Home > SPAN Questions

SPAN Questions

September 6th, 2017 in SWITCH 300-115 Go to comments

Question 1

Explanation

We can add the “monitor session 1 filter vlan 10” command to limit monitored trafic from VLAN 10 only.

Question 2

Explanation

The network engineer is connecting to the Distribution switch but he wants to monitor an access switch -> remote SPAN must be used. An example of configuring remote SPAN which uses vlan 40 is shown below:

Access-Switch(config)# monitor session 1 source interface FastEthernet 0/1
Access-Switch(config)# monitor session 1 destination remote vlan 40
Distribution-Switch(config)#monitor session 2 source remote vlan 40
Distribution-Switch(config)# monitor session 2 destination interface FastEthernet 0/5

Question 3

Explanation

This command limits the monitored trafic on VLAN 1 to 8, 39, 52 only

Question 4

Explanation

From the output we see the status of gi0/12 is “monitoring”. It means this port is currently the destination of a SPAN session.

Question 5

Explanation

This is how to configure Remote SPAN (RSPAN) feature on two switches. Traffic on FastEthernet0/1 of Switch 1 will be sent to Fa0/10 of Switch2 via VLAN 40.

+ Configure on both switches
Switch1,2(config)#vlan 40
Switch1,2(config-vlan)#remote-span
+ Configure on Switch1
Switch1(config)# monitor session 1 source interface FastEthernet 0/1
Switch1(config)# monitor session 1 destination remote vlan 40
+ Configure on Switch2
Switch2(config)#monitor session 5 source remote vlan 40
Switch2(config)# monitor session 5 destination interface FastEthernet 0/10

So without the command “remote-span” on both switches, RSPAN cannot works properly.

Question 6

Explanation

The first command points out the source interface and the direction to be monitored, which is Gi0/4 and inbound traffic (rx) in this case. The second command tells our device to monitor only VLAN 3 running on Gi0/4 (notice that Gi0/4 is a trunk link). The last command requests monitored traffic to be sent to the destination port Gi0/5.

Question 7

Explanation

A source port can be monitored by some SPAN sessions but a destination port can be used for one session only. A destination port or a reflector port does not participate in STP while its SPAN session is active.

For more limitations of configuring SPAN please visit this link: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_nx_os_cg/sm_14span.html#wp1239658

Question 8

Explanation

From the outputs we learn that the SPAN session 1 is incomplete because only source port is configured:

monitor session 1 source remote vlan 50

-> It needs to specify the destination port

while SPAN session 2 is configured correctly with source and destination ports:

monitor session 2 source interface fa0/14 (both)
monitor session 2 destination interface fa0/15

Question 9

Question 10

Question 11

Comments
  1. Aditya
    August 26th, 2015

    @ferry…Q1–(tricky)–d is incorrect because making source vlan 10 will cause all vlan 10 traffic which could be on other ports as well to be mirrored..Q specifies “VLAN 10 on the GigabitEthernet0/1 port”

  2. ccnp
    January 3rd, 2016

    Hi Guys,
    Me too, I don’t understand the answer for Q4. why the port is down ?! Always the destination port for monitoring remain down ?!

  3. jboy
    January 3rd, 2016

    @ccnp

    source: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10570-41.html

    SPAN Destination Port Up/Down

    When ports are spanned for monitoring, the port state shows as UP/DOWN.
    When you configure a SPAN session to monitor the port, the destination interface shows the state down (monitoring), by design. The interface shows the port in this state in order to make it evident that the port is currently not usable as a production port. The port as up/down monitoring is normal.

    A network engineer investigates a recent network failure and notices that one of the interfaces on the switch is still down. What is causing the line protocol on this interface to be shown as down?
    A. There is a layer 1 physical issue.
    B. There is a speed mismatch on the interface.
    C. The interface is configured as the target of the SPAN session.
    D. The interface is configured as the source of the SPAN session.
    E. There is a duplex mismatch on the interface.

  4. ccnp
    January 3rd, 2016

    @jboy
    thanks you very much :)

  5. poomsa
    January 6th, 2016

    Are these questions still valid ? i heard they have changed the questions anyone can confirm please?

  6. Jovin
    February 9th, 2016

    They have changed the pattern, I attended exam without reading book, and ended up with 711. Please read the book completely. Few questions I will share here.

    1. Minimum Number of DHCP Snooping binding – Hopefully 8000
    2. IP Source Gusrd works with which layer – Hopefully Layer 3
    3. SPAN and RSPAN based questions, scenario based
    4. Etherchannel Load balancing – with requirements of source/destination mac or ip or port

    etc etc.,

  7. wmohammad
    March 5th, 2016

    Hi guys,
    I have scheduled my exam on next Wensda, 09/03.
    I got the “SWITCH_July_2015” dumb

    is this the latest dumb ?

  8. CLE
    March 10th, 2016

    Hi all,

    Can someone send me the latest switch dump to “dooeebear” at hotmail dot com.

  9. Kangas
    June 5th, 2016

    @Veritrini because for that Rspan session 1 it only has source and no destination monitoring. hope it makes sence….

  10. GAlarcon
    July 22nd, 2016

    @perplexed, i agree with you about it of Q2, everything be on DSW….is not necessary make set up on the Access Sw.

    Q2:
    If I have to monitor an interface that is ON the Distribution Switch (connected to the Access Switch, but still on the DSW) and I’m sending the traffic out through another interface of the same switch, why do I need Remote SPAN?
    It’s all on DSW.

  11. fred
    August 30th, 2016

    Q1:

    interface GigabitEthernet0/48
    switchport
    switchport mode access

    For this question, if G0/48 is an access port, and not a trunk – it can only be associated with a single VLAN.

