Home > SPAN Questions

SPAN Questions

September 6th, 2017 in SWITCH 300-115 Go to comments

Question 1

Explanation

We can add the “monitor session 1 filter vlan 10” command to limit monitored trafic from VLAN 10 only.

Question 2

Explanation

The network engineer is connecting to the Distribution switch but he wants to monitor an access switch -> remote SPAN must be used. An example of configuring remote SPAN which uses vlan 40 is shown below:

Access-Switch(config)# monitor session 1 source interface FastEthernet 0/1
Access-Switch(config)# monitor session 1 destination remote vlan 40
Distribution-Switch(config)#monitor session 2 source remote vlan 40
Distribution-Switch(config)# monitor session 2 destination interface FastEthernet 0/5

Question 3

Explanation

This command limits the monitored trafic on VLAN 1 to 8, 39, 52 only

Question 4

Explanation

From the output we see the status of gi0/12 is “monitoring”. It means this port is currently the destination of a SPAN session.

Question 5

Explanation

This is how to configure Remote SPAN (RSPAN) feature on two switches. Traffic on FastEthernet0/1 of Switch 1 will be sent to Fa0/10 of Switch2 via VLAN 40.

+ Configure on both switches
Switch1,2(config)#vlan 40
Switch1,2(config-vlan)#remote-span
+ Configure on Switch1
Switch1(config)# monitor session 1 source interface FastEthernet 0/1
Switch1(config)# monitor session 1 destination remote vlan 40
+ Configure on Switch2
Switch2(config)#monitor session 5 source remote vlan 40
Switch2(config)# monitor session 5 destination interface FastEthernet 0/10

So without the command “remote-span” on both switches, RSPAN cannot works properly.

Question 6

Explanation

The first command points out the source interface and the direction to be monitored, which is Gi0/4 and inbound traffic (rx) in this case. The second command tells our device to monitor only VLAN 3 running on Gi0/4 (notice that Gi0/4 is a trunk link). The last command requests monitored traffic to be sent to the destination port Gi0/5.

Question 7

Explanation

A source port can be monitored by some SPAN sessions but a destination port can be used for one session only. A destination port or a reflector port does not participate in STP while its SPAN session is active.

For more limitations of configuring SPAN please visit this link: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_nx_os_cg/sm_14span.html#wp1239658

Question 8

Explanation

From the outputs we learn that the SPAN session 1 is incomplete because only source port is configured:

monitor session 1 source remote vlan 50

-> It needs to specify the destination port

while SPAN session 2 is configured correctly with source and destination ports:

monitor session 2 source interface fa0/14 (both)
monitor session 2 destination interface fa0/15

Question 9

Question 10

Question 11

Comments
  1. Aditya
    August 26th, 2015

    @ferry…Q1–(tricky)–d is incorrect because making source vlan 10 will cause all vlan 10 traffic which could be on other ports as well to be mirrored..Q specifies “VLAN 10 on the GigabitEthernet0/1 port”

  2. ccnp
    January 3rd, 2016

    Hi Guys,
    Me too, I don’t understand the answer for Q4. why the port is down ?! Always the destination port for monitoring remain down ?!

  3. jboy
    January 3rd, 2016

    @ccnp

    source: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10570-41.html

    SPAN Destination Port Up/Down

    When ports are spanned for monitoring, the port state shows as UP/DOWN.
    When you configure a SPAN session to monitor the port, the destination interface shows the state down (monitoring), by design. The interface shows the port in this state in order to make it evident that the port is currently not usable as a production port. The port as up/down monitoring is normal.

    A network engineer investigates a recent network failure and notices that one of the interfaces on the switch is still down. What is causing the line protocol on this interface to be shown as down?
    A. There is a layer 1 physical issue.
    B. There is a speed mismatch on the interface.
    C. The interface is configured as the target of the SPAN session.
    D. The interface is configured as the source of the SPAN session.
    E. There is a duplex mismatch on the interface.

  4. ccnp
    January 3rd, 2016

    @jboy
    thanks you very much :)

  5. poomsa
    January 6th, 2016

    Are these questions still valid ? i heard they have changed the questions anyone can confirm please?

  6. Jovin
    February 9th, 2016

    They have changed the pattern, I attended exam without reading book, and ended up with 711. Please read the book completely. Few questions I will share here.

    1. Minimum Number of DHCP Snooping binding – Hopefully 8000
    2. IP Source Gusrd works with which layer – Hopefully Layer 3
    3. SPAN and RSPAN based questions, scenario based
    4. Etherchannel Load balancing – with requirements of source/destination mac or ip or port

    etc etc.,

  7. wmohammad
    March 5th, 2016

    Hi guys,
    I have scheduled my exam on next Wensda, 09/03.
    I got the “SWITCH_July_2015” dumb

    is this the latest dumb ?

  8. CLE
    March 10th, 2016

    Hi all,

    Can someone send me the latest switch dump to “dooeebear” at hotmail dot com.

  9. Kangas
    June 5th, 2016

    @Veritrini because for that Rspan session 1 it only has source and no destination monitoring. hope it makes sence….

  10. GAlarcon
    July 22nd, 2016

    @perplexed, i agree with you about it of Q2, everything be on DSW….is not necessary make set up on the Access Sw.

    Q2:
    If I have to monitor an interface that is ON the Distribution Switch (connected to the Access Switch, but still on the DSW) and I’m sending the traffic out through another interface of the same switch, why do I need Remote SPAN?
    It’s all on DSW.

  11. fred
    August 30th, 2016

    Q1:

    interface GigabitEthernet0/48
    switchport
    switchport mode access

    For this question, if G0/48 is an access port, and not a trunk – it can only be associated with a single VLAN.

    Why is A not also a correct answer?

  12. z3r0
    September 25th, 2016

    An access switch has been configured with an EtherChannel port. After configuring SPAN to
    monitor this port, the network administrator notices that not all traffic is being replicated to the
    management server. What is a cause for this issue?
    A. VLAN filters are required to ensure traffic mirrors effectively.
    B. SPAN encapsulation replication must be enabled to capture EtherChannel destination traffic.
    C. The port channel can be used as a SPAN source, but not a destination.
    D. RSPAN must be used to capture EtherChannel bidirectional traffic.

    Answer correct is B

    The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP). However, when you enter the encapsulation replicate keywords when configuring a destination port, these changes occur:

    •Packets are sent on the destination port with the same encapsulation—untagged, Inter-Switch Link (ISL), or IEEE 802.1Q—that they had on the source port.

    •Packets of all types, including BPDU and Layer 2 protocol packets, are monitored.

    Therefore, a local SPAN session with encapsulation replicate enabled can have a mixture of untagged, ISL, and IEEE 802.1Q tagged packets appear on the destination port.

    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_52_se/configuration/guide/3750scg/swspan.html

  1. No trackbacks yet.