# CCNA 200-301 - Video 49: SPAN, RSPAN, and ERSPAN

## Deep Study Notes

---

## Learning Objectives

By the end of this video, you should understand:

- What SPAN (Switched Port Analyzer) is and why it's used
- SPAN configuration (local port monitoring)
- RSPAN (Remote SPAN) concepts and configuration
- ERSPAN (Encapsulated Remote SPAN) concepts
- SPAN limitations and best practices
- Troubleshooting SPAN sessions

---

## Core Concepts

### 1. What is SPAN?

**Definition:** Switched Port Analyzer (SPAN) is a Cisco feature that mirrors traffic from source ports or VLANs to a destination port for analysis, typically using a network analyzer like Wireshark.

**Analogy:** Think of SPAN like a security camera in a store. The camera (destination port) records everything happening in a specific aisle (source port). You can review the footage later to see what happened.

```
SPAN CONCEPT

  PC1
   |
   |  original traffic
   v
+------------------------------+
| Switch                       |
|   Fa0/1 (source port)        |
|        |                     |
|   SPAN session               |
|        |  mirrored traffic   |
|        v                     |
|   Fa0/24 (destination port)  |
+------------------------------+
   |
   v
Analyzer PC (Wireshark)
```

---

### 2. SPAN Terminology

| Term | Description |
|------|-------------|
| **Source Port** | Port being monitored (traffic mirrored from here) |
| **Source VLAN** | VLAN being monitored (all ports in VLAN are sources) |
| **Destination Port** | Port where mirrored traffic is sent (monitoring device) |
| **SPAN Session** | Configuration that defines source and destination |
| **Ingress Traffic** | Traffic entering the source port/VLAN |
| **Egress Traffic** | Traffic exiting the source port/VLAN |
| **Both** | Both ingress and egress traffic |

```
SPAN DIRECTION

PC1 <----> Switch port Fa0/1

  Ingress (RX): traffic from PC1, received by the port
  Egress  (TX): traffic to PC1, transmitted by the port

SPAN direction options:
  rx   : mirror only ingress traffic
  tx   : mirror only egress traffic
  both : mirror both directions (default)
```

---

### 3. SPAN Configuration

**Basic SPAN Configuration (Single Source Port):**

```cisco
! Configure SPAN session 1
Switch(config)# monitor session 1 source interface fastEthernet 0/1
Switch(config)# monitor session 1 destination interface fastEthernet 0/24

! Verify SPAN session
Switch# show monitor session 1
```

**SPAN with Direction Control:**

```cisco
! Mirror only ingress traffic (RX)
Switch(config)# monitor session 1 source interface fastEthernet 0/1 rx
Switch(config)# monitor session 1 destination interface fastEthernet 0/24

! Mirror only egress traffic (TX)
Switch(config)# monitor session 2 source interface fastEthernet 0/1 tx
Switch(config)# monitor session 2 destination interface fastEthernet 0/25

! Mirror both directions (default)
Switch(config)# monitor session 3 source interface fastEthernet 0/1 both
Switch(config)# monitor session 3 destination interface fastEthernet 0/26
```

**SPAN with Multiple Source Ports:**

```cisco
! Mirror multiple ports to same destination
Switch(config)# monitor session 1 source interface fastEthernet 0/1 , fastEthernet 0/2 , fastEthernet 0/3
Switch(config)# monitor session 1 destination interface fastEthernet 0/24

! Using an interface range (a hyphen with a space on each side; there is no "range" keyword here)
Switch(config)# monitor session 1 source interface fastEthernet 0/1 - 5
Switch(config)# monitor session 1 destination interface fastEthernet 0/24
```

**SPAN with Source VLAN:**

```cisco
! Mirror all ports in VLAN 10
Switch(config)# monitor session 1 source vlan 10
Switch(config)# monitor session 1 destination interface fastEthernet 0/24

! Mirror specific VLAN traffic direction
Switch(config)# monitor session 1 source vlan 10 rx
Switch(config)# monitor session 1 destination interface fastEthernet 0/24
```

**SPAN with VLAN Filtering:**

```cisco
! Mirror specific VLANs from a trunk port
Switch(config)# monitor session 1 source interface gigabitEthernet 0/1
Switch(config)# monitor session 1 filter vlan 10,20,30
Switch(config)# monitor session 1 destination interface fastEthernet 0/24
```

