SPAN, RSPAN, and ERSPAN
Cisco Catalyst switches support a method of directing all traffic from a source port or
source VLAN to a single port. This feature, called SPAN (for Switch Port Analyzer) in the
Cisco documentation and sometimes referred to as session monitoring because of the
commands used to configure it, is useful for many applications. These include monitoring
traffic for compliance reasons, for data collection purposes, or to support a particular
application. For example, all traffic from a voice VLAN can be delivered to a single
switch port to facilitate call recording in a VoIP network. Another common use of this
feature is to support intrusion detection/prevention system (IDS/IPS) security solutions.
SPAN sessions can be sourced from a port or ports, or from a VLAN. This provides great
flexibility in collecting or monitoring traffic from a particular source device or an entire
VLAN.
The destination port for a SPAN session can be on the local switch, as in SPAN operation,
or it can be a port on another switch in the network. The latter mode is known as
Remote SPAN, or RSPAN. In RSPAN, a specific VLAN must be configured across the
entire switching path from the source port or VLAN to the RSPAN destination port. This
requires that the RSPAN VLAN be included in any trunks in that path, too.
for the topology of SPAN, for that of RSPAN, and for that of
Encapsulated Remote SPAN (ERSPAN).
The information in this section applies specifically to the Cisco 3560 switching platform;
the Cisco 3750 and many other platforms use identical or similar rules and configuration
commands.
Core Concepts of SPAN, RSPAN, and ERSPAN
To understand SPAN, RSPAN, and ERSPAN, it helps to break them down into their fundamental
elements. This also helps you understand how to configure these features.
In SPAN, you create a SPAN source that consists of at least one port or at least one
VLAN on a switch. On the same switch, you configure a destination port. The SPAN
source data is then gathered and delivered to the SPAN destination.
In RSPAN, you create the same source type—at least one port or at least one VLAN. The
destination for this session is the RSPAN VLAN, rather than a single port on the switch.
At the switch that contains an RSPAN destination port, the RSPAN VLAN data is delivered
to the RSPAN port.
---------------
Restrictions and Conditions
Destination ports in SPAN, RSPAN, and ERSPAN have multiple restrictions. The key
restrictions include the following:
■ When you configure a destination port, its original configuration is overwritten.
If the SPAN configuration is removed, the original configuration on that port is
restored.
■ When you configure a destination port, the port is removed from any EtherChannel
bundle if it was part of one. If it was a routed port, the SPAN destination configuration
overrides the routed port configuration.
■ Destination ports do not support port security, 802.1x authentication, or private
VLANs. In general, SPAN/RSPAN and 802.1x are incompatible.
■ Destination ports do not support any Layer 2 protocols, including CDP, Spanning
Tree, VTP, DTP, and so on.
A set of similar restrictions for RSPAN destination VLANs also exists. See the references
in the “Further Reading” section at the end of this chapter for more information about
those restrictions.
SPAN, RSPAN, and ERSPAN require compliance with a number of specific conditions to
work. For SPAN, the key restrictions include the following:
■ The source can be either one or more ports or a VLAN, but not a mix of these.
■ Up to 64 SPAN destination ports can be configured on a switch.
■ Switched or routed ports can be configured as SPAN source ports or SPAN destination
ports.
■ Be careful to avoid overloading the SPAN destination port. A 100-Mbps source port
can easily overload a 10-Mbps destination port; it’s even easier to overload a 100-Mbps
destination port when the source is a VLAN.
■ Within a single SPAN session, you cannot deliver traffic to a destination port when
it is sourced by a mix of SPAN, RSPAN, or ERSPAN source ports or VLANs. This
restriction comes into play when you want to mirror traffic to both a local port on a
switch (in SPAN) and a remote port on another switch (in RSPAN or ERSPAN mode).
■ A SPAN destination port cannot be a source port, and a source port cannot be a destination
port.
■ Only one SPAN/RSPAN/ERSPAN session can send traffic to a single destination
port.
■ A SPAN destination port ceases to act as a normal switch port. That is, it passes only
SPAN-related traffic.
■ It’s possible to configure a trunk port as the source of a SPAN or RSPAN session. In
this case, all VLANs on the trunk are monitored by default; the filter vlan command
option can be configured to limit the VLANs being monitored in this situation.
■ Traffic that is routed from another VLAN to a source VLAN cannot be monitored
with SPAN. An easy way to understand this concept is that only traffic that enters or
exits the switch in a source port or VLAN is forwarded in a SPAN session. In other
words, if the traffic comes from another source within the switch (by routing from
another VLAN, for example), that traffic isn’t forwarded through SPAN.
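An IDS sensor fed by a session that breaks one of these rules may receive nothing, so the rules are worth checking mechanically. The following is an added example, not from the original text: it audits `monitor session` lines against the source-mix, destination-port, and session-number rules stated in this section. The sample configuration, rule names, and function name are constructed for illustration.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"monitor session (\d+) (source|destination) (remote vlan|interface|vlan) (\S+)")

# Constructed sample (not from the page): four sessions with deliberate mistakes.
SAMPLE = """\
monitor session 1 source interface fa0/12
monitor session 1 destination interface fa0/24
monitor session 2 source interface fa0/9 tx
monitor session 2 source vlan 11
monitor session 2 destination interface fa0/24
monitor session 3 source interface fa0/24 rx
monitor session 3 destination interface fa0/20
monitor session 70 source vlan 9 rx
monitor session 70 destination remote vlan 199
"""

def audit_span(config_text):
    """Return sorted (rule, subject) pairs for each restriction the config breaks."""
    src_kinds = defaultdict(set)     # session id -> kinds of source configured
    src_ports = set()                # ports used as a source in any session
    dst_sessions = defaultdict(set)  # destination port -> sessions sending to it
    for line in config_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                 # e.g. "filter vlan" lines and comments
        sid, role, kind, target = int(m[1]), m[2], m[3], m[4].lower()
        if role == "source":
            src_kinds[sid].add(kind)
            if kind == "interface":
                src_ports.add(target)
        elif kind == "interface":
            dst_sessions[target].add(sid)
    findings = set()
    for sid, kinds in src_kinds.items():
        if not 1 <= sid <= 66:       # session range stated on this page
            findings.add(("session-out-of-range", str(sid)))
        if {"interface", "vlan"} <= kinds:
            findings.add(("mixed-port-and-vlan-sources", str(sid)))
    for port, sids in dst_sessions.items():
        if len(sids) > 1:
            findings.add(("destination-shared-by-sessions", port))
        if port in src_ports:
            findings.add(("destination-is-also-source", port))
    return sorted(findings)

print(audit_span(SAMPLE))
```

Interface names are compared as written, so the check assumes one consistent spelling (fa0/24 rather than a mix of fa0/24 and FastEthernet0/24).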
SPAN, RSPAN, and ERSPAN support three types of traffic: transmitted, received, and
both. By default, SPAN is enabled for traffic both entering and exiting the source port
or VLAN. However, SPAN can be configured to monitor just transmitted traffic or just
received traffic. Some additional conditions apply to these traffic types, as detailed in
this list:
■ For Receive (RX) SPAN, the goal is to deliver all traffic received to the SPAN destination.
As a result, each frame to be transported across a SPAN connection is copied
and sent before any modification (for example, VACL or ACL filtering, QoS modification,
or even ingress or egress policing).
■ For Transmit (TX) SPAN, all relevant filtering or modification by ACLs, VACLs, QoS,
or policing actions are taken before the switch forwards the traffic to the SPAN/RSPAN
destination. As a result, not all transmit traffic necessarily makes it to a
SPAN destination. Also, the frames that are delivered do not necessarily match the
original frames exactly, depending on policies applied before they are forwarded to
the SPAN destination.
■ A special case applies to certain types of Layer 2 frames. SPAN/RSPAN usually
ignores CDP, spanning-tree BPDUs, VTP, DTP, and PAgP frames. However, these traffic
types can be forwarded along with the normal SPAN traffic if the encapsulation
replicate command is configured.
Basic SPAN Configuration
The goal for the configuration in Example is to mirror traffic sent to or received from
interface fa0/12 to interface fa0/24. All traffic sent or received on fa0/12 is sent to fa0/24.
This configuration is typical of a basic traffic-monitoring application.
Example Basic SPAN Configuration Example
MDF-ROC1# configure terminal
MDF-ROC1(config)# monitor session 1 source interface fa0/12
MDF-ROC1(config)# monitor session 1 destination interface fa0/24
------------
Complex SPAN Configuration
In Example , we configure a switch to send the following traffic to interface fa0/24,
preserving the encapsulation from the sources:
■ Received on interface fa0/18
■ Sent on interface fa0/9
■ Sent and received on interface fa0/19 (which is a trunk)
We also filter (remove) VLANs 1, 2, 3, and 229 from the traffic coming from the fa0/19
trunk port.
Example Complex SPAN Configuration Example
MDF-ROC3# config term
MDF-ROC3(config)# monitor session 11 source interface fa0/18 rx
MDF-ROC3(config)# monitor session 11 source interface fa0/9 tx
MDF-ROC3(config)# monitor session 11 source interface fa0/19
MDF-ROC3(config)# monitor session 11 filter vlan 1 - 3 , 229
MDF-ROC3(config)# monitor session 11 destination interface fa0/24 encapsulation replicate
RSPAN Configuration
In Example , we configure two switches, IDF-SYR1 and IDF-SYR2, to send traffic to
RSPAN VLAN 199, which is delivered to port fa0/24 on switch MDF-SYR9 as follows:
■ From IDF-SYR1, all traffic received on VLANs 66–68
■ From IDF-SYR2, all traffic received on VLAN 9
■ From IDF-SYR2, all traffic sent and received on VLAN 11
Note that all three switches use a different session ID, which is permissible in RSPAN.
The only limitation on session numbering is that the session number must be 1 to 66.
IDF-SYR1# config term
IDF-SYR1(config)# vlan 199
IDF-SYR1(config-vlan)# remote-span
IDF-SYR1(config-vlan)# exit
IDF-SYR1(config)# monitor session 3 source vlan 66 - 68 rx
IDF-SYR1(config)# monitor session 3 destination remote vlan 199
-----------------
!Now moving to IDF-SYR2:
IDF-SYR2# config term
IDF-SYR2(config)# vlan 199
IDF-SYR2(config-vlan)# remote-span
IDF-SYR2(config-vlan)# exit
IDF-SYR2(config)# monitor session 23 source vlan 9 rx
IDF-SYR2(config)# monitor session 23 source vlan 11
IDF-SYR2(config)# monitor session 23 destination remote vlan 199
----------------
!Now moving to MDF-SYR9
MDF-SYR9# config term
MDF-SYR9(config)# vlan 199
MDF-SYR9(config-vlan)# remote-span
MDF-SYR9(config-vlan)# exit
MDF-SYR9(config)# monitor session 63 source remote vlan 199
MDF-SYR9(config)# monitor session 63 destination interface fa0/24
MDF-SYR9(config)# end
ERSPAN Configuration
In Example 1-6, we will configure an ASR 1002 to capture received traffic and send it
to Catalyst 6509 Gig2/2/1. This traffic will simply be captured, encapsulated in GRE by
the ASR 1002 natively, and routed over to the Catalyst 6509. A sniffing station on the 6500
attached to GE2/2/1 will see the complete Ethernet frame (L2 to L7) information.
ERSPAN Configuration Example
ASR1002(config)# monitor session 1 type erspan-source
ASR1002(config-mon-erspan-src)# source interface gig0/1/0 rx
ASR1002(config-mon-erspan-src)# no shutdown
ASR1002(config-mon-erspan-src)# destination
ASR1002(config-mon-erspan-src-dst)# erspan-id 101
ASR1002(config-mon-erspan-src-dst)# ip address 10.1.1.1
ASR1002(config-mon-erspan-src-dst)# origin ip address 172.16.1.1
!Now for the configuration of the Catalyst 6500
SW6509(config)# monitor session 2 type erspan-destination
SW6509(config-mon-erspan-dst)# destination interface gigabitEthernet2/2/1
SW6509(config-mon-erspan-dst)# no shutdown
SW6509(config-mon-erspan-dst)# source
SW6509(config-mon-erspan-dst-src)# erspan-id 101
SW6509(config-mon-erspan-dst-src)# ip address 10.1.1.1
You can verify SPAN, RSPAN, or ERSPAN operation using the show monitor session
command.
ERSPAN Verification Example
ASR1002# show monitor session 1
Session 1
---------
Type : ERSPAN Source Session
Status : Admin Enabled
Source Ports :
RX Only : Gi0/1/0
Destination IP Address : 10.1.1.1
MTU : 1464
Destination ERSPAN ID : 101
Origin IP Address : 172.16.1.1
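A collector that terminates the GRE stream itself, instead of sitting behind a destination port such as GE2/2/1, has to strip the encapsulation and should keep only frames from the session it expects. The following is an added example, not from the original text: it parses the GRE and ERSPAN headers and filters on the session ID (erspan-id 101 above). It assumes ERSPAN Type II framing, which the text does not specify, and the sample packet is constructed.

```python
import struct

GRE_PROTO_ERSPAN = 0x88BE  # GRE protocol type used by ERSPAN Type I/II

def parse_erspan(gre):
    """Split a GRE payload carrying ERSPAN Type II into header fields and the frame."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", gre, 0)
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError("GRE protocol 0x%04x is not ERSPAN" % proto)
    if not flags & 0x1000:
        raise ValueError("no GRE sequence number: Type I, which has no ERSPAN header")
    off = 4
    off += 4 if flags & 0x8000 else 0   # optional checksum + reserved
    off += 4 if flags & 0x2000 else 0   # optional key
    if len(gre) < off + 12:
        raise ValueError("truncated ERSPAN header")
    seq, w1, w2 = struct.unpack_from("!III", gre, off)
    if w1 >> 28 != 1:
        raise ValueError("ERSPAN version %d is not Type II" % (w1 >> 28))
    return {
        "sequence": seq,
        "vlan": (w1 >> 16) & 0xFFF,
        "truncated": bool(w1 & 0x400),
        "session_id": w1 & 0x3FF,        # the erspan-id configured on both ends
        "index": w2 & 0xFFFFF,
        "frame": gre[off + 12:],         # mirrored Ethernet frame, L2 upward
    }

def accept(gre, expected_id):
    """Return the mirrored frame only when the packet belongs to the expected session."""
    try:
        info = parse_erspan(gre)
    except ValueError:
        return None
    return info["frame"] if info["session_id"] == expected_id else None

# Constructed sample: GRE (S bit set, seq 7) + ERSPAN II (session 101) + a dummy frame.
INNER = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"constructed payload"
SAMPLE = struct.pack("!HHIII", 0x1000, GRE_PROTO_ERSPAN, 7, (1 << 28) | 101, 0) + INNER

print(accept(SAMPLE, 101) == INNER)
```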