Cisco RSPAN on 3560/3750

SPAN (Switched Port Analyzer) is also called port-mirroring. It forwards a copy of traffic from one/multiple interfaces to another interface, usually for traffic monitoring.

RSPAN is Remote SPAN, used to forward traffic to a port connected to a remote switch.

ERSPAN can be used to send mirrored traffic across layer-3 boundaries to overcome the limitations of SPAN/RSPAN, but is only supported on a limited set of hardware (Catalyst 6500, Nexus, ASR-series)

In this example we'll be mirroring traffic from an IP phone connected to an access switch, over to a server connected to an upstream switch.

Because we're using RSPAN, we need to create a remote-span VLAN. This is a special VLAN that will be used as the destination for the mirrored traffic, and must exist on all switches in between the source and destination. Traffic to the RSPAN VLAN is flooded out all trunk ports carrying the RSPAN VLAN, so take care to prune the VLAN off inter-switch links where it's not needed if you're going to be mirroring a lot of traffic.

In this example we'll start at the access switch (source switch), by creating the remote-VLAN. Make sure to use the remote-span parameter after creating the VLAN, or the switch will not mirror traffic.

AccessSwitch#conf t
AccessSwitch(config)#vlan 700
AccessSwitch(config-vlan)#name Voice-Monitor

Continue reading