---

### 4. SPAN Verification Commands

| Command | Purpose |
|---------|---------|
| `show monitor session [num]` | Display specific SPAN session |
| `show monitor session all` | Display all SPAN sessions |
| `show monitor session [num] detail` | Detailed SPAN session info |
| `show running-config \| include monitor` | Display SPAN config |

**Example Outputs:**

```cisco
Switch# show monitor session 1
Session 1
--------
Type                : Local Session
Source Ports        :
    Both            : Fa0/1
Destination Ports   : Fa0/24
    Encapsulation   : Native
          Ingress   : Disabled

Switch# show monitor session all
Session 1
--------
Type                : Local Session
Source Ports        :
    Both            : Fa0/1
Destination Ports   : Fa0/24

Session 2
--------
Type                : Local Session
Source VLANs        :
    RX Only         : 10
Destination Ports   : Fa0/25

Switch# show monitor session 1 detail
Session 1
---------
Type                : Local Session
Description         : -
Source Ports        :
    RX Only         : Fa0/1
Source VLANs        :
    RX Only         : 10
Destination Ports   : Fa0/24
    Encapsulation   : Native
          Ingress   : Disabled
Filter VLANs        : 10,20,30
```

---

### 5. SPAN Limitations and Considerations

**1. Destination port restrictions**

- Destination port cannot be a source port
- Destination port cannot be a trunk port (by default)
- Destination port operates at the speed of the source port
- Multiple sources can share one destination

**2. Traffic not mirrored**

- SPAN does not mirror SPAN traffic itself
- CDP, VTP, DTP, PAgP, LACP control frames (depending on config)
- Routing protocol control packets (OSPF, EIGRP) may not be mirrored
- Encapsulated traffic on trunk ports

**3. Performance impact**

- Copying traffic uses switch CPU/memory
- High traffic rates can impact switch performance
- Multiple SPAN sessions increase overhead
- Use SPAN only when needed, not continuously

---

### 6. RSPAN (Remote SPAN)

**Definition:** RSPAN extends SPAN across multiple switches by using a dedicated VLAN to transport mirrored traffic to a remote destination.
```
RSPAN ARCHITECTURE

Source Switch                          Destination Switch

PC1                                    Analyzer
 |                                        ^
Fa0/1 (source port)                    Fa0/24 (destination port)
 |                                        |
RSPAN source, VLAN 100                 RSPAN destination, VLAN 100
 |                                        |
Gi0/24 (trunk) ======================= Gi0/24 (trunk)

The RSPAN VLAN carries mirrored traffic across switches.
```

**RSPAN Configuration (Source Switch):**

```cisco
! Create RSPAN VLAN
SwitchA(config)# vlan 100
SwitchA(config-vlan)# remote-span
SwitchA(config-vlan)# exit

! Configure RSPAN source
SwitchA(config)# monitor session 1 source interface fastEthernet 0/1
SwitchA(config)# monitor session 1 destination remote vlan 100

! Configure trunk for RSPAN VLAN
SwitchA(config)# interface gigabitEthernet 0/24
SwitchA(config-if)# switchport mode trunk
SwitchA(config-if)# switchport trunk allowed vlan add 100
SwitchA(config-if)# exit
```

**RSPAN Configuration (Destination Switch):**

```cisco
! Create same RSPAN VLAN
SwitchB(config)# vlan 100
SwitchB(config-vlan)# remote-span
SwitchB(config-vlan)# exit

! Configure RSPAN destination
SwitchB(config)# monitor session 1 source remote vlan 100
SwitchB(config)# monitor session 1 destination interface fastEthernet 0/24

! Configure trunk for RSPAN VLAN
SwitchB(config)# interface gigabitEthernet 0/24
SwitchB(config-if)# switchport mode trunk
SwitchB(config-if)# switchport trunk allowed vlan add 100
SwitchB(config-if)# exit
```

---

### 7. ERSPAN (Encapsulated Remote SPAN)

**Definition:** ERSPAN encapsulates mirrored traffic in GRE packets and sends it over an IP network (Layer 3), allowing monitoring across routed networks.

```
ERSPAN ARCHITECTURE

Source Switch                  IP Network                   Destination

PC1                                                         Analyzer
 |                                                             ^
Fa0/1 (source port)                                         Destination port
 |                                                             |
ERSPAN source                                               Switch
GRE encapsulation (IP 192.168.1.1)                             |
 |                                                             |
Gi0/0 (192.168.1.1) ------ Router Gi0/0 (192.168.1.2) ------ Gi0/0

ERSPAN uses GRE encapsulation to transport mirrored traffic over IP.
```

