Chapter 2
Catalyst 3550 Switch Cisco IOS Commands
monitor session
You can monitor only received traffic on a VLAN; you cannot monitor transmitted traffic.

You can monitor traffic on a single port or VLAN or on a series or range of ports (ingress traffic only) or VLANs. You select a series or range of interfaces or VLANs by using the [, | -] options.

If you specify a series of VLANs or interfaces, you must enter a space before and after the comma. If you specify a range of VLANs or interfaces, you must enter a space before and after the hyphen (-).

EtherChannel ports cannot be configured as SPAN or RSPAN destination or reflector ports. A physical port that is a member of an EtherChannel group can be used as a source or destination port. It cannot participate in the EtherChannel group while it is configured for SPAN or RSPAN.

A port used as a reflector port cannot be a SPAN or RSPAN source or destination port, nor can a port be a reflector port for more than one session at a time.

A port used as a destination port cannot be a SPAN or RSPAN source or reflector port, nor can a port be a destination port for more than one session at a time.

You can enable IEEE 802.1x authentication on a port that is a SPAN or RSPAN destination port; however, IEEE 802.1x authentication is disabled until the port is removed as a SPAN destination. (If IEEE 802.1x authentication is not available on the port, the switch will return an error message.) You can enable IEEE 802.1x authentication on a SPAN or RSPAN source port.

If ingress forwarding is enabled, you can use the SPAN or RSPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) Sensor Appliance to a destination port, the IDS device can send TCP Reset packets to close down the TCP session of a suspected attacker.

VLAN monitoring and VLAN filtering are mutually exclusive. If a VLAN is a source, VLAN filtering cannot be enabled. If VLAN filtering is configured, a VLAN cannot become a source.

VLAN-based SPAN (VSPAN) refers to analyzing network traffic in a set of VLANs. All active ports in the source VLANs become source ports for the SPAN or RSPAN session. Trunk ports are included as source ports for VSPAN, and only packets with the monitored VLAN ID are sent to the destination port.

Trunk VLAN filter refers to analyzing network traffic on a selected set of VLANs on trunk source ports. By default, all VLANs are monitored on trunk source ports. You can use the monitor session session_number filter vlan vlan-id command to limit SPAN traffic on the trunk source port to only the specified VLANs.

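Several of the guidelines above can be checked mechanically before a configuration is applied. The following Python code is an added example, not part of the Cisco command reference; the function name lint_span and the sample configuration are assumptions, and ranges are not expanded into individual ports.

```python
import re
from collections import defaultdict

CMD = re.compile(r"(no\s+)?monitor session (\d+) (source|destination|filter) "
                 r"(interface|vlan) (.+)", re.I)

def lint_span(config):
    """Return guideline violations found in 'monitor session' lines."""
    findings = []
    src_ports, dst_ports = defaultdict(set), defaultdict(set)  # port -> sessions
    src_vlan, flt_vlan = set(), set()                          # session numbers
    for line in config.splitlines():
        m = CMD.search(line)
        if not m or m[1]:                  # skip other lines and 'no' forms
            continue
        sess, role, kind, rest = int(m[2]), m[3].lower(), m[4].lower(), m[5].strip().lower()
        dm = re.search(r"\s(rx|tx|both)$", rest)          # optional direction keyword
        ids = rest[:dm.start()] if dm else rest
        ids = re.split(r"\s+(?:encapsulation|ingress)\b", ids)[0]
        if re.search(r"\d[,-]|[,-]\d", ids):              # ',' or '-' touching a digit
            findings.append(f"session {sess}: put a space before and after ',' or '-'")
        if kind == "vlan" and role == "source":
            src_vlan.add(sess)
            if dm and dm[1] != "rx":
                findings.append(f"session {sess}: VLAN sources are receive-only (rx)")
        elif kind == "vlan" and role == "filter":
            flt_vlan.add(sess)
        elif kind == "interface" and role in ("source", "destination"):
            table = src_ports if role == "source" else dst_ports
            for port in ids.split(","):    # ranges are not expanded (simplification)
                table[port.replace(" ", "")].add(sess)
    for s in sorted(src_vlan & flt_vlan):
        findings.append(f"session {s}: VLAN source and VLAN filter are mutually exclusive")
    for port, sessions in sorted(dst_ports.items()):
        if len(sessions) > 1:
            findings.append(f"{port}: destination in sessions {sorted(sessions)}")
        if port in src_ports:
            findings.append(f"{port}: destination port is also a source port")
    return findings

# Constructed sample configuration (not from the command reference).
SAMPLE = """\
monitor session 1 source interface fastEthernet0/1 both
monitor session 1 destination interface fastEthernet0/8
monitor session 2 source vlan 5 both
monitor session 2 filter vlan 100-304
monitor session 2 destination interface fastethernet0/8
monitor session 3 source interface fastethernet0/8 rx
"""
```

Calling lint_span(SAMPLE) returns five findings: the transmit direction on a VLAN source, the unspaced range, the source/filter conflict in session 2, and the two reuse problems on fastethernet0/8.
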
Examples
This example shows how to create SPAN session 1 to monitor both sent and received traffic on a source
interface and copy it to a destination interface:
Switch(config)# monitor session 1 source interface fastEthernet0/1 both
Switch(config)# monitor session 1 destination interface fastEthernet0/8
This example shows how to delete a destination port from an existing SPAN session:
Switch(config)# no monitor session 2 destination interface fastEthernet0/4
This example shows how to limit SPAN traffic only to specific VLANs:
Switch(config)# monitor session 1 filter vlan 100 - 304
This example shows how to configure RSPAN session 1 to monitor multiple source interfaces and a
VLAN and to configure the destination RSPAN VLAN and the reflector-port:
Switch(config)# monitor session 1 source interface fastethernet0/10 tx
Switch(config)# monitor session 1 source interface fastethernet0/2 rx
Switch(config)# monitor session 1 source interface port-channel 102 rx
Switch(config)# monitor session 1 source vlan 5 rx
Catalyst 3550 Multilayer Switch Command Reference
2-263
OL-8566-02