with the SPAN session. The range is 1 to 4. |
interface interface-id | Specifies the destination or source interface for a SPAN session. Valid interfaces are physical ports (including type, stack member, module, and port number). For source interface, port channel is also a valid interface type, and the valid range is 1 to 6. |
encapsulation replicate | (Optional) Specifies that the destination interface replicates the source interface encapsulation method. If not selected, the default is to send packets in native form (untagged). These keywords are valid only for local SPAN. The encapsulation options are ignored with the no form of the command. |
encapsulation dot1q | (Optional) Specifies that the destination interface accepts the source interface incoming packets with IEEE 802.1Q encapsulation. These keywords are valid only for local SPAN. The encapsulation options are ignored with the no form of the command. |
ingress | Enables ingress traffic forwarding. |
dot1q | (Optional) Accepts incoming packets with IEEE 802.1Q encapsulation with the specified VLAN as the default VLAN. |
untagged | (Optional) Accepts incoming packets with untagged encapsulation with the specified VLAN as the default VLAN. |
isl | Specifies ingress forwarding using ISL encapsulation. |
vlan vlan-id | Sets the default VLAN for ingress traffic when used with only the ingress keyword. |
Command Default
No monitor sessions are configured.
If encapsulation replicate is not specified on a local SPAN destination port, packets are sent in native form with no encapsulation tag.
Ingress forwarding is disabled on destination ports.
You can specify all, local, range session-range, or remote with the no monitor session command to clear all SPAN, all local SPAN, or a range of sessions.
Command Modes
Global configuration (config)
Command History
Release | Modification |
---|---|
Cisco IOS Release 15.2(7)E1 | This command was introduced. |
Usage Guidelines
You can set a maximum of four SPAN sessions.
A SPAN destination must be a physical port.
You can have a maximum of 1 destination port per session.
Each session can include multiple ingress or egress source ports or VLANs, but you cannot combine source ports and source VLANs in a single session.
You can monitor traffic on a single port or VLAN or on a series or range of ports or VLANs. You select a series or range of interfaces or VLANs by using the [, | -] options.
If you specify a series of VLANs or interfaces, you must enter a space before and after the comma. If you specify a range of VLANs or interfaces, you must enter a space before and after the hyphen (-).
EtherChannel ports cannot be configured as SPAN destination ports. A physical port that is a member of an EtherChannel group can be used as a destination port, but it cannot participate in the EtherChannel group while it is a SPAN destination.
A private-VLAN port cannot be configured as a SPAN destination port.
A port used as a destination port cannot be a SPAN source, nor can a port be a destination port for more than one session at a time.
You can enable IEEE 802.1x authentication on a port that is a SPAN destination port; however, IEEE 802.1x authentication is disabled until the port is removed as a SPAN destination. If IEEE 802.1x authentication is not available on the port, the switch returns an error message. You can enable IEEE 802.1x authentication on a SPAN source port.
If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2.
Destination ports can be configured to function in these ways:
- When you enter monitor session session_number destination interface interface-id with no other keywords, egress encapsulation is untagged, and ingress forwarding is not enabled.
- When you enter monitor session session_number destination interface interface-id ingress, egress encapsulation is untagged; ingress encapsulation depends on the keywords that follow: dot1q or untagged.
- When you enter monitor session session_number destination interface interface-id encapsulation replicate with no other keywords, egress encapsulation replicates the source interface encapsulation; ingress forwarding is not enabled. (This applies to local SPAN only.)
- When you enter monitor session session_number destination interface interface-id encapsulation replicate ingress, egress encapsulation replicates the source interface encapsulation; ingress encapsulation depends on the keywords that follow: dot1q or untagged. (This applies to local SPAN only.)
You can verify your settings by entering the show monitor privileged EXEC command. You can display SPAN configuration on the switch by entering the show running-config privileged EXEC command. SPAN information appears near the end of the output.
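An offline audit of the monitor session lines from show running-config against the limits in these guidelines: session numbers 1 to 4, one destination port per session, and no port that is both a source and a destination or a destination in two sessions. It also reports destinations with ingress forwarding enabled, because that is off by default and lets the attached device send traffic into the network at Layer 2. This is an added example, not Cisco code; the function names, the abbreviated interface names and the sample configuration are constructed, and it assumes series and ranges are written with spaces around the comma and hyphen as described above.

```python
import re
from collections import defaultdict
# Constructed candidate configuration (not captured from a real device).
SAMPLE_CONFIG = """\
monitor session 1 source interface Gi1/0/1 , Gi1/0/3 - 4 both
monitor session 1 destination interface Gi2/0/2
monitor session 2 destination interface Gi1/0/4 ingress untagged vlan 5
monitor session 3 destination interface Gi1/0/7
monitor session 3 destination interface Gi1/0/8
monitor session 5 destination interface Gi2/0/2 encapsulation replicate
"""

LINE = re.compile(r"^\s*monitor session (\d+) (source|destination) interface (.+)$", re.I)
OPTIONS = re.compile(r"\s+(?:both|rx|tx|encapsulation|ingress)\b.*$", re.I)

def expand_ports(spec):
    """Expand 'Gi1/0/1 , Gi1/0/3 - 4 both' into lower-cased port names."""
    ports = []
    for item in " ".join(OPTIONS.sub("", spec).split()).split(" , "):
        first, _, last = item.partition(" - ")
        prefix, _, start = first.rpartition("/")  # assumes type/slot/port naming
        nums = range(int(start), int(last) + 1) if last else [start]
        ports += [f"{prefix}/{n}".lower() for n in nums]
    return ports

def audit_span(config):
    """Return sorted (session, finding) tuples for rule violations and ingress use."""
    src, dst, findings = defaultdict(set), defaultdict(list), set()
    for line in config.splitlines():
        if not (m := LINE.match(line)):
            continue
        session, role, spec = int(m.group(1)), m.group(2).lower(), m.group(3)
        if not 1 <= session <= 4:
            findings.add((session, "session number outside 1-4"))
        if role == "source":
            src[session].update(expand_ports(spec))
        else:
            dst[session] += expand_ports(spec)
            if "ingress" in spec.lower().split():
                findings.add((session, "ingress forwarding enabled on destination"))
    for session, ports in dst.items():
        if len(ports) > 1:
            findings.add((session, "more than one destination port"))
        for port in ports:
            if any(port in s for s in src.values()):
                findings.add((session, f"{port} is also a SPAN source"))
            if any(port in p for s, p in dst.items() if s != session):
                findings.add((session, f"{port} is a destination in another session"))
    return sorted(findings)
```

Calling audit_span(SAMPLE_CONFIG) returns one tuple per finding; an ingress finding is a prompt to confirm that the attached device is meant to send traffic, not a rule violation.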
Examples
This example shows how to create a local SPAN session 1 to monitor both sent and received traffic on source port 1 on stack member 1 to destination port 2 on stack member 2:
Device(config)# monitor session 1 source interface gigabitethernet1/0/1 both
Device(config)# monitor session 1 destination interface gigabitethernet2/0/2
This example shows how to delete a destination port from an existing local SPAN session:
Device(config)# no monitor session 2 destination interface gigabitethernet1/0/2
This example shows how to configure the destination port for ingress traffic on VLAN 5 by using a security device that supports IEEE 802.1Q encapsulation. Egress traffic replicates the source; ingress traffic uses IEEE 802.1Q encapsulation.
Device(config)# monitor session 2 destination interface interface-id encapsulation dot1q ingress dot1q vlan 5
This example shows how to configure the destination port for ingress traffic on VLAN 5 by using a security device that does not support encapsulation. Egress traffic and ingress traffic are untagged.
Device(config)# monitor session 2 destination interface interface-id ingress untagged vlan 5