Thursday 25 May 2023

What is Switch Port Analyzer SPAN, RSPAN? How to configure SPAN and RSPAN?

  What are SPAN and RSPAN?

Cisco Catalyst switches have a feature called SPAN (Switch Port Analyzer). It copies all traffic from a source port or source VLAN to a single destination interface. SPAN is sometimes referred to as session monitoring because of the commands used to configure it.

Switch Port Analyzer is useful for many applications:

  • SPAN is useful for data collection purposes.
  • You can use Wireshark to capture traffic from an interface that is connected to a workstation, server, phone, or anything else you want to sniff.
  • All traffic from a VoIP VLAN can be delivered to a single switch port so you can record the calls in a VoIP network.
  • Another common use of this feature is to feed traffic to an IDS/IPS.





A SPAN session source can be one or more ports, or VLANs, which gives us great flexibility in monitoring traffic. Transmitted traffic, received traffic, or both directions can be copied to the destination interface.

If the SPAN destination port is on the local (same) switch, we call this SPAN. If the SPAN destination is on a different switch, we call this remote SPAN or RSPAN.

In RSPAN, a specific VLAN needs to be configured across the entire switching path from the source port or VLAN to the RSPAN destination port to carry the traffic that you are copying, so the traffic can travel from the source switch to the destination switch. This requires that the RSPAN VLAN also be included in every trunk in that path.

 


 Restrictions of SPAN and RSPAN

  • The source can be any kind of interface (switch port, routed port, access port, trunk port, EtherChannel, etc.), but you can't mix interfaces and VLANs.
  • Do not overload an interface by mirroring an entire VLAN to it.
  • When you configure a destination interface (port), its previous configuration is overwritten. When you remove the SPAN configuration, the original configuration is restored.
  • Destination ports do not support any Layer 2 protocols such as STP, CDP, VTP, DTP, etc.
  • Destination ports do not support port security.
  • Destination ports do not support private VLANs.

 

 Let's configure SPAN with a source VLAN.


Topology: -




  • Configure the topology as per the diagram.
  • Assign the IP addresses to the ports as per the topology.
  • Configure a monitor session on the switch.
  • Configure fa0/2 to 5 as the source ports.
  • Test the lab.

  • Remove the configuration.
  • Configure the source VLAN.
  • Verify the lab.

  • Assign the IP addresses to the PCs:

:\>ipconfig

IP Address......................: 10.1.1.1

Subnet Mask.....................: 255.0.0.0

Default Gateway.................: 0.0.0.0


:\>ipconfig

IP Address......................: 10.1.1.2

Subnet Mask.....................: 255.0.0.0

Default Gateway.................: 0.0.0.0


:\>ipconfig

IP Address......................: 10.1.1.3

Subnet Mask.....................: 255.0.0.0

Default Gateway.................: 0.0.0.0


:\>ipconfig

IP Address......................: 10.1.1.4

Subnet Mask.....................: 255.0.0.0

Default Gateway.................: 0.0.0.0


Switch(config)#monitor session 1 source interface fastEthernet 0/2 - 5

Switch(config)#monitor session 1 destination interface fastEthernet 0/1


Switch#show monitor session 1

Session 1

---------

Type : Local Session

Description : -

Source Ports :

Both : Fa0/2,Fa0/3,Fa0/4,Fa0/5

Destination Ports : Fa0/1

Encapsulation : Native

Ingress : Disabled


Switch#show monitor detail

Session 1

---------

Type : Local Session

Description : -

Source Ports :

RX Only : None

TX Only : None

Both : Fa0/2,Fa0/3,Fa0/4,Fa0/5

Source VLANs :

RX Only : None

TX Only : None

Both : None

Source RSPAN VLAN : None

Destination Ports : Fa0/1

Encapsulation : Native

Ingress : Disabled

Filter VLANs : None

Dest RSPAN VLAN : None
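
A SPAN destination receives a copy of everything its sources carry, so it is worth checking where each session sends its copy. The following Python code is an added example, not part of the original lab: it parses output in the layout of show monitor detail and lists sessions whose destination port is not on an approved list of sensor ports. The sample text, session 2, port Fa0/7 and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of `show monitor detail`; session 2 and
# port Fa0/7 are invented for the demonstration.
SAMPLE = """\
Session 1
---------
Type : Local Session
Source Ports :
RX Only : None
TX Only : None
Both : Fa0/2,Fa0/3,Fa0/4,Fa0/5
Source VLANs :
Both : None
Destination Ports : Fa0/1
Session 2
---------
Type : Local Session
Source VLANs :
Both : 10
Destination Ports : Fa0/7
"""

def _items(value):
    """Split a comma-separated value; 'None' and '-' mean no entries."""
    return [] if value in ("None", "-") else [v.strip() for v in value.split(",")]

def parse_sessions(text):
    """Return {session_id: {field: [values]}} parsed from the command output."""
    sessions, cur, group = {}, None, None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"Session (\d+)", line)
        if m:
            cur, group = sessions.setdefault(int(m.group(1)), {}), None
        elif cur is not None and ":" in line:
            key, value = (p.strip() for p in line.split(":", 1))
            if key in ("RX Only", "TX Only", "Both") and group:
                cur.setdefault(group, []).extend(_items(value))
            elif not value:
                group = key  # "Source Ports :" opens a direction sub-block
            else:
                cur[key], group = _items(value), None
    return sessions

def unapproved_destinations(sessions, approved_ports):
    """List (session, port) pairs mirroring to a port outside the approved set."""
    return [(sid, port) for sid, s in sorted(sessions.items())
            for port in s.get("Destination Ports", []) if port not in approved_ports]
```

With Fa0/1 as the only approved sensor port, unapproved_destinations(parse_sessions(SAMPLE), {"Fa0/1"}) reports session 2 and Fa0/7.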



(Now generate some traffic using ping from PCs and then open our sniffer)









(As you can see, our sniffer received a copy of the data. Now we are going to monitor a VLAN.)


Switch(config)#vlan 10

Switch(config-vlan)#name SPAN-TEST

Switch(config-vlan)#

Switch(config-vlan)#EXIT



Switch(config)#monitor session 2 source vlan 10 both

Switch(config)#monitor session 2 destination interface fastEthernet 0/1

Switch(config)#exit


Switch#show monitor session 2

Session 2

---------

Type : Local Session

Description : -

Source VLANs :

Both : 10

Destination Ports : Fa0/1

Encapsulation : Native

Ingress : Disabled



(Generate some traffic using ping from PCs)







Now we are going to see how to configure RSPAN.


Topology 







SWITCH-1-(config)#VLAN 3

SWITCH-1-(config-vlan)#name RSPAN

SWITCH-1-(config-vlan)#remote-span

SWITCH-1-(config-vlan)#EXIT


SWITCH-1-(config)#monitor session 1 source interface fastEthernet 0/2 - 3

SWITCH-1-(config)#monitor session 1 destination remote vlan 3

SWITCH-1-(config)#end



SWITCH-1-(config)#interface fastEthernet 0/1

SWITCH-1-(config-if)#switchport trunk encapsulation dot1q

SWITCH-1-(config-if)#description trunk port

SWITCH-1-(config-if)#switchport trunk allowed vlan 3

SWITCH-1-(config-if)#switchport mode trunk

SWITCH-1-(config-if)#exit

SWITCH-1-(config)#end


SWITCH-1-#show monitor detail

Session 1

---------

Type : Remote Destination Session

Description : -

Source Ports :

RX Only : None

TX Only : None

Both : Fa0/2,Fa0/3

Source VLANs :

RX Only : None

TX Only : None

Both : None

Source RSPAN VLAN : None

Destination Ports : None

Encapsulation : Native

Ingress : Disabled

Filter VLANs : None

Dest RSPAN VLAN : 3




SWITCH-1-#show monitor

Session 1

---------

Type : Remote Destination Session

Description : -

Source Ports :

Both : Fa0/2,Fa0/3

Dest RSPAN VLAN : 3










SWITCH-2-(config)#VLAN 3

SWITCH-2-(config-vlan)#name RSPAN

SWITCH-2-(config-vlan)#remote-span

SWITCH-2-(config-vlan)#exit


SWITCH-2-(config)#monitor session 1 source remote vlan 3

SWITCH-2-(config)#monitor session 1 destination interface fastEthernet 0/2

SWITCH-2-(config)#exit


SWITCH-2-(config)#interface fastEthernet 0/1

SWITCH-2-(config-if)#switchport trunk encapsulation dot1q

SWITCH-2-(config-if)#switchport mode trunk

SWITCH-2-(config-if)#switchport trunk allowed vlan 3

SWITCH-2-(config-if)#exit

SWITCH-2-(config)#end


SWITCH-2-#show monitor

Session 1

---------

Type : Remote Source Session

Description : -

Source RSPAN VLAN : 3

Destination Ports : Fa0/2

Encapsulation : Native

Ingress : Disabled





(Generate some traffic with ping from PCs)
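
The RSPAN requirements described earlier (the VLAN is defined as an RSPAN VLAN on each switch and is carried on every trunk in the path) can be checked offline against saved configurations. This Python code is an added example, not part of the original lab; the config fragments and function names are constructed, and it assumes allowed-VLAN lists are plain numeric lists or "all".

```python
import re

# Constructed fragments in IOS running-config style (not taken from the lab).
# SWITCH-1 omits `remote-span`; SWITCH-2's trunk does not allow VLAN 3.
CONFIGS = {
    "SWITCH-1": """\
vlan 3
!
interface FastEthernet0/1
 switchport trunk allowed vlan 3
 switchport mode trunk
!
monitor session 1 destination remote vlan 3
""",
    "SWITCH-2": """\
vlan 3
 remote-span
!
interface FastEthernet0/1
 switchport trunk allowed vlan 1-2,10
 switchport mode trunk
!
monitor session 1 source remote vlan 3
""",
}

def stanzas(cfg):
    """Map each '!'-separated stanza header to its stripped child lines."""
    chunks = (c.strip().splitlines() for c in re.split(r"^!$", cfg, flags=re.M))
    return {c[0].strip(): [l.strip() for l in c[1:]] for c in chunks if c}

def vlan_allowed(vlan, spec):
    """True if vlan is inside an allowed list such as '1-2,10' (or 'all')."""
    ranges = (part.partition("-") for part in spec.split(","))
    return spec == "all" or any(int(lo) <= vlan <= int(hi or lo) for lo, _, hi in ranges)

def audit(configs):
    """Return (switch, finding) pairs for each RSPAN VLAN a monitor session uses."""
    findings = []
    for name, cfg in configs.items():
        parsed = stanzas(cfg)
        for vlan in {int(v) for v in re.findall(r"^monitor session \d+ .*remote vlan (\d+)", cfg, re.M)}:
            if "remote-span" not in parsed.get(f"vlan {vlan}", []):
                findings.append((name, f"vlan {vlan} lacks remote-span"))
            for hdr, body in parsed.items():
                spec = [l.split()[-1] for l in body if l.startswith("switchport trunk allowed vlan")]
                if "switchport mode trunk" in body and spec and not vlan_allowed(vlan, spec[0]):
                    findings.append((name, f"{hdr} does not allow vlan {vlan}"))
    return findings
```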




Thank you so much for visiting. Please visit our YouTube channel at https://youtu.be/D0t29ZdO09I







