SPAN and RSPAN Configuration Guide

Uploaded by

upendramax52

Cisco IOS SPAN and RSPAN

Cisco Catalyst Switches have a feature called SPAN (Switch Port Analyzer)
that lets you copy all traffic from a source port or source VLAN to a
destination interface. This is very useful for a number of reasons:

• If you want to use wireshark to capture traffic from an interface that is
  connected to a workstation, server, phone or anything else you want to
  sniff.
• Redirect all traffic from a VLAN to an IDS / IPS.
• Redirect all VoIP calls from a VLAN so you can record the calls.

The source can be an interface or a VLAN, the destination is an interface. You
can choose if you want to forward transmitted, received or both
directions to the destination interface.

When the destination interface is on the same switch as the source we
call it SPAN; when the destination is a remote interface on another switch we
call it RSPAN (Remote SPAN). When using RSPAN you need to use a VLAN
for your RSPAN traffic so that traffic can travel from the source switch to the
destination switch.

When you use RSPAN you need to use a VLAN that carries the traffic that you
are copying. In the picture above you see SW1 which will copy the traffic from
the computer onto an “RSPAN VLAN”. SW2 doesn’t do anything with it while
SW3 receives the traffic and forwards it to a computer that has wireshark
running. Make sure the trunks between the switches allow the RSPAN
VLAN.
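
The trunk requirement above can be checked offline against saved configurations. This is an added example, not part of the original guide: the config fragments, the port names and the choice of VLAN 100 are constructed, and the check also looks for the `remote-span` declaration the guide uses in its RSPAN configuration section.

```python
import re

# Constructed config fragments for SW1-SW3; VLAN 100 as the RSPAN VLAN is an assumption.
CONFIGS = {
    "SW1": "vlan 100\n remote-span\ninterface Gi0/1\n switchport mode trunk\n",
    "SW2": ("vlan 100\n remote-span\n"
            "interface Gi0/1\n switchport mode trunk\n"
            " switchport trunk allowed vlan 1-50,99\n"
            "interface Gi0/2\n switchport mode trunk\n"),
    "SW3": ("vlan 100\n"
            "interface Gi0/1\n switchport mode trunk\n"
            " switchport trunk allowed vlan 10,90-110\n"),
}

def parse_vlan_list(text):
    """Expand a list such as '1-50,99' into a set of VLAN IDs."""
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def check_rspan(config, vlan):
    """Return the problems that stop `vlan` from carrying RSPAN traffic on one switch."""
    block, is_rspan, trunks, allowed = "", False, [], {}
    for line in config.splitlines():
        if not line.startswith(" "):            # an unindented line opens a new block
            block = line.strip().lower()
            continue
        cmd = line.strip().lower()
        if block == f"vlan {vlan}" and cmd == "remote-span":
            is_rspan = True
        elif block.startswith("interface ") and cmd == "switchport mode trunk":
            trunks.append(block)
        elif block.startswith("interface "):
            # Only the plain list form is handled, not add/remove/except/all/none.
            m = re.fullmatch(r"switchport trunk allowed vlan ([\d,\- ]+)", cmd)
            if m:
                allowed[block] = parse_vlan_list(m[1])
    problems = [] if is_rspan else [f"vlan {vlan} is not declared remote-span"]
    for port in trunks:
        # A trunk with no allowed list carries every VLAN by default.
        if port in allowed and vlan not in allowed[port]:
            problems.append(f"{port} does not allow vlan {vlan}")
    return problems

def audit_path(configs, vlan=100):
    """Run the check on every switch along the RSPAN path."""
    return {name: check_rspan(cfg, vlan) for name, cfg in configs.items()}
```
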

SPAN and RSPAN are great but there are a couple of things you need to keep
in mind…

Restrictions
Both SPAN and RSPAN have some restrictions, I’ll give you an overview of the
most important ones:

• The source interface can be anything…switchport, routed port, access
  port, trunk port, etherchannel, etc.
• When you configure a trunk as the source interface it will copy traffic
  from all VLANs, however there is an option to filter this.
• You can use multiple source interfaces or multiple VLANs, but you can’t
  mix interfaces and VLANs.
• It’s very simple to overload an interface. When you select an entire
  VLAN as the source and use a 100Mbit destination interface…it might
  be too much.
• When you configure a destination port you will “lose” its configuration.
  By default, the destination interface will only be used to forward SPAN
  traffic to. However, it can be configured to permit incoming traffic from
  a device that is connected to the destination interface.
• Layer 2 frames like CDP, VTP, DTP and spanning-tree BPDUs are not
  copied by default but you can tell SPAN/RSPAN to copy them anyway.

This should give you an idea of what SPAN / RSPAN are capable of. The
configuration is pretty straight-forward so let me give you some examples…

SPAN Configuration
Let’s start with a simple configuration. I will use the example I showed you
earlier:

Switch(config)#monitor session 1 source interface fa0/1

Switch(config)#monitor session 1 destination interface fa0/2

You can verify the configuration like this:

Switch#show monitor session 1
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Fa0/1
Destination Ports      : Fa0/2
    Encapsulation      : Native
          Ingress      : Disabled

As you can see, by default it will copy traffic that is transmitted and received
(both) to the destination port. If you only want to capture the traffic going in
one direction you have to specify it like this:

Switch(config)#monitor session 1 source interface fa0/1 ?
  ,     Specify another range of interfaces
  -     Specify a range of interfaces
  both  Monitor received and transmitted traffic
  rx    Monitor received traffic only
  tx    Monitor transmitted traffic only

Just add rx or tx and you are ready to go. If interface FastEthernet 0/1 were a
trunk you could add a filter to select the VLANs you want to forward:

Switch(config)#monitor session 1 filter vlan 1 - 100

The filter above will only forward VLANs 1 – 100 to the destination. If you don’t
want to use an interface as the source but a VLAN, you can do it like this:

Switch(config)#monitor session 2 source vlan 1

Switch(config)#monitor session 2 destination interface fa0/3

I am unable to use session 1 for this because I am already using source
interfaces for that session. It’s also impossible to use the same destination
interface for another session. This is why I created another session number
and picked FastEthernet 0/3 as a destination.
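
As an added example (not part of the original guide), the Python sketch below checks `monitor session` lines against two restrictions stated above: a session cannot mix interface and VLAN sources, and a destination interface cannot be shared between sessions. The sample config is constructed: sessions 1 and 2 follow the guide, while the Fa0/4 line and session 3 are made up to trigger both findings.

```python
import re
from collections import defaultdict

# Constructed sample: sessions 1 and 2 as configured in the guide,
# plus two deliberately broken additions (Fa0/4 source, session 3).
SAMPLE_CONFIG = """\
monitor session 1 source interface Fa0/1
monitor session 1 destination interface Fa0/2
monitor session 2 source vlan 1
monitor session 2 destination interface Fa0/3
monitor session 2 source interface Fa0/4
monitor session 3 source interface Fa0/5 rx
monitor session 3 destination interface Fa0/2
"""

LINE = re.compile(
    r"^monitor session (\d+) (source|destination) (interface|vlan) (\S+)", re.I)

def audit_span(config):
    """Return findings for the SPAN restrictions described in the text."""
    source_kinds = defaultdict(set)   # session -> {"interface", "vlan"}
    dest_owner = {}                   # destination port -> first session that claimed it
    findings = []
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:                     # filter lines and unrelated config are skipped
            continue
        session, role, kind, name = int(m[1]), m[2].lower(), m[3].lower(), m[4].lower()
        if role == "source":
            source_kinds[session].add(kind)
        elif kind == "interface":
            owner = dest_owner.setdefault(name, session)
            if owner != session:
                findings.append(
                    f"destination {name} used by sessions {owner} and {session}")
    for session, kinds in sorted(source_kinds.items()):
        if len(kinds) > 1:
            findings.append(f"session {session} mixes interface and VLAN sources")
    return findings

if __name__ == "__main__":
    for finding in audit_span(SAMPLE_CONFIG):
        print(finding)
```
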


So far so good? Let’s look at RSPAN!


RSPAN Configuration
To demonstrate RSPAN I will use a topology with two switches:

The idea is to forward traffic from FastEthernet 0/1 on SW1 to FastEthernet
0/1 on SW2. There are a couple of things we have to configure here:

SW1(config)#vlan 100

SW1(config-vlan)#remote-span

SW2(config)#vlan 100

SW2(config-vlan)#remote-span

First we need to create the VLAN and tell the switches that it’s an RSPAN VLAN.
This is something that is easily forgotten. Secondly we will configure the link
between the two switches as a trunk:
