Cisco IOS SPAN and RSPAN

lagapides · December 13, 2016, 12:48pm

Hello Edi

Yes, a SPAN destination port can be configured as trunks or access ports. Keep in mind that by using one or the other, there will be no difference in what is outputted.

Having said that, however, if your source port is a trunk, frames on that trunk will be tagged with the appropriate VLAN ID. Frames that will be outputted from the SPAN destination port will NOT have these tags UNLESS it is configured as a trunk port AND the encapsulation dot1q is enabled.

For example, if you create a SPAN monitor session 1, and you view this session with the commands below, you can see the encapsulation on the destination port is set to Native.

Switch#show monitor session 1
Session 1
&#45;&#45;&#45;&#45;&#45;----
Type                   : Local Session
Source Ports           : 
    Both               : Fa0/24
Destination Ports      : Fa0/1
    Encapsulation      : Native
          Ingress      : Disabled
 
 Switch#

If the destination port Fa0/1 is configured to be a trunk AND is configured with dot1q encapsulation, then the tags will be included.

I hope this has been helpful!

Laz

shantel · December 26, 2016, 10:46pm

19 posts were merged into an existing topic: Cisco IOS SPAN and RSPAN

alcornet · April 13, 2017, 11:04am

Hello,
I have two 3750 trunked with gi ethernchannel.
VTP enabled. SW1 is VTP client and is a source for RSPAN. VLAN 20 is only enabled.

SW2 is the destination for RSPAN source traffic, it is the VTP Server.

I tried VLAN 20 and got expected message: %VTP VLAN configuration not allowed when device is in CLIENT mode.
That prevents me to execute the next command remote span under for VLAN 20 on VTP client. Please add more content to your RSPAN example explaining how to enable RSPAN on VTP client.

Jon · April 18, 2017, 11:24am

Hi @alcornet,

Have you created your RSPAN VLAN(s) on a VTP server? You can apply the “remote-span” parameter as normal that way.
Also do be careful to check VTP pruning; it can remove RSPAN VLANs!

I have placed some example configuration below that I hope is useful.

Kind regards,
Jon

CiscoCat2970#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CiscoCat2970(config)#vtp ver 2      
VTP mode already in V2.
CiscoCat2970(config)#vtp mode server
Device mode already VTP SERVER.
CiscoCat2970(config)#vlan 20
CiscoCat2970(config-vlan)#remote-span
CiscoCat2970(config-vlan)#exit
CiscoCat2970(config)#exit
CiscoCat2970#show vlan id 20

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
20   VLAN0020                         active    

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
20   enet  100020     1500  -      -      -        -    -        0      0   

Remote SPAN VLAN
----------------
Enabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

CiscoCat2970#

adave1103 · January 2, 2018, 12:47pm

Hi Rene
The example you used , is for a layer2 network. I mean you have not used any IP addresses etc.
what if we have a layer-3 network? For example we have a core router , aggregating lot of access switches and running eigrp routing. if we need to enable port analyzer still need to create vlan ?

Thanks
Abhishek

ReneMolenaar · January 2, 2018, 12:49pm

Hi Abhishek,

SPAN and RSPAN are used to capture on L2 so anything on the upper layers, is also captured. You can use this on an interface that connects to a router to capture whatever you need.

It’s also possible to capture traffic on a router btw:

azmuddincisco · March 3, 2018, 2:19pm

Hello Rene,
I need some help and I am going to use the below topology as the reference.

In this switch I have two VLANs(VLAN 10 and VLAN 20). G1/1 is an access port assigned to VLAN 10 and G2/2 is also an access port assigned to VLAN 20. Now I want to connect two packet sniffing devices on port G3/3 and port G4/4 and they will use IP addresses from VLAN 10.

This will be the configuration:
========================

monitor session 1 source vlan 10 ,  20
monitor session 1 destination interface G3/3
monitor session 1 destination interface G4/4

But the question is How should I configure those two ports(G3/3 and G4/4) that are going to be connected to sniffing devices?

Can I configure them regular access port and assign them to VLAN 10?

interface GigabitEthernet3/3
 switchport access vlan 10
 switchport mode access

interface GigabitEthernet4/4
 switchport access vlan 20
 switchport mode access

Thanks in advance.

Best Regards,
Azm

lagapides · March 5, 2018, 4:12pm

Hello AZM

First of all, it doesn’t really matter what IP addresses you configure on the packet sniffers. These devices will not be able to communicate with the network as their sole purpose is to sniff or detect any and all packets that are sent from the destination ports.

Secondly, the destination ports have all ingress traffic disabled, so even if they were configured with additional parameters, these are all overridden.

Essentially, no additional parameters are necessary on the destination ports.

You can find additional comprehensive information about the destination ports in a SPAN configuration at this Cisco documentation.

I hope this has been helpful!

