SPAN – Switched Port ANalyzer
This feature lets you analyze network traffic without interrupting service.
There are three types:
– Local SPAN
– Remote SPAN (RSPAN)
– Encapsulated RSPAN (ERSPAN – via GRE)
This process sends a copy of the frames received and transmitted on a switch port to another port of the same switch (or of the same switch card).
On the diagram above, we can see that a Local SPAN has been configured on PC A's port. Its frames are copied and sent to PC C for analysis (with Wireshark).
In order to set up this type of monitoring, we will have to define:
– The SPAN session to use
– The physical interface we want to analyze
– The destination port
– The traffic direction we want to analyze:
  – rx: traffic received on this port
  – tx: traffic sent from this port
  – both: traffic received and sent (default)
Which gives us:
Switch(config)# monitor session 1 source interface fa 0/1 [ rx | tx | both ]
Switch(config)# monitor session 1 destination interface fa 0/24
Let's say we want to capture traffic in both directions on our trunk interface, but only for VLANs 1 to 10, 20 to 30, VLAN 52 and VLAN 65. We'll use the following command:
Switch(config)# monitor session 1 filter vlan 1-10,20-30,52,65
RSPAN allows us to sniff a port from another switch!
Switch-A(config)# vlan 500
Switch-A(config-vlan)# remote-span
Switch-A(config-vlan)# exit
Switch-A(config)# monitor session 1 source interface FastEthernet 0/1
Switch-A(config)# monitor session 1 destination remote vlan 500
On Switch A, we created the RSPAN VLAN, and we send into it a copy of all the frames received by the FastEthernet 0/1 port.
Switch-B(config)# vlan 500
Switch-B(config-vlan)# remote-span
Switch-B(config-vlan)# exit
On Switch B, we only need to create the RSPAN VLAN.
Switch-C(config)# vlan 500
Switch-C(config-vlan)# remote-span
Switch-C(config-vlan)# exit
Switch-C(config)# monitor session 1 source remote vlan 500
Switch-C(config)# monitor session 1 destination interface FastEthernet 0/1
On Switch C, we created the RSPAN VLAN, and we send a copy of all the frames received on VLAN 500 to the FastEthernet 0/1 interface.
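Because a monitor session copies live traffic to another port or VLAN, it is worth checking saved configurations for sessions that are inconsistent or unexpected. The following Python sketch is an added example, not part of the original article: it parses running-config style text, flags RSPAN sessions whose VLAN was never declared remote-span, and flags mistyped filter lists. The sample configurations and the function names are constructed for illustration.

```python
import re
# Constructed samples: Switch-A from the RSPAN setup, and a broken variant.
SWITCH_A = """vlan 500
 remote-span
monitor session 1 source interface Fa0/1
monitor session 1 destination remote vlan 500
"""
BROKEN = """vlan 500
monitor session 1 source interface Fa0/1
monitor session 1 filter vlan 1-10,20-30,52.65
monitor session 1 destination remote vlan 500
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1-10,20-30,52,65' into sorted IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))  # int() rejects '52.65'
    return sorted(vlans)

def parse_config(text):
    """Return ([(session, keyword, argument)], {remote-span VLAN IDs})."""
    sessions, rspan_vlans, vlan = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan = int(m.group(1))
        elif line == "remote-span" and vlan is not None:
            rspan_vlans.add(vlan)
        elif not raw.startswith(" "):
            vlan = None  # any other top-level line leaves VLAN sub-mode
        if m := re.fullmatch(r"monitor session (\d+) (\w+) (.+)", line):
            sessions.append((int(m.group(1)), m.group(2), m.group(3)))
    return sessions, rspan_vlans

def audit(text):
    """Flag RSPAN sessions on undeclared VLANs and malformed filter lists."""
    sessions, rspan_vlans = parse_config(text)
    findings = []
    for sid, keyword, arg in sessions:
        m = re.fullmatch(r"remote vlan (\d+)", arg)
        if m and int(m.group(1)) not in rspan_vlans:
            findings.append(f"session {sid}: VLAN {m.group(1)} lacks remote-span")
        if keyword == "filter":
            try:
                expand_vlans(arg.split(None, 1)[1])
            except (ValueError, IndexError):
                findings.append(f"session {sid}: malformed filter {arg!r}")
    return findings
```

Calling audit(SWITCH_A) returns an empty list, while audit(BROKEN) reports both the malformed filter list and the undeclared RSPAN VLAN.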
Being written – not covered in the CCNP SWITCH
Hoping this article has been helpful to you! Don't hesitate to let me know!!