Thursday, July 17, 2008

Remote Switched Port Analyzer (RSPAN)

This week I had a task in the IPExpert Workbook Vol 1 to use RSPAN. It can be used to monitor source Ports, VLANs and destination ports on different switches in your network.

Ok, I´ve already configure SPAN (local switch only) and knew about RSPAN, but never did it before! Hmmm ok! Not that difficult, a quick look at the DocCD will be more than enough to figure that out, BUT, there are some tricks you might be aware about!

In order to configure RSPAN we´ll need to have an RSPAN VLAN, those VLANs have special properties and CAN´T be assigned to any access ports! Never!

Also, we can use an Access-List (if desired) to filter the output to monitor, those access-lists should be specified in the RSPAN VLAN in the RSPAN source switch.

You can configure any VLAN as an RSPAN VLAN as long as these conditions are met:

  1. The same RSPAN VLAN is used for an RSPAN session in all the switches.
  2. All participating switches support RSPAN.

Ok, so, let´s check a quick example on how to create the RSPAN VLAN:

vlan 250
remote span
end

In the above example VLAN 250 was configured as RSPAN VLAN, remember, to use VLAN IDs that are lower than 1005!

Now, configure the RSPAN Source Session:

Source Switch:

monitor session 1 source interface fastethernet0/1 tx
monitor session 1 source interface fastethernet0/2 rx
monitor session 1 destination remote vlan 250
end

Now the ports FastEthernet0/1 and FastEthernet0/2 are configured to be monitored and the destination is set to the RSPAN VLAN 250.

Finally, we need to create the RSPAN Destination Session:

Destination Switch:

monitor session 1 source remote vlan 250
monitor session 1 destination interface fastethernet0/7
end

That will send ALL traffic from RSPAN VLAN 250 to the fastethernet0/7, where we can plug our sniffer, traffic analyzer, or anything that we may need/want.

Seens pretty simple, right?! In fact it is! Really! BUT, just keep those few things in mind:

  1. The RSPAN VLAN should be allowed in ALL trunks between the involved switches (Source and Destination switches in this case);
  2. If you have enabled "pruning" in your network, remove the RSPAN VLAN from the pruning, with the command: switchport trunk pruning vlan remove <RSPAN VLAN ID> under the interface configure as trunk;

And that´s pretty much it! You can check if the RSPAN VLAN is allowed/pruned on the trunk with the command: show interface trunk

If you need more information regarding SPAN/RSPAN, just follow this link at Cisco´s Website:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swspan.html#wp1036686

3 comments:

Anonymous said...

very helpful post. well explained mate! A+

Jeffrey said...

This was exactly what I needed. Thank you!

Anonymous said...

Thany you! , this what i am looking for.