Unlike Local SPAN, Remote SPAN (RSPAN) allows for the SPAN destination port to be anywhere on the Layer 2 network. This can potentially help save time because the network engineer does not have to worry about placing the sniffer on the same switch as the source. In fact, multiple destination ports can be configured. A Catalyst 6500 can support up to 24 RSPAN destination ports. Sniffers can be strategically placed so that they are readily available if needed. A special VLAN is created for RSPAN to carry the copied source traffic to the destination port. The traffic in RSPAN VLAN is flooded because learning of MAC address is disabled. RSPAN VLAN does not generate bridge protocol data units (BPDUs) on the network.
A source switch is where the monitored ports are located. A source switch can only support one RSPAN VLAN. The steps outline has two switches connected back to back using Inter-Switch Link (ISL) trunking. (See Figure 12-1.)
Switch1 has a source host, and Switch2 has a RSPAN destination port defined, as follows:
Switch1 (enable) set vlan 4 rspan !Cannot use an existing vlan, create a vlan that is currently not used Switch2 (enable) set vlan 4 rspan
Switch1 (enable) set rspan source 10/3 4
Rspan Type : Source
Destination : -
Rspan Vlan : 4
Admin Source : Port 10/3
Oper Source : Port 10/3
Direction : transmit/receive
Incoming Packets: -
Learning : -
Multicast : enabled
Filter : -
Status : active
Switch2 (enable) set rspan destination 3/1 4
Rspan Type : Destination
Destination : Port 3/1
Rspan Vlan : 4
Admin Source : -
Oper Source : -
Direction : -
Incoming Packets: disabled
Learning : enabled
Multicast : -
Filter : -
Status : active
Any subsequent traffic generated or received on port 10/1 on Switch1 will be copied and forwarded to the sniffer on port 3/1 on Switch2.
Table 12-2 shows when the SPAN/RSPAN features became available in Catalyst OS.
Feature | Catalyst 4000 | Catalyst 5000 | Catalyst 6000 |
---|---|---|---|
Inpkts enable/disable option | 4.4 | 4.2 | 5.1 |
Multiple sessions, ports in different VLANs | 5.1 | 5.1 | 5.1 |
Sc0 option | X | 5.1 | 5.1 |
Multicast enable/disable option | X | 5.1 | 5.1 |
Learning enable/disable option | 5.2 | 5.2 | 5.3 |
RSPAN | 6.3 | X | 5.3 |
Table 12-3 illustrates the number of SPAN sessions that can be configured on the appropriate platform.
Feature | Catalyst 4000 Range of Switches | Catalyst 5000 Range of Switches | Catalyst 6000 Range of Switches |
Rx or both SPAN sessions | 5 | 1 | 2 |
Tx SPAN sessions | 5 | 4 | 4 |
Rx, Tx, or both RSPAN source sessions | 5 | Not Supported | 1 |
RSPAN destination | 5 | Not Supported | 24 |
Total Sessions | 5 | 5 | 30 |