Cisco IOS SPAN and RSPAN

Hello,
I have two 3750 trunked with gi ethernchannel.
VTP enabled. SW1 is VTP client and is a source for RSPAN. VLAN 20 is only enabled.

SW2 is the destination for RSPAN source traffic, it is the VTP Server.

I tried VLAN 20 and got expected message: %VTP VLAN configuration not allowed when device is in CLIENT mode.
That prevents me to execute the next command remote span under for VLAN 20 on VTP client. Please add more content to your RSPAN example explaining how to enable RSPAN on VTP client.

Hi @alcornet,

Have you created your RSPAN VLAN(s) on a VTP server? You can apply the “remote-span” parameter as normal that way.
Also do be careful to check VTP pruning; it can remove RSPAN VLANs!

I have placed some example configuration below that I hope is useful.

Kind regards,
Jon

CiscoCat2970#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CiscoCat2970(config)#vtp ver 2      
VTP mode already in V2.
CiscoCat2970(config)#vtp mode server
Device mode already VTP SERVER.
CiscoCat2970(config)#vlan 20
CiscoCat2970(config-vlan)#remote-span
CiscoCat2970(config-vlan)#exit
CiscoCat2970(config)#exit
CiscoCat2970#show vlan id 20

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
20   VLAN0020                         active    

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
20   enet  100020     1500  -      -      -        -    -        0      0   

Remote SPAN VLAN
----------------
Enabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

CiscoCat2970#

Hi Rene
The example you used , is for a layer2 network. I mean you have not used any IP addresses etc.
what if we have a layer-3 network? For example we have a core router , aggregating lot of access switches and running eigrp routing. if we need to enable port analyzer still need to create vlan ?

Thanks
Abhishek

Hi Abhishek,

SPAN and RSPAN are used to capture on L2 so anything on the upper layers, is also captured. You can use this on an interface that connects to a router to capture whatever you need.

It’s also possible to capture traffic on a router btw:

Hello Rene,
I need some help and I am going to use the below topology as the reference.

image

In this switch I have two VLANs(VLAN 10 and VLAN 20). G1/1 is an access port assigned to VLAN 10 and G2/2 is also an access port assigned to VLAN 20. Now I want to connect two packet sniffing devices on port G3/3 and port G4/4 and they will use IP addresses from VLAN 10.

This will be the configuration:
========================

monitor session 1 source vlan 10 ,  20
monitor session 1 destination interface G3/3
monitor session 1 destination interface G4/4

But the question is How should I configure those two ports(G3/3 and G4/4) that are going to be connected to sniffing devices?

Can I configure them regular access port and assign them to VLAN 10?

interface GigabitEthernet3/3
 switchport access vlan 10
 switchport mode access

interface GigabitEthernet4/4
 switchport access vlan 20
 switchport mode access

Thanks in advance.

Best Regards,
Azm

Hello AZM

First of all, it doesn’t really matter what IP addresses you configure on the packet sniffers. These devices will not be able to communicate with the network as their sole purpose is to sniff or detect any and all packets that are sent from the destination ports.

Secondly, the destination ports have all ingress traffic disabled, so even if they were configured with additional parameters, these are all overridden.

Essentially, no additional parameters are necessary on the destination ports.

You can find additional comprehensive information about the destination ports in a SPAN configuration at this Cisco documentation.

I hope this has been helpful!

Laz

Hello Laz,
Thank you as usual. Here is another question and the below diagram will be used as a reference.

image

  1. What would be the configuration for SW-1?

Azm

Hello AZM

This is a very good question. Essentially, what you want to do with the above topology is to have the destination port receive monitoring information from both SPAN and RSPAN source ports.

According to Cisco:

The switch does not support a combination of local SPAN and RSPAN in a single session. That is,
an RSPAN source session cannot have a local destination port, an RSPAN destination session cannot
have a local source port, and an RSPAN destination session and an RSPAN source session that are
using the same RSPAN VLAN cannot run on the same switch.

So you will need to have two separate destination ports, one for the locally monitored source ports and one for the remotely monitored source ports.

The above text was taken from this Cisco documentation, page 23-4.

I hope this has been helpful!

