1
00:00:00,900 --> 00:00:08,220
So that was an example of basic SPAN, there are multiple options when you configure SPAN, so let's remove

2
00:00:08,220 --> 00:00:09,180
our current session

3
00:00:11,190 --> 00:00:20,370
and then specify monitor session. Let's create a new one of one source port is going to be interface

4
00:00:21,450 --> 00:00:22,240
FastEthernet

5
00:00:23,190 --> 00:00:30,900
103 in this example, and I'm only going to do receiving of traffic.

6
00:00:33,050 --> 00:00:34,850
One intersession destination,

7
00:00:37,750 --> 00:00:40,330
interface 105

8
00:00:44,310 --> 00:00:47,820
rather 105 and hit enter.

9
00:00:48,440 --> 00:00:57,860
Now I purposely am only creating one session with the same number to keep it simple, but be aware

10
00:00:57,860 --> 00:01:00,650
that you can create multiple SPAN sessions.

11
00:01:01,460 --> 00:01:08,930
There are some dependencies and rules with regards to SPAN, a SPAN destination port can only be used with

12
00:01:08,930 --> 00:01:10,820
one SPAN session at a time.

13
00:01:11,510 --> 00:01:16,100
A SPAN destination port can also not be a SPAN source port.

14
00:01:16,670 --> 00:01:19,580
When you create a SPAN destination port

15
00:01:19,580 --> 00:01:23,750
the switch no longer treats that port as a standard Ethernet port.

16
00:01:24,140 --> 00:01:30,380
As I demonstrated, MAC addresses are not learned on that port and traffic received on that port is

17
00:01:30,380 --> 00:01:32,210
not accepted by default.

18
00:01:32,930 --> 00:01:41,450
You can remove a SPAN destination port by using the no monitor session and a number and the destination

19
00:01:41,450 --> 00:01:45,520
interface and then add it to a different monitor session.

20
00:01:45,860 --> 00:01:48,770
So in other words, you can move it from one session to another.

21
00:01:49,490 --> 00:01:53,210
Multiple SPAN sources can be used within a single SPAN session.

22
00:01:53,960 --> 00:02:01,070
One SPAN session cannot mix interfaces and VLAN sources, so you must either look at multiple interfaces

23
00:02:01,280 --> 00:02:03,080
or multiple VLANs.

24
00:02:03,920 --> 00:02:07,360
One SPAN session can use any combination of directions.

25
00:02:07,360 --> 00:02:09,560
So transmit, receive or both.

26
00:02:10,250 --> 00:02:16,130
EtherChannel can be used as a source port in port monitoring or SPAN.

27
00:02:16,880 --> 00:02:19,930
Trunks can also be used as source ports if required.

28
00:02:20,630 --> 00:02:28,220
So in this example, we've only got a single interface, but we could change that to FastEthernet

29
00:02:28,220 --> 00:02:34,310
103 and then specify a range of interfaces if required.

30
00:02:35,000 --> 00:02:37,700
So let's say 101

31
00:02:39,180 --> 00:02:43,830
and in typical Cisco fashion, the command is different here to other commands.

32
00:02:44,900 --> 00:02:52,310
So I'll do receive on both those interfaces, so do show run pipe include monitor or in our example

33
00:02:52,320 --> 00:02:59,330
SPAN ports, we're going to look at traffic received on 101 as well as 103.

34
00:03:00,280 --> 00:03:02,920
So I'll restart the Wireshark capture.

35
00:03:03,900 --> 00:03:12,300
On router 1, I'm going to send a single ping to router 2 what you'll notice, even though we're only

36
00:03:12,300 --> 00:03:19,100
looking at receiving of traffic, we captured both ping, echo as well as echo reply.

37
00:03:19,590 --> 00:03:26,640
So the echo would have been received on this port when router 1 transmitted traffic to router 2 and

38
00:03:26,640 --> 00:03:29,510
the echo reply would have been received on this port.

39
00:03:30,060 --> 00:03:34,200
So hence we received both the echo and echo reply.

40
00:03:34,980 --> 00:03:41,820
If we had only configured this port, we would only have received the echo and not the echo reply.

41
00:03:42,570 --> 00:03:44,400
So let's do that.

42
00:03:44,410 --> 00:03:46,710
So no monitor session 1,

43
00:03:51,340 --> 00:03:58,930
we're only going to capture the traffic received on this port and then we'll send it out of port 10

44
00:03:58,930 --> 00:03:59,380
5.

45
00:04:00,720 --> 00:04:03,270
So now when I clear the session

46
00:04:04,460 --> 00:04:05,540
and do a ping.

47
00:04:06,690 --> 00:04:09,210
Notice we only receive half the traffic.

48
00:04:10,480 --> 00:04:16,690
So be careful which ports are the source of your capture and be careful of the direction of traffic,

49
00:04:17,230 --> 00:04:20,110
both will allow you to capture traffic in and out of that port,

50
00:04:20,589 --> 00:04:25,750
receive is only traffic received on that port, transmit is traffic sent out of that port.

51
00:04:27,200 --> 00:04:32,960
You could, as an example, capture on the VLAN, so let's get rid of session 1

52
00:04:34,380 --> 00:04:38,550
and what I'll do is say VLAN 1

53
00:04:40,280 --> 00:04:41,480
received traffic

54
00:04:42,390 --> 00:04:44,940
and the destination will be port 5,

55
00:04:46,490 --> 00:04:48,470
I'll clear the Wireshark capture

56
00:04:51,310 --> 00:04:59,020
and do a single ping again and notice here we see both the echo and echo reply message, so there's

57
00:04:59,020 --> 00:04:59,950
echo reply,

58
00:05:01,000 --> 00:05:02,350
here's echo request

59
00:05:03,690 --> 00:05:11,730
because this port and this port on VLAN 1, this port 102 is actually shut down in this

60
00:05:11,730 --> 00:05:12,390
topology.

61
00:05:13,380 --> 00:05:16,950
So we could delete that port from the topology.

62
00:05:18,270 --> 00:05:20,790
So show commands again, show the monitor.

63
00:05:21,540 --> 00:05:24,020
We can see that we've got one session enabled.

64
00:05:24,720 --> 00:05:25,860
It's a local session.

65
00:05:26,370 --> 00:05:31,400
We were receiving traffic on VLAN 1 destination port is 105.

66
00:05:32,250 --> 00:05:35,520
We're using a native encapsulation and ingress is disabled,

67
00:05:36,000 --> 00:05:37,670
so traffic will be dropped

68
00:05:38,220 --> 00:05:39,660
that's received on this port.

69
00:05:41,390 --> 00:05:44,210
We can also look at detailed information.

70
00:05:46,590 --> 00:05:47,790
So it's a local session.

71
00:05:49,170 --> 00:05:50,850
There are no source ports configured.

72
00:05:51,820 --> 00:05:55,660
We only have a source VLAN configured

73
00:05:56,540 --> 00:06:03,470
and we're capturing traffic received on VLAN 1 not transmitted on VLAN 1 a remote SPAN session

74
00:06:03,470 --> 00:06:04,460
is not configured,

75
00:06:04,940 --> 00:06:09,410
the destination port for the SPAN session is 105,

76
00:06:11,150 --> 00:06:12,860
other options are not configured.

77
00:06:14,710 --> 00:06:20,110
So let's have a look at some of the options, show, monitor session

78
00:06:21,490 --> 00:06:29,890
all at the moment, no SPAN configuration is present on the system, we can look at local SPAN, we

79
00:06:29,890 --> 00:06:38,130
can even look at remote SPAN, remote SPAN is used where you have a different source and destination switch.

80
00:06:38,860 --> 00:06:45,250
So the source port could be this port on switch 2 and the destination could be this port on switch

81
00:06:45,250 --> 00:06:45,620
1.

82
00:06:46,030 --> 00:06:53,740
So traffic will be captured on this port and sent to the capturing device on this switch,

83
00:06:53,860 --> 00:06:54,520
switch 1.

84
00:06:55,480 --> 00:07:05,830
So I'll configure a monitor session, so monitor session, pick a number like 1, source interface Fast

85
00:07:05,830 --> 00:07:08,200
Ethernet 101.

86
00:07:08,890 --> 00:07:15,580
The destination in our example is going to be 105.

87
00:07:16,930 --> 00:07:19,990
So do show run, pipe include monitor.

88
00:07:21,440 --> 00:07:30,080
That's what we've done if we try to configure another session using the same destination port of interface,

89
00:07:31,430 --> 00:07:40,250
f105 notice, we're told that, that port is already being used, so we configured this port

90
00:07:40,250 --> 00:07:47,810
as the destination of session 1, we can't now configure it to be the destination for session 2

91
00:07:48,290 --> 00:07:54,450
but we could, as an example, configure session 2 and specify a different source.

92
00:07:54,620 --> 00:07:55,400
So 1

93
00:07:57,450 --> 00:08:03,720
01 as an example, so do show run, pipe include monitor.

94
00:08:05,250 --> 00:08:11,280
We've got two sources configured, but only one destination, so show

95
00:08:12,680 --> 00:08:14,750
monitor session all.

96
00:08:15,980 --> 00:08:21,930
We've got session 1 configured and session 2 configured, but only session 1 is configured with

97
00:08:21,950 --> 00:08:22,640
the destination

98
00:08:22,640 --> 00:08:25,270
port session 2 is not currently being used.

99
00:08:26,330 --> 00:08:33,860
On our Wireshark device, we should be able to capture traffic from router 1 to router 2 which we can.

100
00:08:34,100 --> 00:08:39,230
So unicast traffic sent from router 1 to router 2 is being forwarded out of this port

101
00:08:40,710 --> 00:08:42,929
because of this monitoring session.

102
00:08:43,900 --> 00:08:51,550
Traffic sent and received on F1/1 is going to be sent out of 105

103
00:08:52,590 --> 00:08:58,440
and hence, we see the ICMP echo request and echo reply messages.

104
00:09:02,280 --> 00:09:09,120
Now, there's nothing stopping us moving the destination port from one session to another, so we could

105
00:09:09,600 --> 00:09:11,430
put a no in front of that command.

106
00:09:13,910 --> 00:09:17,250
We'll now move it to session 2, so that's accepted.

107
00:09:18,050 --> 00:09:23,660
So what we've done now is move the destination port from session 1 to session 2.

108
00:09:24,730 --> 00:09:29,530
I'll clear that Wireshark capture do the ping again

109
00:09:31,340 --> 00:09:37,940
and notice we're capturing the traffic because we are capturing similar kind of traffic, but in a different

110
00:09:37,940 --> 00:09:38,450
session.