Configuring RSPAN
The earlier "SPAN Ports and Bridging Loops" sidebar described a situation in which the administrator of a distributed switched environment wants to monitor a set of ports or VLANs spread over several switches. While the approaches described in the sidebar typically work, the best solution in this case is the Remote SPAN (RSPAN) feature. In short, RSPAN copies the traffic from all monitored ports into a special RSPAN VLAN; that VLAN is carried over trunk ports to the destination port, where an IDS is attached. See Figure 9.7.
In Figure 9.7, switches S1 and S2 are called source switches. Currently, a source switch can have only one RSPAN VLAN configured, which means it is not possible to have two sources for two different RSPAN sessions on the same switch.
Switch S3 is an intermediary switch. It is not subject to the preceding restriction on the number of RSPAN VLANs, because it simply forwards the traffic. Switch S1 also acts as an intermediary switch, forwarding traffic from host B.
Finally, switch S4 is a destination switch. Some of its ports are configured as RSPAN destinations. A Catalyst 6000 can currently have up to 24 destination ports for RSPAN sessions. All switches are connected via ISL trunks. STP is running, so loops will be prevented.
The configuration process consists of creating an RSPAN VLAN on the source switches, configuring trunks on the intermediary switches (if they are not already in place), and specifying destination ports on the destination switches. The specific commands differ between IOS-based and CatOS-based Catalyst 4000/6000 switches, so we describe them separately.
Configuring an IOS-Based Switch for RSPAN
The process is different for source and destination switches. Intermediary switches need no additional configuration, provided that the trunking infrastructure is already in place and the RSPAN VLAN is allowed on every trunk along the path; if the RSPAN VLAN is pruned from a trunk, the destination port simply sees nothing and the IDS goes blind without any error being reported.
An RSPAN VLAN is created first. This is done by creating a VLAN and then entering the command remote-span in config-vlan mode to mark it as a Remote SPAN VLAN. For example:
R4000(config)# vlan 123
R4000(config-vlan)# remote-span
R4000(config-vlan)# end
configures VLAN 123 for RSPAN. The command no remote-span turns off the RSPAN property of this VLAN. The command needs to be entered on only one switch (a VTP server): knowledge of the VLAN is then propagated by VTP to all other switches in the domain. Switches running in VTP transparent mode do not learn it and must have the RSPAN VLAN configured manually.
Source Switch Configuration
Traffic sources are configured in the same way as for local SPAN; the difference is that the destination of the session is the remote SPAN VLAN rather than a local port. For example, on switch S1:
R4000-1(config)# monitor session 1 source interface fa2/1 rx
R4000-1(config)# monitor session 1 destination remote vlan 123
On switch S2:
R4000-2(config)# monitor session 1 source interface fa3/1 rx
R4000-2(config)# monitor session 1 destination remote vlan 123
Destination Switch Configuration
On a destination switch, the configuration is the reverse of that on a source switch: the source of the session is the RSPAN VLAN, and the destination is the port to which the IDS is connected. For example, on switch S4:
R4000-4(config)# monitor session 1 source remote vlan 123
R4000-4(config)# monitor session 1 destination interface fa4/1
It is also possible to filter the traffic further by using VLAN access lists (VACLs), which are described later in this chapter.
Configuring a SET-Based Switch for RSPAN
The basic steps are the same as with IOS switches. The trunking structure is configured independently of RSPAN and has to be in place before RSPAN is configured. Basically, you need to use the same VTP domain on all switches and configure some ports as trunking-desirable; trunk negotiation (DTP), which only succeeds when both ends are in the same VTP domain, does the rest. For example, running the command:
Sw4000-1> (enable) set vtp domain cisco
Sw4000-2> (enable) set vtp domain cisco
on all switches, and additionally using the command
Sw4000-2> (enable) set trunk 5/1 desirable
on switch S2 will establish a trunk between them, provided the port at the far end is in auto (the default) or desirable mode.
Then the RSPAN VLAN is created. Using the same numbering as in the previous sections, we need to configure the following on a VTP server switch:
Sw4000> (enable) set vlan 123 rspan
Vlan 123 configuration successful
Sw4000> (enable) show vlan
VLAN  DynCreated  RSPAN
----  ----------  --------
1     static      disabled
2     static      disabled
3     static      disabled
99    static      disabled
123   static      enabled
Source Switch Configuration
On a source switch, source ports are again configured similarly to local SPAN sources, using the keyword rspan instead of span; the destination given to the set rspan command is always the ID of an RSPAN VLAN, never a port. For example:
Sw4000-1> (enable) set rspan source 2/1 123 rx
Rspan Type : Source
Destination : -
Rspan Vlan : 123
Admin Source : Port 2/1
Oper Source : None
Direction : receive
Incoming Packets: -
Learning : -
Multicast : enabled
Filter : -
This configures ingress traffic from port 2/1 as a source for the RSPAN session associated with RSPAN VLAN 123.
Note: In this output, the Admin Source field lists the source ports or source VLANs configured from the console. The Oper Source field shows the ports that are actually monitored; for example, if the administrative source includes a VLAN, the operational source lists all ports belonging to that VLAN. The Oper Source field is not updated until the session is active and is never used for RSPAN sources.
It is also possible to use VLANs as sources for RSPAN; for example, to monitor ingress traffic on all ports of VLAN 200:
Sw4000-1> (enable) set rspan source 200 123 rx
Rspan Type : Source
Destination : -
Rspan Vlan : 123
Admin Source : VLAN 200
Oper Source : None
Direction : receive
Incoming Packets: -
Learning : -
Multicast : enabled
Filter : -
Destination Switch Configuration
On a destination switch, the destination port is configured this way:
Sw4000-4> (enable) set rspan destination 4/1 123
Rspan Type : Destination
Destination : Port 4/1
Rspan Vlan : 123
Admin Source : -
Oper Source : -
Direction : -
Incoming Packets: disabled
Learning : enabled
Multicast : -
Filter : -
RSPAN sessions can be disabled on source switches by using:
Sw4000> (enable) set rspan disable source all
This command will disable all remote span source session(s).
Do you want to continue (y/n) [n]? y
Disabled monitoring of all source(s) on the switch for remote span.
Or, for a specific session, identified by its RSPAN VLAN number (replace <rspan_vlan> with that number):
Sw4000> (enable) set rspan disable source <rspan_vlan>
Sessions can also be disabled on destination switches using
Sw4000> (enable) set rspan disable destination all
This command will disable all remote span destination session(s).
Do you want to continue (y/n) [n]? y
Disabled monitoring of remote span traffic for all rspan destination ports.
Or, for a specific session, identified by the destination port (replace <mod/port> with the port number):
Sw4000> (enable) set rspan disable destination <mod/port>
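The quiet failure mode of RSPAN is that every SPAN command can be correct and the IDS still sees nothing, because an intermediary trunk prunes the RSPAN VLAN or a VLAN is used for RSPAN somewhere it was never marked as such. The following is an added example, not code from the book or from Cisco: a small audit that reads collected configurations from both the IOS-based and the set-based procedures above and checks that each RSPAN VLAN is declared where it is used, that a source switch feeds only one RSPAN VLAN, that every monitored VLAN has a destination port on some switch, and that no IOS trunk prunes the RSPAN VLAN. The switch names, interface names and configuration snippets are constructed for the example and follow the topology of Figure 9.7; S3 deliberately prunes VLAN 123 from its trunk. CatOS trunk VLAN ranges are not parsed (the check assumes CatOS trunks carry all VLANs), and the IOS allowed-VLAN parser handles plain lists and ranges only, not the add/remove forms.

```python
import re
from collections import defaultdict

# Constructed sample configurations, not taken from the page: S1, S3 and S4
# use the IOS syntax, S2 uses the CatOS "set" syntax. S3 is an intermediary
# whose trunk deliberately prunes VLAN 123, so the RSPAN copy never reaches
# the IDS on S4 even though every SPAN command is correct.
CONFIGS = {
    "S1": """
vlan 123
 remote-span
interface FastEthernet5/1
 switchport trunk allowed vlan 1,100,123
 switchport mode trunk
monitor session 1 source interface Fa2/1 rx
monitor session 1 destination remote vlan 123
""",
    "S2": """
set vlan 123 rspan
set trunk 5/1 desirable
set rspan source 2/1 123 rx
""",
    "S3": """
vlan 123
 remote-span
interface GigabitEthernet1/1
 switchport trunk allowed vlan 1-99
 switchport mode trunk
""",
    "S4": """
vlan 123
 remote-span
interface GigabitEthernet1/1
 switchport mode trunk
monitor session 1 source remote vlan 123
monitor session 1 destination interface Fa4/1
""",
}


def expand_vlans(spec):
    """Expand an IOS allowed-VLAN list such as '1,100-102,123' into a set."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_switch(text):
    """Extract the RSPAN-relevant facts from one IOS or CatOS configuration."""
    rspan_vlans, sources, dests = set(), set(), set()
    trunk_ifs, allowed = set(), {}
    sessions = defaultdict(dict)
    cur_vlan = cur_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"vlan (\d+)$", line):               # IOS: vlan 123
            cur_vlan, cur_if = int(m.group(1)), None
        elif line == "remote-span" and cur_vlan:              # IOS: remote-span
            rspan_vlans.add(cur_vlan)
        elif m := re.match(r"set vlan (\d+) rspan$", line):   # CatOS
            rspan_vlans.add(int(m.group(1)))
        elif m := re.match(r"interface (\S+)$", line):
            cur_if, cur_vlan = m.group(1), None
        elif line == "switchport mode trunk" and cur_if:
            trunk_ifs.add(cur_if)
        elif (m := re.match(r"switchport trunk allowed vlan ([\d,-]+)$", line)) and cur_if:
            allowed[cur_if] = expand_vlans(m.group(1))
        elif m := re.match(r"monitor session (\d+) (source|destination) (.+)$", line):
            sessions[m.group(1)][m.group(2)] = m.group(3)
        elif m := re.match(r"set rspan source \S+ (\d+)", line):
            sources.add(int(m.group(1)))
        elif m := re.match(r"set rspan destination \S+ (\d+)", line):
            dests.add(int(m.group(1)))
    # An IOS session whose destination is "remote vlan N" is a source session;
    # one whose source is "remote vlan N" is a destination session.
    for s in sessions.values():
        if m := re.match(r"remote vlan (\d+)", s.get("destination", "")):
            sources.add(int(m.group(1)))
        if m := re.match(r"remote vlan (\d+)", s.get("source", "")):
            dests.add(int(m.group(1)))
    # A trunk without an allowed-vlan line carries every VLAN (None = all).
    trunks = {i: allowed.get(i) for i in trunk_ifs}
    return {"rspan_vlans": rspan_vlans, "sources": sources,
            "dests": dests, "trunks": trunks}


def check_rspan(configs):
    """Return the list of problems found across all switches; [] means clean."""
    parsed = {name: parse_switch(txt) for name, txt in configs.items()}
    in_use = set().union(*(p["sources"] for p in parsed.values()))
    all_dests = set().union(*(p["dests"] for p in parsed.values()))
    problems = []
    for name, p in parsed.items():
        if len(p["sources"]) > 1:
            problems.append(f"{name}: feeds RSPAN VLANs {sorted(p['sources'])}, "
                            "but a source switch may use only one RSPAN VLAN")
        for v in sorted(p["sources"] | p["dests"]):
            if v not in p["rspan_vlans"]:
                problems.append(f"{name}: VLAN {v} is used for RSPAN but not marked remote-span/rspan")
        for v in sorted(p["sources"] - all_dests):
            problems.append(f"{name}: RSPAN VLAN {v} has no destination port on any switch")
        for intf, ok in sorted(p["trunks"].items()):
            for v in sorted(in_use):
                if ok is not None and v not in ok:
                    problems.append(f"{name}: trunk {intf} does not carry RSPAN VLAN {v}")
    return problems


if __name__ == "__main__":
    for problem in check_rspan(CONFIGS):
        print(problem)
```

Run against the constructed configurations, the audit reports only S3's pruned trunk; adding 123 to that trunk's allowed list makes it report nothing. Pointing S4's destination session at a different VLAN shows the other checks firing: the VLAN is flagged as unmarked on S4, and both source switches are flagged as feeding a VLAN that no longer has a destination port anywhere.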