Monitor switchports via SPAN vs RSPAN vs ERSPAN


I’ve been looking for a good explanation of the three features in the title, and apart from the Cisco website, where it is all written in an extremely technical manner, I’ve not been able to find much. So I thought I’d make another post this weekend about SPAN, because in the end there’s really not much to it, yet it can be confusing to some. Besides, in case you’re asked to do it in your lab or at a customer site, you don’t really want to waste time looking it up online 🙂

SPAN copies traffic from one or more CPUs, one or more ports, one or more EtherChannels, or one or more VLANs, and sends the copied traffic to one or more destinations for analysis by a network analyzer such as a SwitchProbe device, another Remote Monitoring (RMON) probe, or Wireshark.

A port can be configured to be monitored, and a copy of the traffic sent or received on that port can then be sent to a port on the same switch (SPAN), to a port on a different switch (RSPAN), or to different switches, which provides remote monitoring of multiple switches across your network (ERSPAN). ERSPAN uses a GRE tunnel to carry the traffic between switches.

[Figure: SPAN_GNS]

=============================================================================
=============================================================================
=============================================================================

SPAN

Recently you’ve been having some problems with R1, the IP phone, the server or any of the other devices connected to SW1, and for some reason you can’t telnet or SSH to R1 or to the server, etc.

Wireshark_PC is your PC or a laptop of course 🙂

Let’s say something is up with the IP_PHONE and you want to capture all the traffic the phone is sending to SW1 and forward a copy of it to your PC, where you have Wireshark running. Our local SPAN config will look like this:

Switch1(config)# monitor session 1 source interface FastEthernet 0/15
Switch1(config)# monitor session 1 destination interface FastEthernet0/30

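Or maybe there’s a problem with the phone and the printer at the same time. You can do the following (the hyphen selects the whole port range Fa0/11 to Fa0/15, and both means received and transmitted traffic):

Switch1(config)# monitor session 1 source interface FastEthernet 0/11 - 15 both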
Switch1(config)# monitor session 1 destination interface FastEthernet0/30

But personally I would split these two into two separate SPAN sessions, because otherwise it will not be so eye-friendly to differentiate the traffic unless you’re a Wireshark guru 🙂

=============================================================================
=============================================================================
=============================================================================

RSPAN

RSPAN allows you to create a SPAN session on one switch but have the destination of the SPAN be on another switch on the same network. Basically, you create a special VLAN intended only for transporting SPAN traffic across switches. This comes in handy when the problem you are working on is on a switch in another part of the building or campus from where you are. With this type of spanning you need to be a little more careful than when you SPAN traffic from one port to another on the same switch. The reason is that it is highly possible to saturate the trunk connection between the remote switch and one or more downstream switches that sit between you and the switch where the source port resides.

Let’s say R2 is playing up this time, and the problem is that R2 is located in a different building or city from where you are, so we need to create a VLAN on both switches, SW1 and SW2, that will be used for the traffic:

vlan 999
 name RSPAN
 remote-span

switch2(config)# monitor session 1 source interface FastEthernet 0/14
switch2(config)# monitor session 1 destination remote vlan 999

switch1(config)# monitor session 8 source remote vlan 999
switch1(config)# monitor session 8 destination interface FastEthernet0/30

As you can see, this time we’re sending traffic to the remote VLAN on SW2 and not to the PC, because our PC is still connected to SW1. Simple stuff, but it can get confusing! 🙂

Remember to allow the remote SPAN VLAN you’ve created on the trunk link between the switches; once you’re done capturing, you can remove it.
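As an added example (not from the original post): a small Python check that reads a switch's running-config text and reports the two RSPAN mistakes mentioned above, a session using a VLAN that was not created with remote-span, or one that is not allowed on any trunk. The sample config and the trunk interface GigabitEthernet0/1 are constructed for illustration.

```python
import re

def vlan_set(spec):
    """Expand an IOS VLAN list such as '1,10-12,999' into a set of ints."""
    out = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit_rspan(config):
    """Return RSPAN problems found in one switch's running-config text."""
    remote_span, used, trunks = set(), {}, {}
    vlan = intf = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():            # top-level line ends any sub-mode
            vlan = intf = None
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan = int(m[1])
        elif m := re.fullmatch(r"interface (\S+)", line):
            intf = m[1]
        elif line == "remote-span" and vlan is not None:
            remote_span.add(vlan)
        elif line == "switchport mode trunk" and intf:
            trunks.setdefault(intf, None)    # None: no allowed list, carries all VLANs
        elif intf and (m := re.fullmatch(r"switchport trunk allowed vlan (?:add )?([\d,\- ]+)", line)):
            trunks[intf] = (trunks.get(intf) or set()) | vlan_set(m[1])
        elif m := re.fullmatch(r"monitor session (\d+) (?:source|destination) remote vlan (\d+)", line):
            used[int(m[1])] = int(m[2])      # session number -> RSPAN VLAN it uses
    problems = []
    for num, v in sorted(used.items()):
        if v not in remote_span:
            problems.append(f"session {num}: VLAN {v} lacks remote-span")
        if not any(a is None or v in a for a in trunks.values()):
            problems.append(f"session {num}: VLAN {v} not allowed on any trunk")
    return problems

# Constructed running-config excerpt for SW2; the trunk forgets VLAN 999.
SW2 = """vlan 999
 name RSPAN
 remote-span
interface GigabitEthernet0/1
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
monitor session 1 source interface Fa0/14
monitor session 1 destination remote vlan 999
"""
print(audit_rspan(SW2))
```

Run it against the config of both the source and the destination switch, since the RSPAN VLAN has to exist on each of them.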

=============================================================================
=============================================================================
=============================================================================

ERSPAN

ERSPAN is RSPAN with much bigger muscles! Only a few platforms support this. I believe only 6509 chassis running a SUP720 switch fabric can handle it. ERSPAN uses a GRE tunnel to carry traffic between switches.

I will cover this one when I start posting stuff about Nexus switches, the 6500 series and the Data Centre environment!

=============================================================================
=============================================================================
=============================================================================

Below you will find a table showing which platform supports which SPAN type.

[Table image: span]

Enjoy !

Tom