Using SPAN/RSPAN to monitor traffic flow

jinxer · January 14, 2015, 06:41:29 AM

Sometimes its nessesary to be able to see whats happening on the wire. One way to do that is to configure a SPAN or RSPAN session.

I will describe how you can configure a RSPAN session, which is remote SPAN.. Meaning you can monitor a port on one switch and listen to that monitor on a remote switch by sending the monitor session on a VLAN which you configure as a remote-span VLAN.

First off, configure your RSPAN VLAN:

sw1# conf t
sw1# vlan 999
sw1# name RSPAN-VLAN
sw1# remote-span
sw1# exit

Add that VLAN on your remote switch as well and allow that VLAN on your trunk links by adding:

# switchport trunk allowed vlan add 999

Thats assuming you restrict what VLAN's traverse your trunk links.

The next thing to do is to go to the switch on which you want to monitor a port and configure that monitor session:

sw1# conf t
sw1# monitor session 1 source interface GigabitEthernet 0/1

This will start a monitor session on Gigabit interface 0/1 on your switch. The next thing is to send that monitor to your RSPAN VLAN so you can monitor the traffic on your remote switch.

sw1# monitor session 1 destination remote vlan 999

Thats it on the source switch you monitor from, now its time to jump on your destination switch and grab that monitor session:

sw2# conf t
sw2# monitor session 1 source remote vlan 999
sw2# monitor session 1 destination interface GigabitEthernet 0/2

Thats it... The network traffic from switch 1's Gi0/1 will be sent over the wire to switch 2's Gi0/2 interface where you can plug in your network monitor/sniffer to see whats going on.

deanwebb · January 14, 2015, 08:45:16 AM

Just a quick note: guides start in a topic area. When they're cleaned up and ready to stand on their own, we'll move them to the guides section.

This is a good start... can you go into detail about examples of why you would want to look at that traffic from a SPAN port instead of just running Wireshark on a host's own port? What's the difference between spanning a VLAN and spanning a port? When is it good to span a VLAN? Will the device plugged into the SPAN port be able to use the network normally?

Seittit · January 14, 2015, 09:19:18 AM

quick note #2:

Catalyst switches support only two (2) span sessions. This also applies to the big boy Nexus switches.

If you're looking to tap more, you'll need many thousands of dollars to purchase an appliance like Gigamon.

quite note #3:

there are no SPAN sessions on IOS routers, use this link instead: https://supportforums.cisco.com/document/29616/utilizing-new-packet-capture-feature

icecream-guy · January 14, 2015, 11:00:21 AM

might want to put a bit about VACL captures in there also.

Fred · January 15, 2015, 08:11:55 PM

ERSPAN on the nexus is worth investigating, too. It allows you to tunnel the span traffic over GRE to a target host.

If anybody finds a way to strip the GRE headers, I'd like to hear about it.

javentre · January 15, 2015, 08:24:18 PM

Quote from: Fred on January 15, 2015, 08:11:55 PM
If anybody finds a way to strip the GRE headers, I'd like to hear about it.

http://bittwist.sourceforge.net/doc/bittwiste.1.html

look at the -L option

Fred · January 15, 2015, 09:44:29 PM

Quote from: javentre on January 15, 2015, 08:24:18 PM
http://bittwist.sourceforge.net/doc/bittwiste.1.html

look at the -L option

Have you tested this? It reads like the filtering takes place in the wrong direction (e.g. I could filter to see only the GRE headers, not the contents).

wintermute000 · January 16, 2015, 03:05:55 AM

Side note, do not attempt to RSPAN across a Q-in-Q tunnel. BAD IDEA

javentre · January 16, 2015, 05:05:53 AM

Quote from: Fred on January 15, 2015, 09:44:29 PM
Have you tested this? It reads like the filtering takes place in the wrong direction (e.g. I could filter to see only the GRE headers, not the contents).

nope

Using SPAN/RSPAN to monitor traffic flow

Seittit