SPAN / VSPAN / RSPAN – Easy to configure, but a whole load of details to remember for exam day!

Local_Span

SPAN and RSPAN (Remote SPAN) are essentially port mirroring or port monitoring. In even simpler terms, they relay all data from their “source” port over to a “destination” port, which will have some form of data analyzer software on it.

Hence the names SPAN (Switch Port Analyzer), RSPAN (Remote SPAN) and VSPAN (VLAN SPAN). SPAN is configured locally, from a source interface to a destination interface on the same switch or switch stack (a switch stack is one logical switch), while Remote SPAN sends this information across multiple switches within a multi-switch network. VSPAN is configured the same way, just with entire VLANs as the source.

That is about all there is to know about its operation, so I’ll dive right into the configuration of both SPAN and RSPAN, then go over the exam day details at the end!

Be sure to review the details at the bottom of this post, they are as important as the configuration itself for exam day, and that is not a joke!

Local SPAN Configuration

The configuration could not possibly be more straightforward, just remember it is configured at the Global Config level, and you define VLANs / Int’s in the command!

Configuring Source Port for monitoring:

SW1(config)#monitor ?
event-trace Tracing of system events
session Configure a SPAN session

SW1(config)#monitor session ?
<1-66> SPAN session number

SW1(config)#monitor session 1 ?
destination SPAN destination interface or VLAN
filter SPAN filter VLAN
source SPAN source interface, VLAN

SW1(config)#monitor session 1 source ?
interface SPAN source interface
remote SPAN source Remote
vlan SPAN source VLAN

SW1(config)#monitor session 1 source int ?
FastEthernet FastEthernet IEEE 802.3
GigabitEthernet GigabitEthernet IEEE 802.3z
Port-channel Ethernet Channel of interfaces

SW1(config)#monitor session 1 source int fa1/0/8 ?
, Specify another range of interfaces
- Specify a range of interfaces
both Monitor received and transmitted traffic
rx Monitor received traffic only
tx Monitor transmitted traffic only
<cr>

SW1(config)#monitor session 1 source int fa1/0/8

Some things you may have noticed are that Port-Channel is available as an interface type to Source for SPAN monitoring, and that we can also make a VLAN our source rather than an Interface, which we will look at shortly!

Configuring Destination port to receive traffic:

SW1(config)#monitor session 1 ?
destination SPAN destination interface or VLAN
filter SPAN filter VLAN
source SPAN source interface, VLAN

SW1(config)#monitor session 1 dest ?
interface SPAN destination interface
remote SPAN destination Remote

SW1(config)#monitor session 1 dest int fa1/0/1 ?
, Specify another range of interfaces
- Specify a range of interfaces
encapsulation Set encapsulation for destination interface
ingress Enable ingress traffic forwarding
<cr>

SW1(config)#monitor session 1 dest int fa1/0/1
SW1(config)#

Also notice here for our “Destination” options that Port-Channel is NOT included, and we cannot send our traffic to a VLAN as the destination, only to an interface.

So now we should have all traffic from Fa1/0/8 going to Fa1/0/1, let’s take a look at the first verification command I have for you, “show monitor”:

SW1(config)#do sh monitor
Session 1
———
Type : Local Session
Source Ports :
Both : Fa1/0/8
Destination Ports : Fa1/0/1
Encapsulation : Native
Ingress : Disabled
SW1(config)#

So the formatting is a little weird again with this output, it’s actually showing “Both” as sort of a sub-section under Source Ports, because we are monitoring both Rx and Tx traffic.

Session #1 is defined up at the top, which both ports in the SPAN session must agree on.

So let’s look at the interfaces to see what’s up with them, if anything is new:

SW1(config)#do sh int fa1/0/8
FastEthernet1/0/8 is up, line protocol is up (connected)

Nothing out of the ordinary, let us have a look at the destination port:

SW1(config)#do sh int fa1/0/1
FastEthernet1/0/1 is up, line protocol is down (monitoring)

***VERY IMPORTANT POINT ILLUSTRATED FOR DESTINATION PORTS HERE!!!!***

It is expected for the “line-protocol” to be in a Down state on destination ports, and we can tell it is indeed a SPAN destination port by the “(monitoring)” next to it, so that is all good to go!

And SPAN is just as easy as that, if you have a PC with a network traffic analyzer plugged into Port 1 you are in good shape.

NOW, to take a quick look at VSPAN!

I want to keep Fa1/0/1 as our Destination Port as it’s working well so far, and being that a Destination Port in any flavor of SPAN can only be part of one SPAN session at a time, I will first remove interface SPAN then move onto VSPAN.

Remove Interface Monitor / Adding VLAN monitor

SW1(config)#no monitor session 1 source int fa1/0/8
SW1(config)#
SW1(config)#
SW1(config)#monitor session 1 source ?
interface SPAN source interface
remote SPAN source Remote
vlan SPAN source VLAN

SW1(config)#monitor session 1 source vlan ?
<1-4094> SPAN source VLAN

SW1(config)#monitor session 1 source vlan 10 ?
, Specify another range of VLANs
- Specify a range of VLANs
both Monitor received and transmitted traffic
rx Monitor received traffic only
tx Monitor transmitted traffic only
<cr>

SW1(config)#monitor session 1 source vlan 10
SW1(config)#

Note that Fa1/0/1 is in VLAN 1, while Fa1/0/8 is in VLAN 10, so they do not need to reside in the same VLAN locally for VSPAN to work, but let’s verify that:

SW1(config)#do sh monitor
Session 1
———
Type : Local Session
Source VLANs :
Both : 10
Destination Ports : Fa1/0/1
Encapsulation : Native
Ingress : Disabled
SW1(config)#

I didn’t point this out last time, but also notice how it says “Local Session” in the output, as I believe that will be an indicator we are not using RSPAN but doing it locally here.

Otherwise, the output is the same, you will see all the traffic generated by that VLAN #.

Now onto RSPAN which has just a few extra details here

To start off, this will roughly be our Topology, Source Fa1/0/1 on SW1 and Destination Fa1/0/8 on SW3:

Remote_Span

The major difference between SPAN and RSPAN is that a common VLAN is needed to carry SPAN traffic across all switches in the Path from Source to Destination.

Speaking of which, let’s set up our RSPAN VLAN on SW1:

SW1(config)#vlan 50
SW1(config-vlan)#remote-span
SW1(config-vlan)#exit
SW1(config)#

Literally, so easy a caveman could configure it.

Now given our Destination interface is on a Remote switch, we will use the “remote-span” VLAN we just created as our Destination to carry our SPAN traffic.

So to configure first the “Source” (note it can still be VLAN or Interface):

SW1(config)#monitor session ?
<1-66> SPAN session number

SW1(config)#monitor session 2 ?
destination SPAN destination interface or VLAN
filter SPAN filter VLAN
source SPAN source interface, VLAN

SW1(config)#monitor session 2 source ?
interface SPAN source interface
remote SPAN source Remote
vlan SPAN source VLAN

SW1(config)#monitor session 2 source int ?
FastEthernet FastEthernet IEEE 802.3
GigabitEthernet GigabitEthernet IEEE 802.3z
Port-channel Ethernet Channel of interfaces

SW1(config)#monitor session 2 source int fa1/0/1 ?
, Specify another range of interfaces
- Specify a range of interfaces
both Monitor received and transmitted traffic
rx Monitor received traffic only
tx Monitor transmitted traffic only
<cr>

SW1(config)#monitor session 2 source int fa1/0/1
SW1(config)#

Now the syntax for a Remote Destination:

SW1(config)#monitor session 2 ?
destination SPAN destination interface or VLAN
filter SPAN filter VLAN
source SPAN source interface, VLAN

SW1(config)#monitor session 2 dest ?
interface SPAN destination interface
remote SPAN destination Remote

SW1(config)#monitor session 2 dest remote ?
vlan Remote SPAN destination RSPAN VLAN

SW1(config)#monitor session 2 dest remote vlan ?
<1006-4094> Remote SPAN destination extended RSPAN VLAN number
<2-1001> Remote SPAN destination RSPAN VLAN number

SW1(config)#monitor session 2 dest remote vlan 50 ?
<cr>

SW1(config)#monitor session 2 dest remote vlan 50
SW1(config)#

I mean it just really couldn’t get any easier! Where are all the confusing sub-commands??

Now onto SW2 configuration, being in the Path of our SPAN Source and Destination

The entire configuration required:

SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#vlan 50
SW2(config-vlan)#remote-span
SW2(config-vlan)#exit
SW2(config)#

Only needs a common VLAN # for all SPAN traffic configured, and remote-span configured on it, and it is off to the races!

Configuring the Destination for RSPAN on SW3 Fa1/0/8

Configuring the Destination for RSPAN:

SW3(config)#vlan 50
SW3(config-vlan)#remote-span
SW3(config-vlan)#exit
SW3(config)#monitor session 2 source remote vlan 50
SW3(config)#monitor session 2 dest int fa1/0/8
SW3(config)#

So easy a cave man can do it! One important note – You must configure the source as remote vlan 50 and not just “source vlan 50”, this is an easy mistake to make!

Now a quick verification:

SW3(config)#do sh monitor
Session 2
———
Type : Remote Destination Session
Source RSPAN VLAN : 50
Destination Ports : Fa1/0/8
Encapsulation : Native
Ingress : Disabled
SW3(config)#

Perfection! That is exactly what we want to see, both sides show RSPAN in their verification output, with the same VLAN configured (remember session # is locally significant only) so that is all there is to it!
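To check an RSPAN path end to end, the sketch below (an added example, not part of the original post) parses “show monitor” text from each switch, matches remote source and remote destination sessions by RSPAN VLAN rather than by session number, and flags the “source vlan 50” mistake described above. The sample outputs are constructed in the layout shown in this post, and the “Dest RSPAN VLAN” label for the source-side session is an assumption, since the post does not show that output.

```python
import re

def parse_show_monitor(text):  # returns {session_number: {field: value}}
    sessions, cur, group = {}, None, None
    for line in text.splitlines():
        m = re.match(r"\s*Session\s+(\d+)\s*$", line)
        if m:
            cur, group = sessions.setdefault(int(m.group(1)), {}), None
        elif cur is not None and ":" in line:  # skips prompts and separator rows
            key, value = (p.strip() for p in line.split(":", 1))
            if key in ("Both", "RX Only", "TX Only") and group:
                cur.setdefault(group, []).append(value)  # row under a header
            elif not value:
                group = key  # header such as "Source VLANs :" opens a sub-section
            else:
                cur[key], group = value, None
    return sessions

def vlan_ids(spec):  # expand "10,20-22" into {10, 20, 21, 22}
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit_rspan(outputs):  # outputs: {switch_name: 'show monitor' text}
    src, dst, local = {}, {}, {}
    for sw, text in outputs.items():
        for num, s in parse_show_monitor(text).items():
            where = f"{sw} session {num}"  # session numbers are local to a switch
            if "Dest RSPAN VLAN" in s:  # assumed label on a remote source session
                src.setdefault(int(s["Dest RSPAN VLAN"]), []).append(where)
            elif "Source RSPAN VLAN" in s:
                dst.setdefault(int(s["Source RSPAN VLAN"]), []).append(where)
            for spec in s.get("Source VLANs", []):
                for vlan in vlan_ids(spec):
                    local.setdefault(vlan, []).append(where)
    findings = []
    for vlan in sorted(src):
        if vlan not in dst:
            findings.append(f"VLAN {vlan}: mirrored from {src[vlan]}, no remote destination session")
        for w in local.get(vlan, []):
            findings.append(f"{w}: local 'source vlan {vlan}' on an RSPAN VLAN")
    return findings

# Constructed sample outputs in the layout shown in this post.
SW1 = "Session 2\n---------\nType : Remote Source Session\nSource Ports :\nBoth : Fa1/0/1\nDest RSPAN VLAN : 50\n"
SW3_OK = "Session 2\n---------\nType : Remote Destination Session\nSource RSPAN VLAN : 50\nDestination Ports : Fa1/0/8\n"
SW3_BAD = "Session 2\n---------\nType : Local Session\nSource VLANs :\nBoth : 50\nDestination Ports : Fa1/0/8\n"
```

Calling `audit_rspan({"SW1": SW1, "SW3": SW3_OK})` returns an empty list, while swapping in `SW3_BAD` returns two findings: the RSPAN VLAN has no remote destination session, and SW3 is sourcing VLAN 50 as a local session.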

Details for exam day, though a lot of them were explained during config!

Misc Notes:

  • RSPAN can be Pruned by VTP over Trunks
  • The monitor session # is locally significant only, it can be completely different #’s on different switches across RSPAN
  • “show monitor” to view SPAN / RSPAN info on switch
  • To change what type of traffic is mirrored / monitored, add rx / tx / both on the monitor session statements issued
  • Speed of Ports for Source or Destination will not make or break anything, but if the Source has a much higher speed than your destination, traffic may be dropped!

Source Port information:

  • A source port can be monitored by multiple SPAN sessions
  • A source port cannot also be a destination port
  • EtherChannels can be the source for SPAN by Port-Channel#, or individual interfaces within the Port-Channel
  • Trunk Ports can be Source Ports, however you get data from all VLANs traversing the Trunk interface
  • An entire VLAN can be configured as a Source Port, commonly referred to as VSPAN

Destination Port information:

  • A destination port can be part of only a single SPAN session
  • An EtherChannel cannot be used as a Destination port (though it can be used as a source)
  • Destination ports do not participate in any normal protocols – STP, CDP, VTP, DTP, PAgP, LACP
  • Trunks can be configured as both Source and Destination, resulting in all traffic going over the Trunk being monitored

I hope that was as good for you as it was for me, now I am outta here til next time!
