As part of the CCNP Switch you get introduced to a topic called SPAN and Remote SPAN. This feature allows Network Engineers to capture packets flowing to and from a Interface or VLAN and mirror or forward those packets to a Packet Capture Analyzer software such as Wireshark.
Things to be aware of when setting SPAN and RSPAN up:
- Make sure you destination port is of equivalent speed to the Source port otherwise you could drop packets.
- A source port cannot be the same as a destination port
- A destination port can only be a part of one SPAN session
- Source ports can be part of a EtherChannel but destinations ports cannot
- Trunk ports can be setup as source and destination and the default behavior will monitor all active VLAN’s on that port
- Destination Ports will not participate in STP, CDP, VTP, DTP or LACP
- The number of SPAN sessions can vary on different switch models
The source can be set to entire VLAN’s (VSPAN) or individual ports. The Source is the port or VLAN you want to monitor.
Here is what the basic SPAN topology would look like:
Here is how to setup the Source SPAN interface.
tpw-sw1(config)#monitor session 1 source interface GigabitEthernet 1/1
The Destination is the port you have the network analyzer connected to.
tpw-sw1(config)#monitor session 1 destination interface GigabitEthernet 1/2
Verify your SPAN port setup.
tpw-sw1#show monitor Session 1 --------- Type : Local Session Source Ports : Both : Gi1/1 Destination Ports : Gi1/2
The behavior is expected on a SPAN port:
tpw-sw1#sh int Gi1/1 FastEthernet1/1 is down, line protocol is down (monitoring)
However SPAN isn’t always going to be local, so luckily for us there is Remote SPAN (RSPAN). This feature allows the mirrored packets to traverse the trunk port to another switch via a separate VLAN. The configuration is fairly straightforward however there are a couple of caveats:
- All switches have to be RSPAN capable.
- VTP does treat the RSPAN VLAN like a regular VLAN and will propagate that through the VTP domain, but if its not you will have to add them manually to each switch
- VTP will prune the VLANS like a regular VLAN
- MAC address learning is disabled on the RSPAN VLAN
- Source and Destinations will be slightly different on each switch so don’t just copy the commands on each switch.
The topology would look something like this:
Here is the configuration for RSPAN tpw-sw1 – be aware the destination RSPAN VLAN
tpw-sw1(config)#vlan 4000 tpw-sw1(config-vlan)#remote-span tpw-sw1(config)#monitor session 1 source interface GigabitEthernet 1/1 tpw-sw1(config)#monitor session 1 destination remote vlan 4000
Verify your work.
tpw-sw1#show monitor Session 1 --------- Type : Local Session Source Ports : Both : Gi1/1 Dest RSPAN VLAN : 4000
Here is the configuration for RSPAN tpw-sw2 – be aware the source is the RSPAN VLAN
tpw-sw2(config)#vlan 4000 tpw-sw2(config-vlan)#remote-span tpw-sw2(config)#monitor session 1 source remote vlan 4000 tpw-sw2(config)#monitor session 1 destination interface GigabitEthernet 1/2
Verify your work.
tpw-sw2#show monitor Session 1 --------- Type : Local Session Source RSPAN VLAN : 4000 Destination Ports : Gi1/2
If you have a setup similar to below you have to name Remote SPAN VLAN 4000 on all intermediate switches.
Happy SPANNING 🙂