Cisco RSPAN on 3560/3750

SPAN (Switched Port Analyzer) is also called port-mirroring. It forwards a copy of traffic from one/multiple interfaces to another interface, usually for traffic monitoring.

RSPAN is Remote SPAN, used to forward traffic to a port connected to a remote switch.

ERSPAN can be used to send mirrored traffic across layer-3 boundaries to overcome the limitations of SPAN/RSPAN, but is only supported on a limited set of hardware (Catalyst 6500, Nexus, ASR-series)

In this example we'll be mirroring traffic from an IP phone connected to an access switch, over to a server connected to an upstream switch.

Because we're using RSPAN, we need to create a remote-span VLAN. This is a special VLAN that will be used as the destination for the mirrored traffic, and must exist on all switches in between the source and destination. Traffic to the RSPAN VLAN is flooded out all trunk ports carrying the RSPAN VLAN, so take care to prune the VLAN off inter-switch links where it's not needed if you're going to be mirroring a lot of traffic.

In this example we'll start at the access switch (source switch), by creating the remote-VLAN. Make sure to use the remote-span parameter after creating the VLAN, or the switch will not mirror traffic.

AccessSwitch#conf t
AccessSwitch(config)#vlan 700
AccessSwitch(config-vlan)#name Voice-Monitor
AccessSwitch(config-vlan)#remote-span

In this deployment, the trunk ports have VLANs explicitly configured, so we need to add the remote-VLAN to the allowed list. If your trunk ports are passing all VLANs, this isn't necessary (though you should still verify the new VLAN is being passed correctly with commands like show int trunk and show spanning-tree.)

AccessSwitch#sh run int g0/52
!
interface GigabitEthernet0/52
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,110,200,250,260
 switchport mode trunk
!
AccessSwitch#conf t
AccessSwitch(config)#int g0/52
AccessSwitch(config-if)#switchport trunk allowed vlan add 700

Take care to include the add parameter. If add is left out, the VLAN list will be replaced instead of updated, and ONLY VLAN 700 would be allowed.

Next we configure the actual monitoring session. The IP phone we need to monitor is connected to interface GigabitEthernet0/36, and is sitting in voice VLAN 200. The phone is also connected in-line with a PC, and we don’t need to monitor the PC traffic in this instance. We can apply a filter so only the traffic from the voice VLAN is mirrored, and traffic from the PC connected to the phone is left alone.

We’re using session 1 here – the number of sessions you can configure will vary between hardware platforms.

AccessSwitch(config)#monitor session 1 source interface g0/36
AccessSwitch(config)#monitor session 1 filter vlan 200
AccessSwitch(config)#monitor session 1 destination remote vlan 700

We can define multiple source interfaces here if there were several devices on the switch we had to monitor:

(config)#monitor session 1 source interface g0/11, g0/15, g0/16

 We can also specify if we only need to mirror traffic inbound/outbound on the interface (the default option if left undefined is to capture both ingress and egress traffic):

monitor session 1 source interface g0/15, g0/16 rx

Now that we have the source switch configured for remote-VLAN and the monitor session added, we move to the upstream switch.

Creating the span VLAN and adding it to the trunk link (Gig2/0/7) are the same process as before.

CoreSwitch#conf t   
CoreSwitch (config)#vlan 700   
CoreSwitch (config-vlan)#name Voice-Monitor
CoreSwitch (config-vlan)#remote-span
CoreSwitch (config-vlan)#do show run int g1/0/1
!
interface GigabitEthernet1/0/1
 description Link AccessSwitch G0/52
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,110,200,250,260
 switchport mode trunk
!
CoreSwitch (config)#int g1/0/1
CoreSwitch (config-if)#switchport trunk allowed vlan add 700

The monitoring server for the phone system is connected to Gig2/0/7, which will become the destination when we define the monitoring session. By defining the remote-span VLAN as the source, the switch will take any traffic it received over its trunk links and deliver them to the destination interface.

CoreSwitch (config)#monitor session 1 destination interface Gi2/0/7
CoreSwitch (config)#monitor session 1 source remote vlan 700

We can verify our configuration on both switches using show commands:

CoreSwith#show monitor session ?
 <1-66>             SPAN session number
 all                 Show all SPAN sessions
 erspan-destination Show only Destination ERSPAN sessions
 erspan-source       Show only Source ERSPAN sessions
 local               Show only Local SPAN sessions
 range               Show a range of SPAN sessions in the box
 remote             Show only Remote SPAN sessions
CoreSwitch #show monitor session 1 detail
Session 1
---------
Type                   : Remote Destination Session
Description           : -
Source Ports           :
   RX Only           : None
   TX Only           : None
   Both               : None
Source VLANs           :
   RX Only           : None
   TX Only           : None
   Both               : None
Source RSPAN VLAN     : 700
Destination Ports     : Gi2/0/7
   Encapsulation     : Native
         Ingress     : Disabled
Filter VLANs           : None
Dest RSPAN VLAN       : None

 

We can also view all VLANs designated as remote-span to verify it was added correctly.

CoreSwitch#show vlan remote-span
Remote SPAN VLANs
------------------------------------------------------------------------------
700

 

This information is also displayed at the bottom of the output when viewing the VLAN database (some output truncated):

CoreSwitch#show vlan
 VLAN Name                             Status   Ports
---- -------------------------------- --------- -------------------------------
100 SERVER_VLAN                     active   Gi1/0/1, Gi1/0/2, Gi1/0/4
110 CLIENT_VLAN                     active   Gi1/0/5, Gi1/0/16
200 VOICE_VLAN                      active   Gi1/0/5
700 Voice-Monitor                   active

 VLAN Type SAID       MTU   Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
100 enet 100100     1500 -     -     -       -   -       0     0
110 enet 100110     1500 -     -     -       -   -       0     0
200 enet 100200     1500 -     -     -       -   -       0     0
700 enet 100700     1500 -     -     -       -   -       0     0
 Remote SPAN VLANs
-----------------------------------------------------------------------------
700

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>