Ok, I´ve already configure SPAN (local switch only) and knew about RSPAN, but never did it before! Hmmm ok! Not that difficult, a quick look at the DocCD will be more than enough to figure that out, BUT, there are some tricks you might be aware about!
In order to configure RSPAN we´ll need to have an RSPAN VLAN, those VLANs have special properties and CAN´T be assigned to any access ports! Never!
Also, we can use an Access-List (if desired) to filter the output to monitor, those access-lists should be specified in the RSPAN VLAN in the RSPAN source switch.
You can configure any VLAN as an RSPAN VLAN as long as these conditions are met:
- The same RSPAN VLAN is used for an RSPAN session in all the switches.
- All participating switches support RSPAN.
Ok, so, let´s check a quick example on how to create the RSPAN VLAN:
|vlan 250 |
In the above example VLAN 250 was configured as RSPAN VLAN, remember, to use VLAN IDs that are lower than 1005!
Now, configure the RSPAN Source Session:
monitor session 1 source interface fastethernet0/1 tx
Now the ports FastEthernet0/1 and FastEthernet0/2 are configured to be monitored and the destination is set to the RSPAN VLAN 250.
Finally, we need to create the RSPAN Destination Session:
monitor session 1 source remote vlan 250
That will send ALL traffic from RSPAN VLAN 250 to the fastethernet0/7, where we can plug our sniffer, traffic analyzer, or anything that we may need/want.
Seens pretty simple, right?! In fact it is! Really! BUT, just keep those few things in mind:
- The RSPAN VLAN should be allowed in ALL trunks between the involved switches (Source and Destination switches in this case);
- If you have enabled "pruning" in your network, remove the RSPAN VLAN from the pruning, with the command: switchport trunk pruning vlan remove <RSPAN VLAN ID> under the interface configure as trunk;
And that´s pretty much it! You can check if the RSPAN VLAN is allowed/pruned on the trunk with the command: show interface trunk
If you need more information regarding SPAN/RSPAN, just follow this link at Cisco´s Website: