CCIE 400-101: Layer 2 Technologies - SPAN, RSPAN, ERSPAN

  • SPAN = Switch Port Analyzer
  • RSPAN = Remote SPAN
  • ERSPAN = Encapsulated RSPAN
  • SPAN is a method of directing a copy of all traffic from a source port or source VLAN to a single port.
  • SPAN is sometimes referred to as session monitoring because of the commands used to configure it. 
  • The feature is useful for many applications. For example, all traffic from a voice VLAN can be delivered to a single switch port to facilitate call recording.
  • In a single SPAN session, you can monitor received (Rx), transmitted (Tx), or bidirectional (both) [default] source port traffic.
  • Rx refers to traffic entering the source port or VLAN. The traffic is copied and sent to the SPAN destination before any modifications occur (ACL/VACL, QoS, policing etc.).
  • Tx refers to traffic leaving the source port or VLAN. The traffic is copied and sent to the SPAN destination after any modifications occur (ACL/VACL, QoS, policing etc.). 
  • The destination port can be on the local switch (SPAN) or on another switch in the network (RSPAN). 
  • In RSPAN, a specific VLAN must be configured across the entire switching path from the source port or VLAN to the RSPAN destination port. 
  • Encapsulated Remote SPAN (ERSPAN), as the name implies, creates a GRE tunnel for all captured traffic and allows it to be extended across Layer 3 domains. 
  • Regardless of the type of SPAN, a SPAN source port can be any type of port—a routed port, a physical switch port, an access port, a trunk port, an EtherChannel port (either one physical port or the entire port-channel interface), and so on.  
  • On a SPAN source VLAN, all active ports in that VLAN are monitored.  
  • As ports are added or removed from that VLAN, the sources are dynamically updated to include new ports or exclude removed ports. 
  • When a trunk port is monitored as a source port, all VLANs active on the trunk are monitored by default.  
  • You can use VLAN filtering in order to limit SPAN traffic monitoring on trunk source ports to specific VLANs. 
  • VLAN filtering affects only traffic forwarded to the destination SPAN port and does not affect the switching of normal traffic. 
  • VLAN filtering applies only to port-based sessions and is not allowed in sessions with VLAN sources. 
  • Also, a port configured as a SPAN destination cannot be part of a SPAN source VLAN.
  • The state of the destination port is up/down by design. The interface shows the port in this state in order to make it evident that the port is currently not usable as a production port. 
  • When a port is a SPAN destination port, it does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PAgP).
  • SPAN/RSPAN/ERSPAN usually ignores CDP, spanning-tree BPDUs, VTP, DTP, and PAgP frames. However, these traffic types can be forwarded along with the normal SPAN traffic if the encapsulation replicate command is configured.
  • There are a number of restrictions for SPAN/RSPAN/ERSPAN ports, including: 
    • The source can be either one or more ports or a VLAN, but not a mix of these. 
    • A SPAN destination port cannot be a source port, and a source port cannot be a destination port. 
    • Only one SPAN/RSPAN/ERSPAN session can send traffic to a single destination port. 
    • A SPAN destination port ceases to act as a normal switch port. That is, it passes only SPAN-related traffic.
  • For details, see: SPAN, RSPAN, and ERSPAN.
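
The restrictions listed above can be checked mechanically against a switch configuration. The following Python sketch is an added example, not part of the original notes or any Cisco tool; it assumes one port or VLAN per `monitor session` line and consistently abbreviated interface names, and the sample configuration is constructed.

```python
import re
from collections import defaultdict

# Matches the 'monitor session' forms used on this page, plus 'filter vlan'.
LINE = re.compile(r"^monitor session (\d+) (source|destination|filter) "
                  r"(remote vlan|interface|vlan) ([^\s,]+)", re.I)

def audit_span(config):
    """Return a list of violations of the SPAN restrictions in the notes."""
    src_ports = defaultdict(set)  # session -> source interfaces
    src_vlans = defaultdict(set)  # session -> source VLANs
    dst_ports = defaultdict(set)  # destination interface -> sessions
    filtered = set()              # sessions that use 'filter vlan'
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sess = int(m.group(1))
        role, kind, value = (g.lower() for g in m.groups()[1:])
        if role == "filter":
            filtered.add(sess)
        elif kind == "remote vlan":
            continue  # RSPAN transport VLAN, not a monitored source
        elif role == "source" and kind == "interface":
            src_ports[sess].add(value)
        elif role == "source":
            src_vlans[sess].add(value)
        elif kind == "interface":
            dst_ports[value].add(sess)
    findings = []
    for s in sorted(set(src_ports) & set(src_vlans)):
        findings.append(f"session {s}: mixes port and VLAN sources")
    for s in sorted(filtered & set(src_vlans)):
        findings.append(f"session {s}: VLAN filter on a VLAN-source session")
    all_sources = set().union(*src_ports.values())
    for port, sessions in sorted(dst_ports.items()):
        if len(sessions) > 1:
            findings.append(f"{port}: destination of sessions {sorted(sessions)}")
        if port in all_sources:
            findings.append(f"{port}: both a source and a destination port")
    return findings

# Constructed sample that breaks each rule; not a configuration from the page.
BAD = """\
monitor session 1 source interface fa0/12
monitor session 1 destination interface fa0/24
monitor session 2 source vlan 42
monitor session 2 source interface fa0/24
monitor session 2 filter vlan 10
monitor session 2 destination interface fa0/24
"""

if __name__ == "__main__":
    for finding in audit_span(BAD):
        print(finding)
```
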

Example:

-- SPAN --

monitor session 1 source interface fa0/12
monitor session 1 destination interface fa0/24



-- RSPAN --

S1#
vlan 199
 remote-span
monitor session 3 source vlan 42
monitor session 3 destination remote vlan 199


S2#
vlan 199
 remote-span
monitor session 5 source remote vlan 199
monitor session 5 destination interface fa0/19



-- ERSPAN --

R1#
monitor session 1 type erspan-source
 source interface GigabitEthernet0/1/0
 no shutdown
 destination
  erspan-id 101
  ip address 10.1.1.1
  origin ip address 172.16.1.1


R2#
monitor session 2 type erspan-destination
 destination interface GigabitEthernet2/2/1
 no shutdown
 source
  erspan-id 101
  ip address 10.1.1.1 

  

R1# show monitor session 1

Session 1
---------
Type : ERSPAN Source Session
Status : Admin Enabled
Source Ports :
RX Only : Gi0/1/0
Destination IP Address : 10.1.1.1
MTU : 1464
Destination ERSPAN ID : 101
Origin IP Address : 172.16.1.1


References

CCIE Routing and Switching v5.0 Official Cert Guide, Volume 1, 5th Edition
SPAN, RSPAN, and ERSPAN
Catalyst SPAN Configuration Example
