Cisco: Packet Capture: SPAN, RSPAN

Blueprint

CCIE Enterprise Infrastructure v1.0
- Qualifying Exam ENCOR 350-401
  - 4.0 Network Assurance
    - 4.4 Configure and verify SPAN/RSPAN/ERSPAN
- Lab v1.0
  - 4.0 Infrastructure Security and Services
    - 4.7 Network operations
      - 4.7.a Traffic capture
        
        4.7.a i SPAN
        
        4.7.a ii RSPAN
CCIE R&S v5
- Written v5.1
  - 2.0 Layer 2 Technologies
    - 2.1 LAN switching technologies
      - 2.1.g Implement and troubleshoot other LAN switching technologies
        
        2.1.g [i] SPAN, RSPAN, ERSPAN
- Lab v5.0
  - 1.0 Layer 2 Technologies
    - 1.1 LAN switching technologies
      - 1.1.g Implement and troubleshoot other LAN switching technologies
        
        1.1.g [i] SPAN, RSPAN, ERSPAN

Base Configuration

Physical Lab

R1

configure terminal
!
interface FastEthernet 0/0.1
 encapsulation dot1q 1 native
 ip address 10.0.1.1 255.255.255.0
interface FastEthernet 0/0.128
 encapsulation dot1q 128
 ip address 10.0.128.1 255.255.255.0
interface FastEthernet 0/0.129
 encapsulation dot1q 129
 ip address 10.0.129.1 255.255.255.0
interface FastEthernet 0/0.130
 encapsulation dot1q 130
 ip address 10.0.130.1 255.255.255.0
interface FastEthernet 0/0
 no shutdown
!
end

R2 Lab Base Configuration

R2

configure terminal
!
interface FastEthernet 0/0.1
 encapsulation dot1q 1 native
 ip address 10.0.1.2 255.255.255.0
interface FastEthernet 0/0.128
 encapsulation dot1q 128
 ip address 10.0.128.2 255.255.255.0
interface FastEthernet 0/0.129
 encapsulation dot1q 129
 ip address 10.0.129.2 255.255.255.0
interface FastEthernet 0/0.130
 encapsulation dot1q 130
 ip address 10.0.130.2 255.255.255.0
interface FastEthernet 0/0
 no shutdown
!
end

R3 Lab Base Configuration

R3

configure terminal
!
interface FastEthernet 0/0.1
 encapsulation dot1q 1 native
 ip address 10.0.1.3 255.255.255.0
interface FastEthernet 0/0.128
 encapsulation dot1q 128
 ip address 10.0.128.3 255.255.255.0
interface FastEthernet 0/0.129
 encapsulation dot1q 129
 ip address 10.0.129.3 255.255.255.0
interface FastEthernet 0/0.130
 encapsulation dot1q 130
 ip address 10.0.130.3 255.255.255.0
interface FastEthernet 0/0
 no shutdown
!
end

SW1 Lab Base Configuration

SW1

configure terminal
!
vtp mode transparent
!
vlan 128-130
exit
!
interface FastEthernet 1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface FastEthernet 1/0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface FastEthernet 1/0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
end

SW2 Lab Base Configuration

SW2

configure terminal
!
vtp mode transparent
!
vlan 128-130
exit
!
interface FastEthernet 1/0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface FastEthernet 1/0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface FastEthernet 1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
end

SW3 Lab Base Configuration

SW3

configure terminal
!
vtp mode transparent
!
vlan 128-130
exit
!
interface FastEthernet 1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
end

Local SPAN Lab

✔SW1

configure terminal
!
monitor session 1 source interface FastEthernet 1/0/1
monitor session 1 destination interface FastEthernet 1/0/12
!
end

✔SW1

configure terminal
!
monitor session 1 source interface FastEthernet 1/0/1 tx
monitor session 1 destination interface FastEthernet 1/0/12
!
end

✔SW1

configure terminal
!
monitor session 1 source interface FastEthernet 1/0/1 rx
monitor session 1 destination interface FastEthernet 1/0/12
!
end

to monitor 802.1Q tag, see Capture IEEE802.1Q Frame with Wireshark

✔SW1

configure terminal
!
monitor session 1 source interface FastEthernet 1/0/1
monitor session 1 destination interface FastEthernet 1/0/12 encapsulation replicate
!
end

✔SW1

configure terminal
!
monitor session 1 source vlan 128
monitor session 1 destination interface FastEthernet 1/0/12
!
end

✔SW1

configure terminal
!
monitor session 1 source interface FastEthernet 1/0/1
monitor session 1 destination interface FastEthernet 1/0/11, FastEthernet 1/0/12
!
end

