Using SPAN/RSPAN to monitor traffic flow

Started by jinxer, January 14, 2015, 06:41:29 AM


jinxer

Sometimes it's necessary to be able to see what's happening on the wire. One way to do that is to configure a SPAN or RSPAN session.

I will describe how you can configure an RSPAN session, which is remote SPAN, meaning you can monitor a port on one switch and listen to that monitor on a remote switch by sending the monitor session on a VLAN which you configure as a remote-span VLAN.

First off, configure your RSPAN VLAN:

sw1# conf t
sw1(config)# vlan 999
sw1(config-vlan)# name RSPAN-VLAN
sw1(config-vlan)# remote-span
sw1(config-vlan)# exit

Add that VLAN on your remote switch as well and allow that VLAN on your trunk links by adding:

(config-if)# switchport trunk allowed vlan add 999

That's assuming you restrict which VLANs traverse your trunk links.

The next thing to do is to go to the switch on which you want to monitor a port and configure that monitor session:

sw1# conf t
sw1(config)# monitor session 1 source interface GigabitEthernet 0/1

This will start a monitor session on Gigabit interface 0/1 on your switch. The next thing is to send that monitor to your RSPAN VLAN so you can monitor the traffic on your remote switch.

sw1(config)# monitor session 1 destination remote vlan 999

That's it on the source switch you monitor from; now it's time to jump on your destination switch and grab that monitor session:

sw2# conf t
sw2(config)# monitor session 1 source remote vlan 999
sw2(config)# monitor session 1 destination interface GigabitEthernet 0/2

That's it... The network traffic from switch 1's Gi0/1 will be sent over the wire to switch 2's Gi0/2 interface, where you can plug in your network monitor/sniffer to see what's going on.
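
An added consistency check for the two-switch RSPAN setup described above (example code written for this thread, not from the original post). It parses constructed running-config excerpts for sw1 and sw2 and verifies that the remote-span VLAN is declared on both switches, is allowed on a trunk, and is chained from the source session to the destination session, and that neither switch exceeds the two-session limit mentioned later in the thread.

```python
import re

# Constructed running-config excerpts for sw1 and sw2 (sample input for this example).
SW1_CONFIG = """\
vlan 999
 remote-span
interface GigabitEthernet0/24
 switchport trunk allowed vlan 10,20,999
monitor session 1 source interface Gi0/1
monitor session 1 destination remote vlan 999
"""
SW2_CONFIG = (SW1_CONFIG.replace("source interface Gi0/1", "source remote vlan 999")
              .replace("destination remote vlan 999", "destination interface Gi0/2"))

def remote_span_vlans(cfg):
    """VLAN ids whose 'vlan N' block carries the 'remote-span' keyword."""
    return {int(v) for v in re.findall(r"^vlan (\d+)\n(?: .*\n)*? remote-span$", cfg, re.M)}

def trunk_allowed(cfg):
    """VLAN ids explicitly listed on trunks ('add' lists and ranges included)."""
    allowed = set()
    for m in re.finditer(r"switchport trunk allowed vlan (?:add )?([\d,-]+)", cfg):
        for part in m.group(1).split(","):
            lo, _, hi = part.partition("-")
            allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed

def monitor_sessions(cfg):
    """session id -> {'source': [...], 'destination': [...]} from 'monitor session' lines."""
    sessions = {}
    for sid, role, target in re.findall(r"^monitor session (\d+) (source|destination) (.+)$", cfg, re.M):
        sessions.setdefault(int(sid), {"source": [], "destination": []})[role].append(target)
    return sessions

def check_rspan(src_cfg, dst_cfg, vlan, max_sessions=2):
    """Problems with the RSPAN path from the source to the destination switch; [] means consistent."""
    problems = []
    for name, cfg in (("source", src_cfg), ("destination", dst_cfg)):
        checks = ((vlan in remote_span_vlans(cfg), f"vlan {vlan} is not declared remote-span"),
                  (vlan in trunk_allowed(cfg), f"vlan {vlan} is not allowed on any trunk"),
                  (len(monitor_sessions(cfg)) <= max_sessions, f"more than {max_sessions} sessions"))
        problems += [f"{name} switch: {msg}" for ok, msg in checks if not ok]
    sends = [d for s in monitor_sessions(src_cfg).values() for d in s["destination"]]
    receives = [r for s in monitor_sessions(dst_cfg).values() for r in s["source"]]
    problems += [f"{who} switch: no session {what} remote vlan {vlan}"
                 for who, what, seen in (("source", "sends to", sends), ("destination", "receives from", receives))
                 if f"remote vlan {vlan}" not in seen]
    return problems
```

Running `check_rspan(SW1_CONFIG, SW2_CONFIG, 999)` on the constructed excerpts returns an empty list; dropping the `remote-span` keyword or the trunk entry on either switch produces a matching problem line.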

deanwebb

Just a quick note: guides start in a topic area. When they're cleaned up and ready to stand on their own, we'll move them to the guides section.

This is a good start... can you go into detail about examples of why you would want to look at that traffic from a SPAN port instead of just running Wireshark on a host's own port? What's the difference between spanning a VLAN and spanning a port? When is it good to span a VLAN? Will the device plugged into the SPAN port be able to use the network normally?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Seittit

quick note #2:

Catalyst switches support only two (2) span sessions. This also applies to the big boy Nexus switches.

If you're looking to tap more, you'll need many thousands of dollars to purchase an appliance like Gigamon.

quick note #3:

There are no SPAN sessions on IOS routers; use this link instead: https://supportforums.cisco.com/document/29616/utilizing-new-packet-capture-feature

icecream-guy

Might want to put a bit about VACL captures in there also.
:professorcat:

My Moral Fibers have been cut.

Fred

ERSPAN on the Nexus is worth investigating, too. It allows you to tunnel the SPAN traffic over GRE to a target host.

If anybody finds a way to strip the GRE headers, I'd like to hear about it.

javentre

http://networking.ventrefamily.com

Fred

Quote from: javentre on January 15, 2015, 08:24:18 PM
http://bittwist.sourceforge.net/doc/bittwiste.1.html

look at the -L option
Have you tested this? It reads like the filtering takes place in the wrong direction (e.g. I could filter to see only the GRE headers, not the contents).

wintermute000

Side note, do not attempt to RSPAN across a Q-in-Q tunnel. BAD IDEA

javentre

Quote from: Fred on January 15, 2015, 09:44:29 PM
Have you tested this? It reads like the filtering takes place in the wrong direction (e.g. I could filter to see only the GRE headers, not the contents).
nope
http://networking.ventrefamily.com