Implementing and Troubleshooting SPAN
Please let me first begin with some personal updates. First of all, I’ve chosen to move in a new direction in my career. That may come as a surprise to those of you who know me personally and know how highly I’ve spoken of the team that I’ve worked with for the last year and a half. That hasn’t changed – I still have nothing but positive things to say about them. But life as a consultant leads to many hours needing to be worked. It’s something we were ok with as a family because we knew that if we worked really hard now, then the day could come when we could provide the kind of life for our family that we do now without having to work so many hours. I never thought that opportunity would come so soon, but it has. I am incredibly excited to be taking on an opportunity with a company that has a large global footprint, an incredible reputation, and offers a work-life balance that is second to none. I’m sad to leave my last team behind, but am really looking forward to the new relationships I’ll have the chance to form with my new team. But I’d like to use this public forum to take one more opportunity to say “Thank You” to the IP Consulting team for the incredible experience I’ve had working there. You guys deserve every last bit of success that comes your way, and I’m overwhelmingly grateful to you for the chance to work there.
Ok, now we can start to talk about technical stuff!
Whew! After covering Spanning-tree so extensively in our last series, the idea of covering a concept like SPAN seems like a walk in the park! This should be far more straight-forward, not to mention a far less novel-tastic post. Here is today’s exam blueprint topic:
2.1.g Implement and troubleshoot other LAN switching technologies
2.1.g [i] SPAN, RSPAN, ERSPAN
SPAN is often referred to as port-mirroring. Chances are that you’ve used SPAN before. Sometimes, you just need to hijack another port’s traffic. Common reasons for using SPAN are Call Recording on a Voice VLAN, IDS/IPS sniffing, the need to view traffic in a protocol analyzer like Wireshark, or to see if you can read a pretty girl’s emails. (Note: That is a joke. Do NOT try to read a pretty girl’s emails. It’s encrypted and you’ll just get frustrated. I mean… “It’s wrong, therefore, you shouldn’t do it.”)
One thing that should be said before jumping in too deep: We’re covering concepts here. Just because a concept exists though, doesn’t necessarily mean that your hardware supports every feature. With SPAN, this is especially true. SPAN features and capacity tend to be extremely platform-specific. Especially in cases where you are preparing to deploy a new application that uses SPAN, you should consult your product documentation to ensure that your switching environment can handle everything you’re preparing to do.
SPAN and RSPAN are very similar concepts. The only difference between the two is that with SPAN, you are simply taking traffic on one port on a switch, and mirroring it onto another port on the same switch. With RSPAN, the source and destination are on different switches, and they are carried by an RSPAN VLAN. ERSPAN (E = Encapsulated) is a variation of SPAN that encapsulates the traffic in GRE tunnels toward the destination. ERSPAN is far more flexible, but is supported on far fewer platforms.
Keep in mind that when you configure a port as a SPAN destination, it overwrites the original configuration of that port, making the port (and thereby, it’s connected host) useless for most normal functions. Some platforms allow you to still use the port as a standard port, by giving you the option of defining ingress traffic VLAN # and such, but this is not always the case. Also, SPAN destination ports will not run many common Layer 2 protocols like CDP, Spanning-Tree and such. You may see traffic from these protocols, but that is only because it is coming from the SPAN source port, not from the destination. Also, keep in mind that a SPAN source port can only send traffic to one destination port. That may sound like a minor limitation, but I had a customer thunk their head on that restriction recently, as they wanted to run multiple call recording applications that used SPAN, but discovered mid-implementation that this was not an option for them.
SPAN configuration is straight-forward. First, define the source port(s) with the monitor session # source interface name command. Then define the destination with the monitor session # destination interface name command. For RSPAN, the concept grows a little – you simple have to dump the traffic into a VLAN that is dedicated to the RSPAN process. First, define the transit VLAN by creating it with the VLAN # command, and then using the remote span command in VLAN configuration. Then, source ports can be added with the monitor session # source source command, and the monitor session # destination vlan # command. On the destination side, you’ll need to create the VLAN and define it as an RSPAN VLAN with the same process, then define the destination port by using the monitor session # source remote VLAN # command, and then the monitor session # destination interface name command.
ERSPAN is configured slightly differently. First, you define a SPAN session with the monitor session # type erspan-source command. This brings you into ERSPAN configuration mode. From here, define the source interface with the source interface name command, activate it with the no shutdown command, then define the destination with the destination command. This brings you down another level into the ERSPAN destination config mode. You must now configure a session ID with the erspan-id # command, a destination with the ip address # command, and a source address with the origin ip address # command. On the remote end, configure the destination with the monitor session # type erspan-destination command, then the destination interface # command, activate it with the no shutdown command, and define the source with the source command to drop into ERSPAN-source configuration mode. Once here, use the erspan-id # command and the ip address # command. You are now capturing using ERSPAN!