Implement Switch Port Analyzer (SPAN), Remote SPAN (RSPAN)

SPAN (Switch Port Analyzer)

SPAN copies network traffic from a VLAN or group of ports to a selected port. This port is
usually connected to a network analyzer, such as a SwitchProbe device, a workstation running a packet-capturing application, or a remote monitoring (RMON) probe. SPAN does not affect the switching of network traffic on source ports or VLANs.

Local SPAN involves configuring source ports, source VLANs, and destination ports on the same switch. Local SPAN, which involves configuring one or more VLANs as the source of the SPAN session, is also called VSPAN. All ports in the source VLANs become source ports in a VSPAN.

SPAN sessions support the monitoring of ingress network traffic (ingress SPAN), egress network traffic (egress SPAN), or traffic flowing in both directions. Ingress SPAN copies network traffic received by the source ports and VLANs for analysis to the destination port. Egress SPAN copies network traffic transmitted from the source ports and VLANs to the destination port. When the both keyword is used, SPAN copies the network traffic received and transmitted by the source ports and VLANs to the destination port. By default, local SPAN monitors all network traffic, including multicast and bridge protocol data unit (BPDU) frames.

Source ports can belong to any VLAN, and trunk ports can be used as source ports alongside nontrunk source ports. Guidelines and restrictions for local SPAN:

  • Both Layer 2 switched ports and Layer 3 ports can be configured as source or destination ports in Cisco IOS–based switches.
  • The source can be either one or more ports or a VLAN, but not a mix of these.
  • Up to 64 SPAN destination ports can be configured on a switch.
  • When you configure a destination port, its original configuration is overwritten. If the SPAN configuration is removed, the original configuration on that port is restored.
  • When you configure a destination port, the port is removed from any EtherChannel bundle if it were part of one. If it were a routed port, the SPAN destination configuration overrides the routed port configuration.
  • Destination ports do not support port security, 802.1x authentication, or private VLANs.
  • A port can act as the destination port for only one SPAN session.
  • A port cannot be configured as a destination port if it is a source port of a SPAN session.
  • Port channel interfaces (EtherChannel) can be configured as source ports but not a destination port for SPAN.
  • Traffic direction is “both” by default for SPAN sources.
  • Destination ports never participate in a spanning-tree instance. Local SPAN includes BPDUs in the monitored traffic, so any BPDUs seen on the destination port are copies from the source port, not STP running on the destination port itself. For this reason, never connect another switch to a SPAN destination port: with no STP on that link, it could form a network loop.
  • The destination port receives a copy of every packet switched through the source port(s).

Guidelines and restrictions for VSPAN:

  • With both ingress and egress monitoring configured, the destination port receives two copies of a packet that is switched within the same VLAN: one from the ingress traffic on the ingress port and one from the egress traffic on the egress port.
  • VSPAN monitors only traffic that leaves or enters Layer 2 ports in the VLAN.

Setting up basic SPAN on a Cisco switch (the source and the destination must be configured under the same session number):

Switch(config)#monitor session 1 source interface fastEthernet 0/1

Switch(config)#monitor session 1 destination interface fastEthernet 0/5

Switch#show monitor
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Fa0/1
Destination Ports      : Fa0/5
    Encapsulation      : Native
          Ingress      : Disabled

Setting up basic VSPAN on a Cisco switch (here only received traffic of VLANs 10 and 20 is copied):

Switch(config)#monitor session 1 source vlan 10 rx
Switch(config)#monitor session 1 source vlan 20 rx
Switch(config)#monitor session 1 destination interface fastEthernet 0/5

Switch#show monitor
Session 1
---------
Type                   : Local Session
Source VLANs           :
    RX Only            : 10,20
Destination Ports      : Fa0/5
    Encapsulation      : Native
          Ingress      : Disabled

RSPAN (Remote Switch Port Analyzer)

Remote SPAN (RSPAN) is similar to SPAN, but it supports source ports, source VLANs, and destination ports on different switches, which provide remote monitoring of multiple switches across a switched network. Each RSPAN session carries the SPAN traffic over a user-specified RSPAN VLAN. This VLAN is dedicated for that RSPAN session in all participating switches.

RSPAN consists of an RSPAN source session, an RSPAN VLAN, and an RSPAN destination session. It is advisable to configure separate RSPAN source sessions and destination sessions on different network devices. To configure an RSPAN source session on one network device, associate a set of source ports and VLANs with an RSPAN VLAN. To configure an RSPAN destination session on another device, associate the destination port with the RSPAN VLAN.

Guidelines applied to RSPAN:

  • Configure the RSPAN VLAN on all source, intermediate, and destination network devices, and make sure it is allowed on every trunk along the path.
  • Switches impose no limit on the number of RSPAN VLANs configured.
  • Any VLAN can be configured as an RSPAN VLAN as long as all participating network devices support RSPAN VLANs; every switch taking part in a given RSPAN session must use the same RSPAN VLAN.
  • An RSPAN VLAN carries only monitored traffic: MAC address learning is disabled on it and all traffic in it is flooded, so do not assign access ports or user traffic to it.

RSPAN configuration on the source switch:

Switch1(config)#monitor session 2 source interface fastEthernet 0/10

Switch1(config)#monitor session 2 destination remote vlan 900

RSPAN configuration on the destination switch:

Switch2(config)#monitor session 2 source remote vlan 900

Switch2(config)#monitor session 2 destination interface fastEthernet 0/20

Every switch on the path from the source switch to the destination switch needs the remote VLAN configured. This can be done by going to each switch along the path and configuring the remote VLAN, or, if VTP is running on the network, by adding the remote VLAN on the VTP server so that it propagates:

Switch(config)#vlan 900

Switch(config-vlan)#remote-span
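The local SPAN and RSPAN restrictions listed above are easy to violate in a long configuration. The following linter is an added example, not part of the original page and not Cisco software: it parses `monitor session` lines and `vlan`/`remote-span` declarations in the command forms shown on this page (one interface or VLAN per line, no ranges) and reports sessions that mix port and VLAN sources, use an EtherChannel or an existing SPAN source as a destination, reuse a destination port across sessions, lack a destination, or reference an RSPAN VLAN that is not declared remote-span. The port-name abbreviation table and the sample configurations are constructed for the example.

```python
"""Lint Cisco IOS 'monitor session' lines against the SPAN/RSPAN restrictions
above. Added example, not Cisco code; command forms as on this page only."""
import re
from collections import defaultdict

MONITOR = re.compile(r"^\s*monitor session (\d+) (source|destination) (.+?)\s*$")
VLAN_DEF = re.compile(r"^\s*vlan (\d+)\s*$")
REMOTE_SPAN = re.compile(r"^\s*remote-span\s*$")


def normalize_port(text):
    """'fastEthernet 0/1' and 'Fa0/1' -> 'fa0/1'; 'port-channel 1' -> 'po1' (assumed table)."""
    t = text.strip().lower().replace(" ", "")
    for full, short in (("fastethernet", "fa"), ("gigabitethernet", "gi"),
                        ("tengigabitethernet", "te"), ("port-channel", "po")):
        if t.startswith(full):
            return short + t[len(full):]
    return t


def parse_config(text):
    """Return ({session id: fields}, {VLAN ids declared remote-span})."""
    sessions = defaultdict(lambda: dict(src_ports=[], src_vlans=[], src_rspan=None,
                                        dst_port=None, dst_rspan=None))
    rspan_vlans, current_vlan = set(), None
    for line in text.splitlines():
        m = VLAN_DEF.match(line)
        if m:                                   # entering 'vlan N' submode
            current_vlan = int(m.group(1))
            continue
        if REMOTE_SPAN.match(line) and current_vlan is not None:
            rspan_vlans.add(current_vlan)
            continue
        current_vlan = None                     # any other command leaves submode
        m = MONITOR.match(line)
        if not m:
            continue
        sid, kind, tokens = int(m.group(1)), m.group(2), m.group(3).split()
        if tokens[-1] in ("rx", "tx", "both"):  # trailing direction on a source
            tokens = tokens[:-1]
        s = sessions[sid]
        if tokens[0] == "interface":
            port = normalize_port(" ".join(tokens[1:]))
            if kind == "source":
                s["src_ports"].append(port)
            else:
                s["dst_port"] = port
        elif tokens[0] == "vlan" and kind == "source":
            s["src_vlans"].append(int(tokens[1]))
        elif tokens[:2] == ["remote", "vlan"]:
            s["src_rspan" if kind == "source" else "dst_rspan"] = int(tokens[2])
    return dict(sessions), rspan_vlans


def lint(text):
    """Return the guideline violations found in text; [] means clean."""
    sessions, rspan_vlans = parse_config(text)
    all_sources = {p for s in sessions.values() for p in s["src_ports"]}
    dst_users, problems = defaultdict(list), []
    for sid, s in sorted(sessions.items()):
        if s["src_ports"] and s["src_vlans"]:
            problems.append(f"session {sid}: source mixes ports and VLANs")
        if s["dst_port"] is None and s["dst_rspan"] is None:
            problems.append(f"session {sid}: no destination configured")
        if s["dst_port"] is not None:
            if s["dst_port"].startswith("po"):
                problems.append(f"session {sid}: {s['dst_port']} is an EtherChannel, not a valid destination")
            if s["dst_port"] in all_sources:
                problems.append(f"session {sid}: {s['dst_port']} is a SPAN source, not a valid destination")
            dst_users[s["dst_port"]].append(sid)
        for vlan in (s["src_rspan"], s["dst_rspan"]):
            if vlan is not None and vlan not in rspan_vlans:
                problems.append(f"session {sid}: VLAN {vlan} is not declared remote-span")
    for port, sids in dst_users.items():
        if len(sids) > 1:
            problems.append(f"{port}: destination of more than one session {sids}")
    return problems


# Constructed sample configurations (not taken from a real switch).
RSPAN_SOURCE_OK = """
vlan 900
 remote-span
monitor session 2 source interface fastEthernet 0/10
monitor session 2 destination remote vlan 900
"""
BROKEN = """
vlan 900
monitor session 1 source interface fastEthernet 0/1
monitor session 1 source vlan 10 rx
monitor session 1 destination interface fastEthernet 0/5
monitor session 2 source interface fastEthernet 0/5
monitor session 2 destination interface port-channel 1
monitor session 3 source interface fastEthernet 0/7
monitor session 3 destination remote vlan 900
monitor session 4 source interface fastEthernet 0/8
monitor session 4 destination interface fastEthernet 0/5
monitor session 5 source interface fastEthernet 0/9
"""

if __name__ == "__main__":
    print("\n".join(lint(BROKEN)) or "clean")
```

Run against BROKEN it reports seven violations (the mixed source, the EtherChannel destination, Fa0/5 being both a source and a destination of two sessions, the undeclared RSPAN VLAN 900, and session 5 with no destination); RSPAN_SOURCE_OK comes back clean. On a real switch the same checks are done by hand against `show monitor` and `show vlan remote-span`, which lists the VLANs declared remote-span.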