✔SW1

configure terminal
!
monitor session 1 source interface FastEthernet 1/0/1
monitor session 1 destination interface FastEthernet 1/0/11, FastEthernet 1/0/12 encapsulation replicate
!
end

✔SW1(filter vlan)

configure terminal
!
monitor session 1 source interface FastEthernet 1/0/1
monitor session 1 filter vlan 1 , 128 - 129
monitor session 1 destination interface FastEthernet 1/0/12 encapsulation replicate
!
end

✔SW1(filter vlan)

configure terminal
!
monitor session 1 source interface FastEthernet 1/0/1
monitor session 1 filter vlan 1 , 128 , 130
monitor session 1 destination interface FastEthernet 1/0/12
!
end

SW1 Console Log

SW1

SW1(config)#do sh run | i monitor
monitor session 1 source interface Fa1/0/1
monitor session 1 filter vlan 1 , 128 , 130
monitor session 1 destination interface Fa1/0/12
SW1(config)#do sh monitor
Session 1
---------
Type                   : Local Session
Source Ports           : 
    Both               : Fa1/0/1
Destination Ports      : Fa1/0/12
    Encapsulation      : Native
          Ingress      : Disabled
Filter VLANs           : 1,128,130


SW1(config)#
SW1(config)#monitor session 1 destination int f1/0/12 encapsulation rep
SW1(config)#$sion 1 destination int f1/0/12 encapsulation replicate 
SW1(config)#do sh monit
SW1(config)#do sh monitor 
Session 1
---------
Type                   : Local Session
Source Ports           : 
    Both               : Fa1/0/1
Destination Ports      : Fa1/0/12
    Encapsulation      : Replicate
          Ingress      : Disabled
Filter VLANs           : 1,128,130


SW1(config)#

Remote SPAN(RSPAN) Lab

✔SW1

configure terminal
!
vlan 999
 remote-span
exit
!
monitor session 1 source interface FastEthernet 1/0/1
monitor session 1 destination remote vlan 999
!
end

RSPAN seems to be not work encapsulation replicate, any tags stripped.

✔SW2

configure terminal
!
vlan 999
 remote-span
exit
!
monitor session 1 source remote vlan 999
monitor session 1 destination interface FastEthernet 1/0/12 encapsulation replicate
!
end

SW2 mis-configuration

SW2

configure terminal
!
vlan 999
 remote-span
exit
!
monitor session 1 source remote vlan 999
monitor session 1 destination remote vlan 999
!
end

SW3 mis-configuration

SW3

configure terminal
!
vlan 999
 remote-span
exit
!
monitor session 1 source remote vlan 999
monitor session 1 destination interface FastEthernet 1/0/12
!
end

SW2 Configuration Log

SW2

SW2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#vl
SW2(config)#vlan 999
SW2(config-vlan)#remo
SW2(config-vlan)#remote-span 
SW2(config-vlan)#exit
SW2(config)#moni
SW2(config)#monitor sess
SW2(config)#monitor session 1 sou
SW2(config)#monitor session 1 source remo
SW2(config)#monitor session 1 source remote vl
SW2(config)#monitor session 1 source remote vlan 999
SW2(config)#moint
SW2(config)#monito
SW2(config)#monitor ses
SW2(config)#monitor session 1 des
SW2(config)#monitor session 1 destination remo
SW2(config)#monitor session 1 destination remote vl
SW2(config)#monitor session 1 destination remote vlan 999
% RSPAN VLAN already exists as source. The same session cannnot have RSPAN VLAN both as source and destination
SW2(config)#do sh run | i monitor
monitor session 1 source remote vlan 999 
SW2(config)#monitor session 1 destination remote vlan 999
% RSPAN VLAN already exists as source. The same session cannnot have RSPAN VLAN both as source and destination
SW2(config)#