Laz

azmuddincisco · March 5, 2018, 6:20pm

Hello Laz,
Thank you as usual. Here is another question and the below diagram will be used as a reference.

What would be the configuration for SW-1?

Azm

lagapides · March 9, 2018, 7:26am

Hello AZM

This is a very good question. Essentially, what you want to do with the above topology is to have the destination port receive monitoring information from both SPAN and RSPAN source ports.

According to Cisco:

The switch does not support a combination of local SPAN and RSPAN in a single session. That is,
an RSPAN source session cannot have a local destination port, an RSPAN destination session cannot
have a local source port, and an RSPAN destination session and an RSPAN source session that are
using the same RSPAN VLAN cannot run on the same switch.

So you will need to have two separate destination ports, one for the locally monitored source ports and one for the remotely monitored source ports.

The above text was taken from this Cisco documentation, page 23-4.

I hope this has been helpful!

Laz

azmuddincisco · March 9, 2018, 5:30pm

You the man Laz…

lagapides · March 12, 2018, 9:07am

Always happy to help AZM!!

Laz

jmwalker24 · January 9, 2019, 5:44pm

In your example - “Switch(config)#monitor session 1 destination interface fa0/2” I did that on my switch. I could not locate fa0/2 in show vlan or show int trunk. a show int fa0/2 switchport show operation mode : down a show int fa0/2 showed line protocol is down (monitoring). Does configuring fa0/2 as a destination in SPAN create all this?

lagapides · January 10, 2019, 11:55am

Hello Jason

When a port is configured as a destination port for SPAN/RSPAN, it no longer functions as a regular switchport. Indeed, it no longer shows up in the show VLAN or show interface trunk commands because it is neither an access or trunk port. The operation mode is down because the only other options are trunk or access, and it is none of those. The line protocol (Ethernet) is also down because it is not functioning as an Ethernet port. It is in a specialised state where it just sends copies of frames from the appropriate sources.

So to answer your question, yes, all of this is due to the configuration of the port as a monitoring port.

I hope this has been helpful!

Laz

thomas2.ryan · April 1, 2019, 6:03am

Hi

Sorry if this is in the wrong place it is my first post since becoming a member, also sorry if it is not allowed.

I am currently testing some security concerns for VPNs, I am wanting to view traffic going through the routers using Wireshark, In my current placement of this machine all I can see is EIGRP notifications for adjacencies and none of the traffic I am generating via ostinato to check if my packets are encrypted. Screenshot_1

Can I get some recommendations of where I should put this packet sniffing machine running Wireshark?

lagapides · April 1, 2019, 6:10am

Hello Thomas

No problem about your post, if there’s a better location to place the post, then we’ll move it to the appropriate thread. Congratulations on your first post!

As for your question, in order to get meaningful information on a wireshark capture device, you’ll have to configure SPAN or RSPAN on the switch on which you are connecting. You can read more about these in the lesson of this thread, however, suffice it to say that SPAN and RSPAN allow you to copy traffic (frames and packets) of particular ports or VLANs to a monitoring port (simply a switchport with a specialized configuration) so that the wireshark software can collect and store the data. Concerning the physical placement of wireshark, it’s a good idea to connect it to the switch that is directly connected to the device that you want to monitor. For example, if you want to monitor traffic going through R3, then the placement of the wireshark device is good, but you’ll have to configure SPAN.

If you want to capture all traffic that is traversing the link between Ethernetswitch-3 and R3 for example, then you will have to configure SPAN on Ethernetswitch-3 to copy all incoming and outgoing data on the E1 port to the E2 port.

Review the lesson of this thread for further details, and if you have any more questions, you know where to find us!

I hope this has been helpful!

Laz

xmanvu · June 19, 2019, 6:57am

Hi Rene,

If you using Wireshark to capturing traffic on destination port , So which case using allow ingress traffic from destination port ?

And other question : Can RSPAN with different vendors , ect : I have two switch , one is Cisco, one is DELL or HP.

lagapides · June 20, 2019, 5:51am

Hello Nguyen

If you have a SPAN configuration where you are capturing packets from several source ports and sending them to the destination port, and you have a computer running wireshark that is connected to that destination port, then that computer won’t have network access. It can only capture packets. By issuing the command that Rene mentioned, you can cause that port to also send and receive normal data from the computer so it can be used as any other connection device while still capturing packets from the monitored source ports. You would do this in the event that you require network access on that device while capturing packets at the same time.

As for interoperability, I know of situations where RSPAN was implemented between a Cisco switch and a Hewlett Packard Procurve switch, but it may be that not all vendors are compatible. You should check on some examples that others may have shared online, but unless you try it out yourself to find out, there’s no guarantee that it will work.

I hope this has been helpful!

Laz

xmanvu · June 20, 2019, 7:25am

Thank Laz !!!

gaby.ochoa · June 28, 2019, 3:04am

Does this also work on routers? I am about to try…