    Why is A not also a correct answer?

  12. z3r0
    September 25th, 2016

    An access switch has been configured with an EtherChannel port. After configuring SPAN to
    monitor this port, the network administrator notices that not all traffic is being replicated to the
    management server. What is a cause for this issue?
    A. VLAN filters are required to ensure traffic mirrors effectively.
    B. SPAN encapsulation replication must be enabled to capture EtherChannel destination traffic.
    C. The port channel can be used as a SPAN source, but not a destination.
    D. RSPAN must be used to capture EtherChannel bidirectional traffic.

    Answer correct is B

    The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP). However, when you enter the encapsulation replicate keywords when configuring a destination port, these changes occur:

    •Packets are sent on the destination port with the same encapsulation—untagged, Inter-Switch Link (ISL), or IEEE 802.1Q—that they had on the source port.

    •Packets of all types, including BPDU and Layer 2 protocol packets, are monitored.

    Therefore, a local SPAN session with encapsulation replicate enabled can have a mixture of untagged, ISL, and IEEE 802.1Q tagged packets appear on the destination port.

    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_52_se/configuration/guide/3750scg/swspan.html

  13. Rizy22
    October 19th, 2017

    IP source guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from
    impersonating a legitimate host by assuming the legitimate host’s IP address. The feature uses dynamic
    DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access
    ports.

  14. Switch
    December 21st, 2017

    I agree with z3ro. In that question no one mentions that the EtherChannel is the destination. It says “After configuring SPAN to monitor this port” so looks like Etherchannel is the source.

  15. Marcus
    December 21st, 2017

    Why answer E (You can mix individual source ports and source VLANs within a single session) is not correct in Q7?

    “A single SPAN session can include mixed sources in any combination of Ethernet ports, VLANs, or the inband interface to the control plane CPU.”

    https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_nx_os_cg/sm_14span.html#wp1239658

  16. Lunchi
    January 15th, 2018

    @FYI thanks for the links.

    Congratulations on clearing your exam.

  17. Lunchi
    January 15th, 2018

    What is correct answer for below question ? Why ?

    Question about the difference between RSPAN and SPAN.
    A. Monitor port
    B. access port
    C. forwarding Port
    D. destination port

    Answer: A

  18. Lunchi
    January 15th, 2018

    info regarding q 7

    copied from cisco switch book

    The SPAN source must be a physical switch interface or a Layer 2 VLAN, not a logical VLAN interface or SVI.
    However, you cannot mix both interfaces and VLANs in the same SPAN session. Instead,
    you can create separate sessions to monitor each type of source.

  19. Khan
    January 19th, 2018

    Hello Everyone

  20. 1WAY
    February 14th, 2018

    Q10. This is a new question but does anyone have a clue what it’s trying to ask?

  21. Archangel
    March 3rd, 2018

    Q10 asking about difference between RSPAN and SPAN, so turning point is which source port need to monitor, whether it is local port or remote port. so best match is ANS – A

  22. Raito
    June 9th, 2018

    @Archangel:

    Seems like a legit answer, but couldn’t I use the same logic and say: In SPAN the destination port is local, in RSPAN the destination port is on a remote switch => D is the answer

  23. Insence8
    August 13th, 2018

    @GAlarcon If the Q2 you mean is this:
    A network engineer wants to analyze all incoming and outgoing packets for an interface
    that is connected to an access switch. Which three items must be configured to mirror
    traffic to a packet sniffer that is connected to the distribution switch? (Choose three.)

    I agree, its all on DSW1, but the question require three answers, so we have to adjust to it. And only theres only 3 (BCD in my case) combination will work correctly.

    Wdyt?

  24. RED1
    August 15th, 2018

    Q.10 the destination port in SPAN is local to the switch, but on RSPAN it is not, it is on another switch.
    I think that D.Destination port seems to be a better choice than A.Monitor port.
    The source port is called monitored port, the destination port is called monitoring port.
    But Monitor Port??? what does it mean???

  25. Anonymous
    August 15th, 2018

    To Z3RO:
    There are two correct sentences:
    It is true that etherchannel cannot be a destination.
    But in the question they said this:

    1- An access switch has been configured with an EtherChannel port. After configuring SPAN to
    monitor this port.
    So here we can understand that the Etherchannel is the source (to monitor this port).

    2- the network administrator notices that not all traffic is being replicated to the
    management server. What is a cause for this issue?

    So here we can understand that it works, but not all trafic is captured,
    It works, that means it works as the default configuration capabilities (Tagued frames are modified by removing the tag part, and, add to this, traffic like STP, CDP, … is not monitored).

    With this command:
    monitor session 1 destination interface Gi0/0 encapsulation replicate

    Tagued frames remain untagued when monitoring, and trafic like STP, CDP, LACP, PAGP… is replicated (monitored).

    The best choice is
    B.SPAN encapsulation replication must be enabled to capture EtherChannel destination traffic.

  26. RED1
    August 15th, 2018

    To Anonymous August 15th, 2018

    Good explanation, just when you said:
    With this command:
    monitor session 1 destination interface Gi0/0 encapsulation replicate
    Tagued frames remain untagued when monitoring, and trafic like STP, CDP, LACP, PAGP… is replicated (monitored).

    I think that you did a mistake, whith this command, taggued traffic remain tagued.

    ;)

  27. Anonymous
    August 15th, 2018

    Yes it is a mistake, thank you, sory:

    Pay attention the encapsulation replication goal is to capture traffic as it is in origin, even if we have QinQ frame, it remain double taggued.

  1. No trackbacks yet.