How to configure SPAN and RSPAN in Cisco Catalyst switches
Switched Port Analyzer (SPAN) sends a copy of the traffic passing through one or more ports to another port on the switch. SPAN mirrors received or transmitted (or both) traffic on one or more source ports to a destination port for analysis. While SPAN mirrors ports within the same switch, RSPAN (Remote SPAN) mirrors ports on one switch to a port on a different switch.
This post describes how to configure SPAN and RSPAN on Cisco Catalyst switches. In this example I use a Cisco 2970.
1. SPAN
See the figure below. You would like to monitor the incoming traffic on port Gi0/1 using Wireshark on a laptop connected to port Gi0/2.
Here is the config you should have on the switch:
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#monitor session 1 source interface Gi0/1 rx
Switch(config)#monitor session 1 destination interface Gi0/2
Switch(config)#end
Incoming traffic passing through port Gi0/1 will be mirrored to port Gi0/2 and captured by Wireshark on the laptop connected to port Gi0/2.
2. RSPAN (Remote SPAN)
See the image below for a sample topology. You would like to monitor traffic on port Gi0/1 on Switch1 using a laptop connected to port Gi0/2 on Switch2. Both switches must support RSPAN for this to work properly.
Create a VLAN that will be used as the RSPAN VLAN on both switches. In this example we use VLAN ID 30 as the RSPAN VLAN. Then allow the RSPAN VLAN on the trunk port between Switch1 and Switch2.
Here is the config you should have:
Switch1 (Source switch)
Switch1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)#vlan 30
Switch1(config-vlan)#name RSPAN-Vlan
Switch1(config-vlan)#remote-span
Switch1(config-vlan)#exit
Switch1(config)#monitor session 1 source interface Gi0/1 rx
Switch1(config)#monitor session 1 destination remote vlan 30
Switch1(config)#end
Allow VLAN ID 30 on the trunk port Gi0/2:
Switch1#sh run int g0/2
Building configuration...
Current configuration : 175 bytes
!
interface GigabitEthernet0/2
 description To-Switch2-port-Gi0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
end
Switch2 (Destination switch)
Switch2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch2(config)#vlan 30
Switch2(config-vlan)#name RSPAN-Vlan
Switch2(config-vlan)#remote-span
Switch2(config-vlan)#exit
Switch2(config)#monitor session 1 destination interface Gi0/2
Switch2(config)#monitor session 1 source remote vlan 30
Switch2(config)#end
Allow VLAN ID 30 on the trunk port Gi0/1:
Switch2#sh run int g0/1
Building configuration...
Current configuration : 175 bytes
!
interface GigabitEthernet0/1
 description To-Switch1-port-Gi0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
end
With the config above, incoming traffic passing through port Gi0/1 on Switch1 will be mirrored to port Gi0/2 on Switch2 and captured by a traffic analyzer on the laptop connected to port Gi0/2.
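A consistency check for the RSPAN configuration above, as an added example that is not part of the original post: it parses saved configuration text and reports any RSPAN VLAN referenced by a monitor session that lacks remote-span or is missing from every trunk allowed list. The function names and the sample text (assembled from the Switch1 listings above) are assumptions, and the check assumes trunks carry explicit allowed-VLAN lists as in the post.

```python
import re

# Constructed sample: the Switch1 settings from the post, as saved config text.
SWITCH1_CONFIG = """\
vlan 30
 name RSPAN-Vlan
 remote-span
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
monitor session 1 source interface Gi0/1 rx
monitor session 1 destination remote vlan 30
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20-22,30' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_rspan(config):
    """Return a list of problems with RSPAN VLANs used by monitor sessions."""
    remote_span, used, trunks, section = set(), {}, {}, ""
    for line in config.splitlines():
        text = line.strip()
        if line and not line[0].isspace():   # unindented line starts a new section
            section = text
        vlan_hdr = re.fullmatch(r"vlan (\d+)", section)
        if text == "remote-span" and vlan_hdr:
            remote_span.add(int(vlan_hdr.group(1)))
        m = re.fullmatch(r"switchport trunk allowed vlan (?:add )?([\d,-]+)", text)
        if m and section.startswith("interface "):
            trunks.setdefault(section, set()).update(expand_vlans(m.group(1)))
        m = re.fullmatch(r"monitor session (\d+) (?:source|destination) remote vlan (\d+)", text)
        if m:
            used[int(m.group(2))] = int(m.group(1))  # RSPAN VLAN -> session number
    problems = []
    for vlan, session in sorted(used.items()):
        if vlan not in remote_span:
            problems.append(f"session {session}: VLAN {vlan} is not configured with remote-span")
        if not any(vlan in allowed for allowed in trunks.values()):
            problems.append(f"session {session}: VLAN {vlan} is not in any trunk allowed list")
    return problems
```

Run it against the saved configuration of both the source and the destination switch, since each side needs the remote-span VLAN and the trunk allowance.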