SPAN Configuration

1. Configuring Local SPAN (Cisco Switch)

Here’s an example of how a local SPAN can be configured on a Cisco switch:

Switch#configure terminal
Switch(config)#monitor session 1 source interface ethernet0/1 - 3
Switch(config)#monitor session 1 destination interface ethernet1/0
Switch(config)#end

Switch#show monitor session 1
Session 1
---------
Type : Local Session
Source Ports :
Both : Et0/1-3
Destination Ports : Et1/0
Encapsulation : Native
  • In this configuration:
    • monitor session 1 source interface ethernet0/1 - 3 specifies that traffic on ports ethernet0/1 through ethernet0/3 is the source to be mirrored.
    • monitor session 1 destination interface ethernet1/0 sets port ethernet1/0 as the destination for mirrored traffic.
  • You can also specify VLANs as sources, or add rx, tx, or both to the source command to set the traffic direction.

2. Configuring Remote SPAN (Cisco Switch)

Remote SPAN (RSPAN) extends the capabilities of SPAN by allowing mirrored traffic to be monitored across multiple switches within the same Layer 2 network. RSPAN achieves this by using a special VLAN (RSPAN VLAN) to carry mirrored traffic from a source switch to a destination switch, enabling centralized monitoring.

Here’s a step-by-step guide to configuring RSPAN on Cisco switches:

Prerequisites

  1. Ensure both the source and destination switches support RSPAN.
  2. The RSPAN VLAN needs to be allowed on the trunk links connecting the source and destination switches.
  3. All participating switches should have the RSPAN VLAN configured and active in the VLAN database.

Steps to Configure RSPAN

Step 1: Create an RSPAN VLAN on All Switches

The RSPAN VLAN is a dedicated VLAN used to carry the mirrored traffic between switches. Configure it on each switch that will participate in the RSPAN session.


SW1(config)#vlan 100
SW1(config-vlan)#name RSPAN
SW1(config-vlan)#remote-span
SW1(config-vlan)#exit
SW2(config)#vlan 100
SW2(config-vlan)#name RSPAN
SW2(config-vlan)#remote-span
SW2(config-vlan)#exit
  • Replace 100 with the VLAN ID you’re using for RSPAN.
  • The remote-span command specifies that this VLAN will be used for RSPAN traffic.
  • Repeat this step on each switch in the path between the source and destination.

Step 2: Configure the Source Session on the Source Switch

Identify the source ports or VLANs from which you want to capture traffic and configure the RSPAN source session.

SW1(config)#monitor session 1 source interface ethernet0/1 - 2
SW1(config)#monitor session 1 destination remote vlan 100
SW1(config)#exit
  • source interface ethernet0/1 - 2 specifies the interfaces from which traffic will be mirrored.
  • destination remote vlan 100 specifies that the traffic will be sent to VLAN 100 (the RSPAN VLAN).
  • You can also configure multiple source interfaces or entire VLANs as sources if needed.

Step 3: Allow the RSPAN VLAN on Trunk Ports

The RSPAN VLAN must be allowed on the trunk ports that connect the switches participating in the RSPAN session. This ensures that mirrored traffic can traverse from the source switch to the destination switch.

SW1(config)#interface ethernet0/0
SW1(config-if)#switchport trunk allowed vlan add 100
SW1(config-if)#exit
SW2(config)#interface ethernet0/0
SW2(config-if)#switchport trunk allowed vlan add 100
SW2(config-if)#exit
  • Replace ethernet0/0 with the trunk interface connecting to the next switch.
  • Repeat this step for all trunk ports on each switch along the path.

Step 4: Configure the Destination Session on the Destination Switch

On the destination switch, configure a session to receive traffic from the RSPAN VLAN. The destination port is typically connected to the monitoring device (e.g., a computer running Wireshark).

SW2(config)#monitor session 1 source remote vlan 100
SW2(config)#monitor session 1 destination interface ethernet0/2
  • source remote vlan 100 specifies that the RSPAN VLAN (100) is the source for this session.
  • destination interface ethernet0/2 sets ethernet0/2 as the port where the mirrored traffic will be output for monitoring.

Step 5: Verify the RSPAN Configuration

Use the following command to verify that the RSPAN session is correctly configured on both the source and destination switches.

SW1#show monitor session 1
Session 1
---------
Type : Remote Source Session
Source Ports :
Both : Et0/1-2
Dest RSPAN VLAN : 100

This command displays details about the SPAN or RSPAN session, including source and destination ports, VLANs, and traffic direction (Tx, Rx, or both).
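
Added example (not part of the original article): a Python audit that parses show monitor session output in the format shown for the local SPAN and RSPAN sessions above and compares it with an approved baseline, so an unexpected or altered mirror session is reported. The baseline values come from the Step 5 output; the function names, BASELINE_SW1 and the drifted sample output are assumptions constructed for this example.

```python
import re

def parse_monitor_sessions(text):
    """Parse 'show monitor session' output into {session_number: {label: value}}."""
    sessions, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"Session (\d+)", line)
        if header:
            current = sessions.setdefault(int(header.group(1)), {})
        elif current is not None and ":" in line:
            label, _, value = line.partition(":")
            current[label.strip()] = value.strip()
    return sessions

def audit_sessions(sessions, baseline):
    """Compare parsed sessions with an approved baseline and return findings."""
    findings = []
    for number in sorted(set(sessions) | set(baseline)):
        if number not in baseline:
            findings.append(f"session {number}: not in approved baseline")
        elif number not in sessions:
            findings.append(f"session {number}: approved but not configured")
        else:
            for label, want in baseline[number].items():
                got = sessions[number].get(label)
                if got != want:
                    findings.append(f"session {number}: {label} is {got!r}, expected {want!r}")
    return findings

# Approved state for SW1, taken from the RSPAN source session shown in Step 5.
BASELINE_SW1 = {1: {"Type": "Remote Source Session", "Both": "Et0/1-2", "Dest RSPAN VLAN": "100"}}
# Constructed sample: session 1 mirrors an extra port, session 2 is unexpected.
DRIFTED_OUTPUT = """\
Session 1
---------
Type : Remote Source Session
Source Ports :
Both : Et0/1-3
Dest RSPAN VLAN : 100
Session 2
---------
Type : Local Session
Source Ports :
Both : Et0/0
Destination Ports : Et1/0
"""
if __name__ == "__main__":
    print("\n".join(audit_sessions(parse_monitor_sessions(DRIFTED_OUTPUT), BASELINE_SW1)))
```

Feed it the text captured from show monitor session on each switch, with one baseline per switch.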

Example Topology Summary

  • Source Switch (Switch A):
    • Configure RSPAN VLAN (e.g., VLAN 100).
    • Set source interface(s) and configure RSPAN VLAN as the destination.
  • Intermediate Switch (Switch B):
    • Create and allow the RSPAN VLAN on trunk ports.
  • Destination Switch (Switch C):
    • Configure RSPAN VLAN and set RSPAN VLAN as the source.
    • Set a local interface as the destination port for mirrored traffic.

Notes

  • RSPAN VLAN Configuration: All switches in the path must have the RSPAN VLAN created and set as a remote-span VLAN.
  • Performance Impact: Be mindful of traffic volume on the RSPAN VLAN, as excessive mirroring can impact performance, especially if high-traffic source ports are mirrored.
  • Traffic Direction: If you need only ingress or egress traffic, specify the direction on the source configuration to reduce bandwidth use.

By following these steps, you can successfully configure RSPAN to monitor traffic across multiple switches in your network.
