Answers: Local SPAN 1

By certskills September 1, 2016 09:10

Configuring local SPAN does not take a lot of commands. The bigger danger is capturing too much, which risks losing some of the messages and also makes it more work to find the content that you want to see. As usual, for these config labs, start by doing the lab for yourself, then check back to this answer post for my suggested answer and some explanation.


Figure 1: Single Switch Topology for Local SPAN Configuration


Example 2: SW1 Config

monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet1/1



This lab gives you a primary and secondary goal for what you should capture. There are several ways to capture messages with SPAN to meet the primary goal, and of those, more than one answer would meet both the primary and secondary goals. This commentary works through some of those choices, and then looks specifically at the answer listed here.

First, SPAN can monitor frames being received on the switch port (that is, coming into the switch), frames being transmitted out the switch port, or frames in both directions. The source can be one (or more) individual ports, or it can reference a VLAN. If referencing a VLAN, the SPAN session performs the capture action for all ports in the VLAN (access ports and trunk ports that support that VLAN).

With the primary goal of capturing messages sent between PC1 and PC2, you have several options to meet that requirement:

  1. Capture all frames both sent and received on port G0/1 (PC1’s port) (as shown in the solution)
  2. Capture all frames both sent and received on port G0/2 (PC2’s port)
  3. Capture all frames sent in the VLAN (which includes all frames sent out ports G0/1 and G0/2)
  4. Capture all frames received in the VLAN (which includes all frames received in ports G0/1 and G0/2)
  5. Capture all frames received on both port G0/1 (which includes frames sent by PC2 to PC1) and frames received on port G0/2 (which includes frames sent by PC1 to PC2)
  6. As with the previous, but capture in the transmit direction

All of these options collect more frames than the frames requested in the primary requirement for this lab. The secondary goal then asks us to capture as few additional frames as possible. For instance, the options that capture all traffic in the VLAN capture frames sent and/or received on the ports connected to PC3 and PC4, and to router R1, none of which is necessary. So the options that use individual ports are better solutions.

The suggested answer captures messages that fit into these general descriptions:

Capture frames entering SW1’s G0/1 interface, which are all frames sent by PC1 (including frames sent by PC1 to PC2)

Capture frames exiting SW1’s G0/1 interface, which are all frames received by PC1 (including frames sent by PC2 to PC1)

As you can see from those descriptions, the configuration meets the primary requirement. It avoids capturing known unicast frames sent between PC2, PC3, PC4, and router R1, which reduces the number of frames captured. But it still captures some extra frames. For example, it would capture frames sent by PC1 to any other device.
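
The following model is an added example, not part of the original lab answer: it scores each of the six source options listed earlier against the primary goal and counts the extra known unicast frames each one would copy to the destination port. Assumptions: the ports for PC3, PC4, and R1 are hypothetical placeholders (only G0/1 and G0/2 come from the lab), all hosts share one VLAN, and the traffic is a constructed set with one frame per ordered host pair and no broadcast or flooded frames.

```python
from itertools import permutations

# Assumed port map: only G0/1 (PC1) and G0/2 (PC2) come from the lab text;
# the ports for PC3, PC4 and R1 are hypothetical placeholders.
PORT = {"PC1": "G0/1", "PC2": "G0/2", "PC3": "G0/3", "PC4": "G0/4", "R1": "G0/5"}
ALL_PORTS = set(PORT.values())

# Constructed traffic: one known unicast frame for every ordered host pair.
FRAMES = list(permutations(PORT, 2))
PRIMARY = {("PC1", "PC2"), ("PC2", "PC1")}

# The six source choices: (ports monitored on receive, ports monitored on transmit).
OPTIONS = {
    1: ({"G0/1"}, {"G0/1"}),          # both directions on PC1's port
    2: ({"G0/2"}, {"G0/2"}),          # both directions on PC2's port
    3: (set(), ALL_PORTS),            # VLAN source, transmit direction
    4: (ALL_PORTS, set()),            # VLAN source, receive direction
    5: ({"G0/1", "G0/2"}, set()),     # receive only on both ports
    6: (set(), {"G0/1", "G0/2"}),     # transmit only on both ports
}

def captured(rx_ports, tx_ports):
    """Distinct frames copied to the destination port: a frame matches if it
    enters the switch on an rx-monitored port or leaves on a tx-monitored port."""
    return {(src, dst) for src, dst in FRAMES
            if PORT[src] in rx_ports or PORT[dst] in tx_ports}

def evaluate(option):
    """Return (meets_primary_goal, number_of_extra_frames) for one option."""
    got = captured(*OPTIONS[option])
    return PRIMARY <= got, len(got - PRIMARY)

if __name__ == "__main__":
    for n in OPTIONS:
        ok, extra = evaluate(n)
        print(f"option {n}: primary goal met={ok}, extra frames={extra}")
```

With this uniform traffic set, the per-port options (1, 2, 5, and 6) tie on extra frames, while the VLAN-based options (3 and 4) copy every frame in the VLAN.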

Peter Arsenault
February 7, 2018 7:22 pm

If I capture frames in the rx direction only on both ports G0/1 and G0/2, is that capturing too many frames?

Peter Arsenault
Reply to  certskills
February 9, 2018 6:18 pm