Laz

You the man Laz…

1 Like

Always happy to help AZM!!

Laz

In your example - “Switch(config)#monitor session 1 destination interface fa0/2” I did that on my switch. I could not locate fa0/2 in show vlan or show int trunk. a show int fa0/2 switchport show operation mode : down a show int fa0/2 showed line protocol is down (monitoring). Does configuring fa0/2 as a destination in SPAN create all this?

Hello Jason

When a port is configured as a destination port for SPAN/RSPAN, it no longer functions as a regular switchport. Indeed, it no longer shows up in the show VLAN or show interface trunk commands because it is neither an access or trunk port. The operation mode is down because the only other options are trunk or access, and it is none of those. The line protocol (Ethernet) is also down because it is not functioning as an Ethernet port. It is in a specialised state where it just sends copies of frames from the appropriate sources.

So to answer your question, yes, all of this is due to the configuration of the port as a monitoring port.

I hope this has been helpful!

Laz

Hi

Sorry if this is in the wrong place it is my first post since becoming a member, also sorry if it is not allowed.

I am currently testing some security concerns for VPNs, I am wanting to view traffic going through the routers using Wireshark, In my current placement of this machine all I can see is EIGRP notifications for adjacencies and none of the traffic I am generating via ostinato to check if my packets are encrypted.Screenshot_1

Can I get some recommendations of where I should put this packet sniffing machine running Wireshark?

Hello Thomas

No problem about your post, if there’s a better location to place the post, then we’ll move it to the appropriate thread. Congratulations on your first post!

As for your question, in order to get meaningful information on a wireshark capture device, you’ll have to configure SPAN or RSPAN on the switch on which you are connecting. You can read more about these in the lesson of this thread, however, suffice it to say that SPAN and RSPAN allow you to copy traffic (frames and packets) of particular ports or VLANs to a monitoring port (simply a switchport with a specialized configuration) so that the wireshark software can collect and store the data. Concerning the physical placement of wireshark, it’s a good idea to connect it to the switch that is directly connected to the device that you want to monitor. For example, if you want to monitor traffic going through R3, then the placement of the wireshark device is good, but you’ll have to configure SPAN.

If you want to capture all traffic that is traversing the link between Ethernetswitch-3 and R3 for example, then you will have to configure SPAN on Ethernetswitch-3 to copy all incoming and outgoing data on the E1 port to the E2 port.

Review the lesson of this thread for further details, and if you have any more questions, you know where to find us!

I hope this has been helpful!

Laz

Hi Rene,

If you using Wireshark to capturing traffic on destination port , So which case using allow ingress traffic from destination port ?

And other question : Can RSPAN with different vendors , ect : I have two switch , one is Cisco, one is DELL or HP.

Hello Nguyen

If you have a SPAN configuration where you are capturing packets from several source ports and sending them to the destination port, and you have a computer running wireshark that is connected to that destination port, then that computer won’t have network access. It can only capture packets. By issuing the command that Rene mentioned, you can cause that port to also send and receive normal data from the computer so it can be used as any other connection device while still capturing packets from the monitored source ports. You would do this in the event that you require network access on that device while capturing packets at the same time.

As for interoperability, I know of situations where RSPAN was implemented between a Cisco switch and a Hewlett Packard Procurve switch, but it may be that not all vendors are compatible. You should check on some examples that others may have shared online, but unless you try it out yourself to find out, there’s no guarantee that it will work.

I hope this has been helpful!

Laz

1 Like

Thank Laz !!!

1 Like

Does this also work on routers? I am about to try…

Hello Martha

Cisco IOS routers don’t typically support SPAN, although the Cisco CRS router does, which is a special case. This makes sense because if you have a routed port, and you plug in a monitoring workstation there, there will be no traffic on the port itself, since it’s no longer connected to the network.

There are a couple of things that you can do to capture packets that traverse a router port. Typically, a router’s port will be connected to a switch, so you can configure that switch port as a source for a SPAN session on the switch itself. Another option is to use Netflow which provides detailed flow based statistics rather then replicating traffic to a port for monitoring. You can get more meaningful information in this way.

I hope this has been helpful!

Laz

Thank you so much! Absolutely. Your input is helpful.

1 Like