A guide to port mirroring on Cisco (SPAN) switches

SPAN is the Switched Port Analyzer that is available on some Cisco Catalyst Switches. You can utilize SPAN on:

  • Catalyst Express 500 / 520 Series
  • Catalyst 1900 Series
  • Catalyst 2900XL Series
  • Catalyst 2940 Series
  • Catalyst 2948G-L2, 2948G-GE-TX, 2980G-A
  • Catalyst 2950 Series
  • Catalyst 2955 Series
  • Catalyst 2960 Series
  • Catalyst 2970 Series
  • Catalyst 3500 XL Series
  • Catalyst 3550 Series
  • Catalyst 3560 / 3560E / 3560X Series
  • Catalyst 3750 / 3750E /3750X Series
  • Catalyst 3750 Metro Series
  • Catalyst 4500/4000 Series
  • Catalyst 4900 Series
  • Catalyst 5500/5000 Series
  • Catalyst 6500/6000 Series

Note: The setup process is different for each model.

What is SPAN?

The SPAN facility lets you connect a packet sniffer to a switch and see traffic that is not addressed to it. A switch forwards a unicast frame only to the port where it has learned the destination MAC address, so a sniffer on any other port normally sees only broadcasts, flooded multicasts and unknown-unicast frames. With SPAN, the switch copies the frames passing through the monitored port(s) and sends the copies out of the sniffer's port. This process is known as “mirroring.”

A SPAN session can monitor a single port or many ports, and you can choose which direction of traffic (received, transmitted or both) is copied. A variation called RSPAN (Remote SPAN) lets the monitored ports sit on one switch and the sniffer on another: the copies are carried between the switches in a dedicated RSPAN VLAN. RSPAN isn't available on all Catalyst switches: the Express 500 / 520, 5500/5000, 3500 XL, 2940, 2948G-L3, and 2900XL switches don't have the RSPAN feature.

You can also set SPAN to monitor a whole VLAN (sometimes called VSPAN), which copies every frame switched in that VLAN. A little terminology needs to be explained. The terms “source” and “destination,” which are commonly used in networking, have different meanings within SPAN. Here, a “source” is a port or VLAN whose traffic is copied, not the origin of the traffic. The “destination” is the port that the packet sniffer is connected to; it doesn't mean the destination of the monitored traffic. A destination port is dedicated to the session: it stops behaving as a normal switch port and, by default, discards anything the sniffer sends into it, which conveniently isolates the capture host from the rest of the network.

Set up SPAN on the switch

Cisco recommends different methods for setting up port mirroring with SPAN according to the version of the Catalyst switch. These steps only divert copies of traffic packets to the port to which you connect your device. The port mirroring setup will not store or analyze the traffic. You can use any network analysis software to process the packets that are sent to your device.

Set up SPAN on IOS switches

For these switch models, you connect to the device's command line, enter configuration mode and issue commands to specify the port to monitor and the SPAN port. This takes two lines. One specifies the source, which means the port (or VLAN) that will have its traffic replicated, and the other gives the interface that the sniffer is connected to: this is the destination line.

monitor session <number> source {interface <interface-id or range> | vlan <vlan-id or range> | remote vlan <rspan-vlan-id>} [rx | tx | both]
monitor session <number> destination interface <interface-id>

Once you have finished defining the mirror, press CTRL-Z (or type end) to leave configuration mode. You can check what the switch actually built with show monitor session <number>.

The session number lets you run several different monitors simultaneously; how many depends on the model (the 2960, 3560 and 3750, for example, allow two local sessions). Repeating a source command with the same session number adds another source to that session rather than replacing it; to start over, or to stop mirroring, remove the session with no monitor session <number>. Port ranges are defined with a dash (“-”) and separate ports are separated by commas (“,”), each surrounded by spaces.

The last element in the source command specifies whether the switch should replicate packets received on that port (rx), transmitted from it (tx), or both; if you omit it, both is assumed. Be aware that mirroring several busy ports, or a whole VLAN, in both directions onto a single destination port can oversubscribe that port; the switch silently drops the excess copies, so the capture is then not a complete record of what crossed the network.
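The whole procedure on an IOS switch, as an added example that is not part of the original article. The interface names, VLAN 10 and the session numbers are assumptions chosen for illustration; lines beginning with “!” are commentary, not commands.

```cisco
! Added example (not from the original article): local SPAN on a Catalyst
! switch running IOS, e.g. a 2960/3560/3750. Interface names, VLAN 10 and
! the session numbers are assumptions for illustration.
Switch# configure terminal
! Further "source" commands with the same session number add sources to it,
! so clear any earlier definition of session 1 before starting.
Switch(config)# no monitor session 1
! Session 1: mirror both directions of the server port ...
Switch(config)# monitor session 1 source interface GigabitEthernet1/0/1 both
! ... plus only the frames received on ports 2-4 and port 7 (a range uses
! "-", a list uses ",", each surrounded by spaces).
Switch(config)# monitor session 1 source interface GigabitEthernet1/0/2 - 4 , GigabitEthernet1/0/7 rx
! Destination: the sniffer's port. "encapsulation replicate" keeps 802.1Q tags
! on the copies so the capture shows real VLAN membership. Without the
! "ingress" keyword the switch drops frames the sniffer sends, which keeps
! the capture host isolated from the network.
Switch(config)# monitor session 1 destination interface GigabitEthernet1/0/24 encapsulation replicate
! Session 2: everything switched in VLAN 10 (VSPAN). Ports and VLANs cannot
! be mixed as sources of one session on these platforms, hence a second
! session with its own destination port.
Switch(config)# monitor session 2 source vlan 10
Switch(config)# monitor session 2 destination interface GigabitEthernet1/0/23
Switch(config)# end
! Verify: the output lists the source and destination ports of each session
! and the direction being copied.
Switch# show monitor session 1
Switch# show monitor session 2
! Tear down when the capture is finished so the mirror does not linger.
Switch# configure terminal
Switch(config)# no monitor session all
Switch(config)# end
```

Save the running configuration only if the mirror is meant to survive a reload; for a one-off investigation, leaving it unsaved means a reboot will not silently re-enable the copy of traffic to a port somebody else may later plug into.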

Set up SPAN on CatOS switches

Older Catalyst platforms (the 4000, 5000 and 6000 families) run CatOS, Cisco's earlier switch operating system, rather than IOS. The commands used to set up SPAN mirroring on these switches are a little different. With this operating system, you create a mirror with just one command instead of two.

set span <src_mod/src_ports | src_vlans | sc0> <dest_mod/dest_port> [rx|tx|both]
[inpkts <enable|disable>]
[learning <enable|disable>]
[multicast <enable|disable>]
[filter <vlans...>]
[create]

The source ports are defined by the first element in this command, which is the “src_mod/src_ports” part; a list of VLANs or the sc0 management interface can be given instead. The second port identifier on the command is read as the destination port, that is, the port to which the packet sniffer is attached. The “rx | tx | both” element tells the switch to replicate the packets received on the source, transmitted from it, or both (the default). The optional keywords control whether the destination port accepts frames coming in from the sniffer (inpkts, disabled by default), whether it learns MAC addresses (learning), whether multicast traffic is copied (multicast), which VLANs of a trunk source are copied (filter), and whether the command adds a new session instead of overwriting the existing one (create).

There is also a set span command to turn off mirroring:

set span disable [dest_mod/dest_port|all]
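The same procedure on a CatOS switch, as an added example that is not part of the original article. The module/port numbers and VLAN numbers are assumptions for illustration; lines beginning with “!” are commentary, not commands.

```cisco
! Added example (not from the original article): local SPAN on a CatOS
! switch such as a Catalyst 6500 with a CatOS supervisor. Module/port and
! VLAN numbers are assumptions for illustration.
! Session 1: both directions of ports 1-4 on module 3, copied to port 3/48.
! "create" adds a session instead of overwriting an existing one.
Console> (enable) set span 3/1-4 3/48 both create
! Session 2: everything switched in VLANs 10 and 20, receive direction only,
! copied to port 3/47.
Console> (enable) set span 10,20 3/47 rx create
! Session 3: a single port, with the destination kept from sending frames
! into the switch (inpkts disable is the default and isolates the sniffer),
! MAC learning off on the destination, and multicast copies suppressed.
Console> (enable) set span 3/5 3/46 both inpkts disable learning disable multicast disable create
! Verify which sources feed which destination and in which direction.
Console> (enable) show span
! Tear down one destination, or every session at once, when finished.
Console> (enable) set span disable 3/46
Console> (enable) set span disable all
```

Note that without “create” a set span command replaces the existing session, so when several captures run at once it is worth checking show span before and after each change.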

Set up SPAN on Catalyst Express 500 and Catalyst Express 520 switches

If you have a Catalyst Express 500 or Catalyst Express 520 switch, you don’t enter the SPAN settings at the operating system. In order to communicate with the switch and alter its settings, you need to install the Cisco Network Assistant (CNA). This network management software is free and runs on the Windows environment. Follow these steps to get SPAN active on the switch.

  1. Log into the switch through the CNA interface.
  2. Select the Smartports option in the CNA menu. This will display a graphic representing the port array of the switch.
  3. Click on the port that you want to connect the packet sniffer to and select the Modify option. This will display a pop-up window.
  4. Select Diagnostics in the Role list and select the port that will have its traffic monitored from the Source drop-down list. If you want to specifically monitor a VLAN, select it from the Ingress VLAN list. If you aren’t aiming to just watch traffic for a VLAN, leave this value at its default. Click on OK to save the settings.
  5. Click on OK and then Apply in the Smartports screen.

Note: one drawback of the CNA method is that the software only runs on Windows versions up to Windows 7.

Monitoring network traffic

Getting the SPAN port defined on your switch is only half of the task of capturing network traffic. The procedures explained above will get packets replicated and sent to a specific port on the switch. You next need to connect a computer to that port and put some traffic analysis software on it in order to store and analyze these packets.

You can find out more about traffic analysis software in the article 9 best packet sniffers and network analyzers for 2018. You should also be aware that extensive port mirroring generates a lot of data, which takes up storage space, so be selective about the ports you monitor, apply a capture filter on the sniffer where you can, rotate capture files, and don't let the packet capture process run for longer than the investigation needs.

Cisco traffic monitoring systems

Full packet capture and storage might run you into problems with data confidentiality. Traffic that leaves your network for external sites is mostly encrypted nowadays, but not all in-house traffic is, and a full capture contains whatever those cleartext protocols carry. Unless your organization has decided to implement extra security for email, the mail traffic around your network will not be encrypted by default. Treat capture files as sensitive data: restrict who can read them and delete them when the investigation is over.

As an alternative traffic analysis technique, you could consider using NetFlow. Rather than copying packets, NetFlow is a feature you enable on supported Cisco routers and switches that summarizes traffic into flow records (source and destination addresses, ports, protocol, byte and packet counts) and exports them to a central collector, so no packet payload ever leaves the device. You can read about network monitors that collect NetFlow data in the article 10 Best Free and Premium NetFlow Analyzers and Collectors.
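What a NetFlow setup exports, shown as an added example that is not part of the original article: a Flexible NetFlow configuration on an IOS switch that supports it. The collector address 192.0.2.10 (a documentation range, RFC 5737), UDP port 2055, the record/exporter/monitor names and the interface name are assumptions; lines beginning with “!” are commentary, not commands.

```cisco
! Added example (not from the original article): Flexible NetFlow on an IOS
! switch that supports it. Collector 192.0.2.10 (RFC 5737 documentation
! range), UDP port 2055, the object names and the interface are assumptions.
Switch# configure terminal
! The record lists exactly what leaves the switch: the 5-tuple and counters.
! No payload field exists here, which is the confidentiality advantage over
! a full packet capture.
Switch(config)# flow record SEC-RECORD
Switch(config-flow-record)# match ipv4 source address
Switch(config-flow-record)# match ipv4 destination address
Switch(config-flow-record)# match ipv4 protocol
Switch(config-flow-record)# match transport source-port
Switch(config-flow-record)# match transport destination-port
Switch(config-flow-record)# collect counter bytes long
Switch(config-flow-record)# collect counter packets long
Switch(config-flow-record)# exit
! Where the records go. The export is plain UDP, so the collector should sit
! on a management network rather than be reachable from user VLANs.
Switch(config)# flow exporter SEC-EXPORTER
Switch(config-flow-exporter)# destination 192.0.2.10
Switch(config-flow-exporter)# transport udp 2055
Switch(config-flow-exporter)# export-protocol netflow-v9
Switch(config-flow-exporter)# exit
! The monitor ties record and exporter together; the active timeout flushes
! long-lived flows every 60 seconds so the collector sees them while running.
Switch(config)# flow monitor SEC-MONITOR
Switch(config-flow-monitor)# record SEC-RECORD
Switch(config-flow-monitor)# exporter SEC-EXPORTER
Switch(config-flow-monitor)# cache timeout active 60
Switch(config-flow-monitor)# exit
! Attach the monitor to the interface whose traffic you want summarized.
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# ip flow monitor SEC-MONITOR input
Switch(config-if)# end
! Inspect the flows currently held in the cache before they are exported.
Switch# show flow monitor SEC-MONITOR cache
```

Compared with the SPAN examples above, nothing here dedicates a port or needs a capture host on the switch; the cost is that you only ever get the summary, so an investigation that needs the actual bytes still has to fall back on a mirror.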

Once you have all the information at your fingertips about all of the traffic monitoring capabilities of your Cisco switches, you will be in a better position to decide which packet capture method to use.