SW2(config)#vlan 999
SW2(config-vlan)#remo
SW2(config-vlan)#remote-span 
SW2(config-vlan)#exit
SW2(config)#
*Mar  1 01:25:52.131: %LINK-3-UPDOWN: Interface FastEthernet1/0/12, changed state to up
*Mar  1 01:25:53.138: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/12, changed state to up
SW2(config)#reo
SW2(config)#reosl
SW2(config)#moni 
SW2(config)#monitor se
SW2(config)#monitor session 1 sou
SW2(config)#monitor session 1 source remo
SW2(config)#monitor session 1 source remote vl
SW2(config)#monitor session 1 source remote vlan 999
SW2(config)#moni
SW2(config)#monitor se
SW2(config)#monitor session 1 des
SW2(config)#monitor session 1 destination int
SW2(config)#monitor session 1 destination interface f1/0/12 en
SW2(config)#monitor session 1 destination interface f1/0/12 encapsulation rep
SW2(config)#$sion 1 destination interface f1/0/12 encapsulation replicate 
SW2(config)#no monitor session 1 destination interface f1/0/12 encapsulation r$
SW2(config)#$session 1 destination interface f1/0/12                         
% All or part of the specified port(s) are not the destination port of the SPAN session. Command rejected.
SW2(config)#monitor session 1 destination interface f1/0/12   
SW2(config)#do sh run | i monitor
monitor session 1 destination interface Fa1/0/12
monitor session 1 source remote vlan 999 
SW2(config)#
*Mar  1 01:35:43.184: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/23, changed state to down
SW2(config)#
*Mar  1 01:35:44.199: %LINK-3-UPDOWN: Interface FastEthernet1/0/23, changed state to down
SW2(config)#
*Mar  1 01:35:48.419: %LINK-3-UPDOWN: Interface FastEthernet1/0/23, changed state to up
SW2(config)#
*Mar  1 01:35:50.440: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/23, changed state to up
SW2(config)#vlan 998        
SW2(config-vlan)#remo
SW2(config-vlan)#remote-span 
SW2(config-vlan)#exit
SW2(config)#do sh vlan bri

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0/1, Fa1/0/2, Fa1/0/4
                                                Fa1/0/5, Fa1/0/6, Fa1/0/7
                                                Fa1/0/8, Fa1/0/9, Fa1/0/10
                                                Fa1/0/11, Fa1/0/13, Fa1/0/14
                                                Fa1/0/15, Fa1/0/16, Fa1/0/17
                                                Fa1/0/18, Fa1/0/19, Fa1/0/20
                                                Fa1/0/21, Fa1/0/22, Gi1/0/1
                                                Gi1/0/2
128  VLAN0128                         active    
129  VLAN0129                         active    
130  VLAN0130                         active    
998  VLAN0998                         active    
999  VLAN0999                         active    
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 
SW2(config)#moni
SW2(config)#monitor se
SW2(config)#monitor session 1 de
SW2(config)#monitor session 1 destination remo
SW2(config)#monitor session 1 destination remote vl
SW2(config)#monitor session 1 destination remote vlan 998
% Session - 1 is a not a Remote Source session. Can't add RSPAN VLAN as destination
SW2(config)#do sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0/1, Fa1/0/2, Fa1/0/4
                                                Fa1/0/5, Fa1/0/6, Fa1/0/7
                                                Fa1/0/8, Fa1/0/9, Fa1/0/10
                                                Fa1/0/11, Fa1/0/13, Fa1/0/14
                                                Fa1/0/15, Fa1/0/16, Fa1/0/17
                                                Fa1/0/18, Fa1/0/19, Fa1/0/20
                                                Fa1/0/21, Fa1/0/22, Gi1/0/1
                                                Gi1/0/2
128  VLAN0128                         active    
129  VLAN0129                         active    
130  VLAN0130                         active    
998  VLAN0998                         active    
999  VLAN0999                         active    
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 
SW2(config)#do sh run | sec vlan
vlan internal allocation policy ascending
vlan 128-130 
vlan 998
 remote-span
vlan 999
 remote-span
monitor session 1 source remote vlan 999 
SW2(config)#monitor session 1 destination remote ?       
  vlan  Remote SPAN destination RSPAN VLAN

SW2(config)#monitor session 1 destination remote v
SW2(config)#monitor session 1 destination remote vlan ?
  <1006-4094>  Remote SPAN destination extended RSPAN VLAN number
  <2-1001>     Remote SPAN destination RSPAN VLAN number

SW2(config)#monitor session 1 destination re                  
SW2(config)#monitor session 1 destination remote vl
SW2(config)#monitor session 1 destination remote vlan 998
% Session - 1 is a not a Remote Source session. Can't add RSPAN VLAN as destination
SW2(config)#

SW2 rejected multiple switch RSPAN…

Fa1/0/1 - SW1 - SW2 - SW3 - Wireshark

Let's reference CCO(cisco.com)

Cisco IOS LAN Switching Command Reference - mac address-group through revision [Support] - Cisco

References

PG1X WIKI

Table of Contents

Cisco: Packet Capture: SPAN, RSPAN

Blueprint

Base Configuration

Local SPAN Lab

Remote SPAN(RSPAN) Lab

References

PG1X WIKI

User Tools

Site Tools

Table of Contents

Cisco: Packet Capture: SPAN, RSPAN

Blueprint

Base Configuration

Local SPAN Lab

Remote SPAN(RSPAN) Lab

References

Page Tools