Remote Switched Port Analyzer
Unlike Local SPAN, Remote SPAN (RSPAN) allows for the SPAN destination port to be anywhere on the Layer 2 network. This can potentially help save time because the network engineer does not have to worry about placing the sniffer on the same switch as the source. In fact, multiple destination ports can be configured. A Catalyst 6500 can support up to 24 RSPAN destination ports. Sniffers can be strategically placed so that they are readily available if needed. A special VLAN is created for RSPAN to carry the copied source traffic to the destination port. The traffic in RSPAN VLAN is flooded because learning of MAC address is disabled. RSPAN VLAN does not generate bridge protocol data units (BPDUs) on the network.
A source switch is where the monitored ports are located. A source switch can only support one RSPAN VLAN. The steps outline has two switches connected back to back using Inter-Switch Link (ISL) trunking. (See Figure 12-1.)
Figure 12-1. Original Setup of a Router Connected to a Switch
Switch1 has a source host, and Switch2 has a RSPAN destination port defined, as follows:
- Step 1. Define the VLAN used for RSPAN on the appropriate switches. Here, VLAN 4 is used:
Switch1 (enable) set vlan 4 rspan !Cannot use an existing vlan, create a vlan that is currently not used Switch2 (enable) set vlan 4 rspan
- Step 2. Configure source port, 10/3, for RSPAN on Switch1:
Switch1 (enable) set rspan source 10/3 4 Rspan Type : Source Destination : - Rspan Vlan : 4 Admin Source : Port 10/3 Oper Source : Port 10/3 Direction : transmit/receive Incoming Packets: - Learning : - Multicast : enabled Filter : - Status : active - Step 3. Associate a destination port, 3/1, for RSPAN VLAN 4 on Switch2:
Switch2 (enable) set rspan destination 3/1 4 Rspan Type : Destination Destination : Port 3/1 Rspan Vlan : 4 Admin Source : - Oper Source : - Direction : - Incoming Packets: disabled Learning : enabled Multicast : - Filter : - Status : active
Any subsequent traffic generated or received on port 10/1 on Switch1 will be copied and forwarded to the sniffer on port 3/1 on Switch2.
Table 12-2 shows when the SPAN/RSPAN features became available in Catalyst OS.
Feature | Catalyst 4000 | Catalyst 5000 | Catalyst 6000 |
|---|---|---|---|
Inpkts enable/disable option | 4.4 | 4.2 | 5.1 |
Multiple sessions, ports in different VLANs | 5.1 | 5.1 | 5.1 |
Sc0 option | X | 5.1 | 5.1 |
Multicast enable/disable option | X | 5.1 | 5.1 |
Learning enable/disable option | 5.2 | 5.2 | 5.3 |
RSPAN | 6.3 | X | 5.3 |
Table 12-3 illustrates the number of SPAN sessions that can be configured on the appropriate platform.
Feature | Catalyst 4000 Range of Switches | Catalyst 5000 Range of Switches | Catalyst 6000 Range of Switches |
Rx or both SPAN sessions | 5 | 1 | 2 |
Tx SPAN sessions | 5 | 4 | 4 |
Rx, Tx, or both RSPAN source sessions | 5 | Not Supported | 1 |
RSPAN destination | 5 | Not Supported | 24 |
Total Sessions | 5 | 5 | 30 |
