Cisco : SPAN and Remote SPAN

As part of the CCNP Switch you get introduced to a topic called SPAN and Remote SPAN. This feature allows Network Engineers to capture packets flowing to and from a Interface or VLAN and mirror or forward those packets to a Packet Capture Analyzer software such as Wireshark.

Things to be aware of when setting SPAN and RSPAN up:

  • Make sure you destination port is of equivalent speed to the Source port otherwise you could drop packets.
  • A source port cannot be the same as a destination port
  • A destination port can only  be a part of one SPAN session
  • Source ports can be part of a EtherChannel but destinations ports cannot
  • Trunk ports can be setup as source and destination and the default behavior will monitor all active VLAN’s on that port
  • Destination Ports will not participate in STP, CDP, VTP, DTP or LACP
  • The number of SPAN sessions can vary on different switch models

The source can be set to entire VLAN’s (VSPAN) or individual ports. The Source is the port or VLAN you want to monitor.

Here is what the basic SPAN topology would look like:

 

Here is how to setup the Source SPAN interface.

 

tpw-sw1(config)#monitor session 1 source interface GigabitEthernet 1/1

The Destination is the port you have the network analyzer connected to.

tpw-sw1(config)#monitor session 1 destination interface GigabitEthernet 1/2

Verify your SPAN port setup.

tpw-sw1#show monitor

Session 1

---------

Type                   : Local Session

Source Ports           :

    Both               : Gi1/1

Destination Ports      : Gi1/2


The behavior is expected on a SPAN port:

tpw-sw1#sh int Gi1/1
FastEthernet1/1 is down, line protocol is down (monitoring)

 

However SPAN isn’t always going to be local, so luckily for us there is Remote SPAN (RSPAN). This feature allows the mirrored packets to traverse the trunk port to another switch via a separate VLAN. The configuration is fairly straightforward however there are a couple of caveats:

  1. All switches have to be RSPAN capable.
  2. VTP does treat the RSPAN VLAN like a regular VLAN and will propagate that through the VTP domain, but if its not you will have to add them manually to each switch
  3. VTP will prune the VLANS like a regular VLAN
  4. MAC address learning is disabled on the RSPAN VLAN
  5. Source and Destinations will be slightly different on each switch so don’t just copy the commands on each switch.

The topology would look something like this:


Here is the configuration for RSPAN tpw-sw1 – be  aware the destination RSPAN VLAN

tpw-sw1(config)#vlan 4000

tpw-sw1(config-vlan)#remote-span

tpw-sw1(config)#monitor session 1 source interface GigabitEthernet 1/1

tpw-sw1(config)#monitor session 1 destination remote vlan 4000

Verify your work.

tpw-sw1#show monitor

Session 1

---------

Type                   : Local Session

Source Ports           :

    Both               : Gi1/1

Dest RSPAN VLAN     : 4000

Here is the configuration for RSPAN tpw-sw2 – be aware the source is the RSPAN VLAN

tpw-sw2(config)#vlan 4000

tpw-sw2(config-vlan)#remote-span

tpw-sw2(config)#monitor session 1 source remote vlan 4000

tpw-sw2(config)#monitor session 1 destination interface GigabitEthernet 1/2

Verify your work.

tpw-sw2#show monitor

Session 1

---------

Type                   : Local Session

Source RSPAN VLAN        : 4000

Destination Ports     : Gi1/2


If you have a setup similar to below you have to name Remote SPAN VLAN 4000 on all intermediate switches.

Happy SPANNING 🙂

 

Common Port Numbers

Common TCP/IP Protocols and Ports

Protocol TCP/UDP Port Number
File Transfer Protocol (FTP)

(RFC 959)

TCP 20/21
Secure Shell (SSH)

(RFC 4250-4256)

TCP 22
Telnet

(RFC 854)

TCP 23
Simple Mail Transfer Protocol (SMTP)

(RFC 5321)

TCP 25
Domain Name System (DNS)

(RFC 1034-1035)

TCP/UDP 53
Dynamic Host Configuration Protocol (DHCP)

(RFC 2131)

UDP 67/68
Trivial File Transfer Protocol (TFTP)

(RFC 1350)

UDP 69
Hypertext Transfer Protocol (HTTP)

(RFC 2616)

TCP 80
Post Office Protocol (POP) version 3

(RFC 1939)

TCP 110
Network Time Protocol (NTP)

(RFC 5905)

UDP 123
NetBIOS

(RFC 1001-1002)

TCP/UDP 137/138/139
Internet Message Access Protocol (IMAP)

(RFC 3501)

TCP 143
Simple Network Management Protocol (SNMP)

(RFC 1901-1908, 3411-3418)

TCP/UDP 161/162
Border Gateway Protocol (BGP)

(RFC 4271)

TCP 179
Lightweight Directory Access Protocol (LDAP)

(RFC 4510)

TCP/UDP 389
Hypertext Transfer Protocol over SSL/TLS (HTTPS)

(RFC 2818)

TCP 443
Lightweight Directory Access Protocol over TLS/SSL (LDAPS)

(RFC 4513)

TCP/UDP 636
FTP over TLS/SSL

(RFC 4217)

TCP 989/990
The complete list of assigned ports and their assigned services can be seen at http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml.