Monitor switchports via span vs rspan vs erspan


I’ve been looking to find a good explanation regarding the three subjected features and apart from the Cisco website where you can find it all written in an extremely technical manner I’ve not been able to find much so I thought I’d make another post this weekend about SPAN cause in the end there’s really not much to it yet however it can be confusing to some besides in case you’re asked to do it in your Lab or at a Customer side , you don’t really want to go and waste time looking it up online 🙂

SPAN copies traffic from one or more CPUs, one or more ports, one or more EtherChannels, or one or more VLANs, and sends the copied traffic to one or more destinations for analysis by a network analyzer such as a SwitchProbe device or other Remote Monitoring (RMON) probe or Wireshark etc …

The port can be configured to be monitored and then the traffic that is sent or received on that port can be redirected to the port on the same switch (SPAN) or on a different switch (RSPAN) or can be directed to different switches, which provides remote monitoring of multiple switches across your network( ERSPAN) (ERSPAN uses a GRE tunnel to carry traffic between switches.)

SPAN_GNS

=============================================================================
=============================================================================
=============================================================================

SPAN

Recently you’ve been having some problems with R1 or IP Phone or the Server or any of the above devices connected to SW1 and for some reason you can’t telnet or ssh to R1 or to the Server etc  …

Wireshark_PC is your PC or a laptop of course 🙂

Let’s say something is up with the IP_PHONE and you want to capture all traffic the phone is sending to SW1 and forward a copy of it to you PC where you have your wireshark running , our Local SPAN config will look like this :

Switch1(config)# monitor session 1 source interface FastEthernet 0/15
Switch1(config)# monitor session 1 destination interface FastEthernet0/30

Or maybe there’s a problem with the phone and the printer at the same time , you can do :

Switch1(config)# monitor session 1 source interface FastEthernet 0/11 –   15 both
Switch1(config)# monitor session 1 destination interface FastEthernet0/30

But personally I would split these two into two separate SPAN sessions because otherwise it will be not so eye-friendly to differentiate the traffic unless you’re a Wireshark Guru 🙂

=============================================================================
=============================================================================
=============================================================================

RSPAN

RSPAN allows you to create a SPAN session on one switch but have the destination of the SPAN be on another switch that is on the same network. Basically you create a special VLAN intended only for transporting SPAN traffic across switches. This comes in handy when the problem you are working on is on a switch in another part of the building or campus that you are in versus where you are at. By doing this type of spanning  you need to be a little more careful than when you SPAN traffic from one port to another on the same switch. The reason is,  it is highly possible that you can saturate the trunk connection between the remote switch and one or more downstream switches that are between you and the switch where the source port resides.

Let’s say R2 this time is playing up and the problem is that R2 is located in a different building or a city to where you’re at so we need to create a VLAN on both switches SW1 and SW2 that will be use for the traffic :

vlan 999
 name RSPAN
 remote-span

switch2(config)# monitor session 1 source interface FastEthernet 0/14
switch2(config)# monitor session 1 destination remote vlan 999

switch1(config)# monitor session 8 source remote vlan 999
switch1(config)# monitor session 8 destination interface FastEthernet0/30

As you can see we’re sending traffic to the remote vlan on SW2 this time and not to the PC because our PC is still connected to SW1 – simple stuff but can get confusing ! 🙂

Remember to allow the Remote SPAN VLAN you’ve created on the trunk link between the switches then once you’re done with capturing you can remove it.

=============================================================================
=============================================================================
=============================================================================

ERSPAN

ERSPAN is RSPAN with much bigger muscles !  You only a few platforms that support this. I believe only 6509 chassis’s running a SUP720 switch fabric can handle it .ERSPAN uses a GRE
tunnel to carry traffic between switches.

I will cover this one when I start posting stuff about Nexus switches , 6500 series and Data Centre environment !

=============================================================================
=============================================================================
=============================================================================

Below you will find a table what platform supports which SPAN

span

Enjoy !

Tom

 

Advertisements

About ccie4all
Hello, and welcome to the first post of my CCIE blog This blog has got one simple goal and that is to improve our skills in Cisco Networking field so we can become best engineers on a job market. Wordpress Blog https://ccie4all.wordpress.com/ information about the changes made to Gns3 BGP , MPLS and R&S CCIE labs. In order to access and download all provided materials and receive important updates from Gns3 BGP , MPLS and R&S CCIE labs under GNS3 tab in the main header please go ahead and subscribe to https://ccie4all.wordpress.com/ ! All other posts have not been affected and can be accessed at any given time. Enjoy ! Tom

3 Responses to Monitor switchports via span vs rspan vs erspan

  1. Another great post Tom!

    Not your doing of course but I have never understood why Cisco do not support all of the features that could be supported on each switch, the approach to functionality seems very disjointed, for example why not support erspan on every L3 switch, why only some switches support RSPAN?

    Was playing with some ME3600X Metro Switches this week and trying to get span/rspan/erspan to work after reading somewhere that 15.3.x support was out there for erspan, but whilst the commands are available on the IOS they simply don’t work and nor does the documented support for local span – which I think is a poor showing for Cisco.

    Too much fragmentation a great platform does not make!

    Anyway enough of my ranting about Cisco – you keep up the great work!!!

    • ccie4all says:

      Hello Ciscomoto!

      I totally agree , especially with features like ERSPAN where the only difference from the other two is that is dedicated for routable traffic which spans over WAN where source and destination sessions live on different switches across networks , it also makes me wonder why Cisco can not get their programmers and IOS developers to do some magic and make it work on other common use platforms software?

      I guess there’s only one logical explanation, it’s all about the money and marketing, make companies to spend more money and force them to do upgrades every couple of years, and make us network chaps learn about everything and more!

      All we can do is accept it, learn it and become the best possible network engineers so we can literally save and protect businesses and enjoy the pay !

      Thanks so much mate, as soon as I find something that’s worth attention , there will be another post!

      Cheers
      Tom

  2. Pingback: Monitor switchports via span vs rspan vs erspan | staniislaus

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: