
Thursday, 25 May 2023

What is Switch Port Analyzer SPAN, RSPAN? How to configure SPAN and RSPAN?

  What are SPAN and RSPAN?

Cisco Catalyst switches have a feature called SPAN (Switch Port Analyzer). This feature copies all traffic from a source port or source VLAN to a single destination interface. SPAN is sometimes referred to as session monitoring because of the commands used to configure it.

Switch Port Analyzer is useful for many applications:

  • SPAN is useful for data collection purposes.
  • You can use Wireshark to capture traffic from an interface that is connected to a workstation, server, phone, or anything else you want to sniff.
  • All traffic from a VoIP VLAN can be delivered to a single switch port so you can record the calls in a VoIP network.
  • Another common use of this feature is to feed traffic to an IDS/IPS.





A SPAN session source can be one or more ports or a VLAN, which gives us great flexibility in monitoring traffic. We can copy transmitted traffic, received traffic, or both directions to the destination interface.

If the SPAN destination port is on the local switch (the same switch), we call this SPAN. If the destination is on a different switch, we call this remote SPAN, or RSPAN.

In RSPAN, a specific VLAN needs to be configured across the entire switching path from the source port or VLAN to the RSPAN destination port to carry the traffic that you are copying, so that the traffic can travel from the source switch to the destination switch. This requires that the RSPAN VLAN be included in every trunk in that path too.
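The RSPAN setup described above, as an added configuration example that is not from the original post. VLAN 100, the trunk interface Gi0/1 and the role names SW-SRC and SW-DST are assumptions chosen for illustration; the source and destination ports follow the lab later on this page.

```cisco
! Added example: VLAN 100, Gi0/1 and the SW-SRC / SW-DST roles are assumptions.
!
! ===== Every switch in the path (source, transit, destination) =====
! Define the VLAN that carries the mirrored frames and mark it as RSPAN.
! Do not place any access ports in this VLAN.
vlan 100
 name RSPAN
 remote-span
!
! ===== Every trunk between the source and destination switch =====
! The RSPAN VLAN must be allowed on each trunk in the path.
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan add 100
!
! ===== SW-SRC: copy the monitored ports into the RSPAN VLAN =====
monitor session 1 source interface FastEthernet0/2 - 5 both
monitor session 1 destination remote vlan 100
!
! ===== SW-DST: deliver the RSPAN VLAN to the sniffer port =====
monitor session 1 source remote vlan 100
monitor session 1 destination interface FastEthernet0/1
!
! ===== Verify on both ends (exec mode) =====
show vlan remote-span
show monitor session 1
```

Keep the RSPAN VLAN off trunks that are not on the path: mirrored frames are flooded within that VLAN, so every trunk that carries it receives a copy of the monitored traffic.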

 


 Restrictions of SPAN and RSPAN

  • You can configure whatever source interface you want (switch port, routed port, access port, trunk port, EtherChannel, etc.), but you can't mix interfaces and VLANs.
  • Do not overload an interface with the traffic of an entire VLAN.
  • When you configure a destination interface (port), its previous configuration is overwritten. When you remove the SPAN configuration, the original configuration is restored.
  • Destination ports do not support any Layer 2 protocol such as STP, CDP, VTP, DTP, etc.
  • Destination ports do not support port security.
  • Destination ports do not support private VLANs.

 

 Let's configure SPAN with a source VLAN.


Topology: -




  • Configure the topology as per the diagram.
  • Assign the IP addresses as per the topology.
  • Configure a monitor session on the switch.
  • Configure Fa0/2 to Fa0/5 as the source ports.
  • Test the lab.

  • Remove the configuration.
  • Configure the source VLAN.
  • Verify the lab.

  • Assign the IP addresses to the PCs:

:\>ipconfig

IP Address......................: 10.1.1.1

Subnet Mask.....................: 255.0.0.0

Default Gateway.................: 0.0.0.0


:\>ipconfig

IP Address......................: 10.1.1.2

Subnet Mask.....................: 255.0.0.0

Default Gateway.................: 0.0.0.0


:\>ipconfig

IP Address......................: 10.1.1.3

Subnet Mask.....................: 255.0.0.0

Default Gateway.................: 0.0.0.0


:\>ipconfig

IP Address......................: 10.1.1.4

Subnet Mask.....................: 255.0.0.0

Default Gateway.................: 0.0.0.0


Switch(config)#monitor session 1 source interface fastEthernet 0/2 - 5

Switch(config)#monitor session 1 destination interface fastEthernet 0/1


Switch#show monitor session 1

Session 1

---------

Type : Local Session

Description : -

Source Ports :

Both : Fa0/2,Fa0/3,Fa0/4,Fa0/5

Destination Ports : Fa0/1

Encapsulation : Native

Ingress : Disabled


Switch#show monitor detail

Session 1

---------

Type : Local Session

Description : -

Source Ports :

RX Only : None

TX Only : None

Both : Fa0/2,Fa0/3,Fa0/4,Fa0/5

Source VLANs :

RX Only : None

TX Only : None

Both : None

Source RSPAN VLAN : None

Destination Ports : Fa0/1

Encapsulation : Native

Ingress : Disabled

Filter VLANs : None

Dest RSPAN VLAN : None



(Now generate some traffic using ping from the PCs and then open the sniffer.)









(As you can see, our sniffer received a copy of the data. Now we are going to monitor a VLAN.)


Switch(config)#vlan 10

Switch(config-vlan)#name SPAN-TEST

Switch(config-vlan)#

Switch(config-vlan)#EXIT



Switch(config)#monitor session 2 source vlan 10 both

Switch(config)#monitor session 2 destination interface fastEthernet 0/1

Switch(config)#exit


Switch#show monitor session 2

Session 2

---------

Type : Local Session

Description : -

Source VLANs :

Both : 10

Destination Ports : Fa0/1

Encapsulation : Native

Ingress : Disabled
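The VLAN-based part of the lab as one ordered sequence, as an added example that is not from the original post. It assumes the PCs stay on Fa0/2 to Fa0/5 and have to be placed in VLAN 10, and it removes session 1 first because a destination port can belong to only one SPAN session at a time.

```cisco
! Added example: the port range and VLAN membership are assumptions about the lab.
!
! 1. Remove the port-based session so Fa0/1 is free to be a destination again
no monitor session 1
!
! 2. Create the VLAN and move the PC-facing ports into it
vlan 10
 name SPAN-TEST
!
interface range FastEthernet0/2 - 5
 switchport mode access
 switchport access vlan 10
!
! 3. Mirror both directions of VLAN 10 to the sniffer port
monitor session 2 source vlan 10 both
monitor session 2 destination interface FastEthernet0/1
!
! 4. Verify (exec mode): only session 2 should be listed, and
!    Fa0/2 to Fa0/5 should appear under VLAN 10
show monitor
show vlan brief
```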



(Generate some traffic using ping from the PCs.)