**ERSPAN Configuration (Source Switch):**

```cisco
! Configure ERSPAN source
SwitchA(config)# monitor session 1 type erspan-source
SwitchA(config-mon-erspan-src)# source interface fastEthernet 0/1
SwitchA(config-mon-erspan-src)# destination
SwitchA(config-mon-erspan-src-dst)# ip address 192.168.2.100
SwitchA(config-mon-erspan-src-dst)# erspan-id 1
SwitchA(config-mon-erspan-src-dst)# origin ip address 192.168.1.1
SwitchA(config-mon-erspan-src-dst)# exit
```

**ERSPAN Configuration (Destination Switch):**

```cisco
! Configure ERSPAN destination
SwitchB(config)# monitor session 1 type erspan-destination
SwitchB(config-mon-erspan-dst)# destination interface fastEthernet 0/24
SwitchB(config-mon-erspan-dst)# source
SwitchB(config-mon-erspan-dst-src)# erspan-id 1
SwitchB(config-mon-erspan-dst-src)# ip address 192.168.2.100
```

---

### 8. SPAN vs. RSPAN vs. ERSPAN Comparison

| Feature | SPAN | RSPAN | ERSPAN |
|---------|------|-------|--------|
| **Scope** | Single switch | Multiple switches (Layer 2) | Anywhere (Layer 3/IP) |
| **Transport** | Local switch | Dedicated VLAN | GRE/IP encapsulation |
| **Protocol** | Ethernet | Ethernet | GRE/IP |
| **Distance** | Switch internal | Switched network | Routed network |
| **Configuration** | Simple | Moderate | Complex |
| **Use Case** | Local monitoring | Campus monitoring | WAN/Remote monitoring |

```
SPAN vs. RSPAN vs. ERSPAN

SPAN:
  Source Switch ----------------------------------------------------> Analyzer
  (Same switch, no special transport)

RSPAN:
  Source Switch ---- RSPAN VLAN (L2) ---- Destination Switch ---- Analyzer

ERSPAN:
  Source Switch ---- GRE/IP Network (L3) ---- Destination Switch ---- Analyzer
```

---

### 9. SPAN Best Practices

**1. Use a dedicated destination port**

- Use a dedicated port for SPAN destination
- Do not use production ports as destination
- Ensure destination port speed matches source aggregate bandwidth

**2. Monitor only what's needed**

- Limit sources to specific ports or VLANs
- Use direction control (rx/tx) to reduce traffic
- Avoid monitoring high-speed trunks unless necessary

**3. Plan for bandwidth**

- Destination port must handle aggregate traffic from sources
- 1 Gbps source × 10 ports = 10 Gbps destination requirement
- Use higher-speed destination ports when needed

**4. Security considerations**

- SPAN traffic may contain sensitive data
- Secure analyzer ports (physical security)
- Use RSPAN/ERSPAN with VLAN isolation
- Consider encryption for ERSPAN over untrusted networks

**5. Troubleshooting**

- Verify destination port is up/up
- Check for dropped packets (show monitor)
- Ensure trunk ports carry RSPAN VLAN
- Verify IP reachability for ERSPAN

---

## Complete Configuration Examples

### Lab 1: Local SPAN

**Topology:**

```
PC1 (Fa0/1) ---- Switch ---- Analyzer (Fa0/24)
```

**Switch Configuration:**

```cisco
! Configure SPAN session to monitor PC1
Switch(config)# monitor session 1 source interface fastEthernet 0/1 both
Switch(config)# monitor session 1 destination interface fastEthernet 0/24

! Verify
Switch# show monitor session 1

! Remove SPAN session
Switch(config)# no monitor session 1
```

---

### Lab 2: SPAN with Multiple Source Ports

**Topology:**

```
PC1 (Fa0/1) ---+
PC2 (Fa0/2) ---+--- Switch ---- Analyzer (Fa0/24)
PC3 (Fa0/3) ---+
```

**Switch Configuration:**

```cisco
! Monitor multiple ports (range syntax: a hyphen with a space on each side, no "range" keyword)
Switch(config)# monitor session 1 source interface fastEthernet 0/1 - 3 both
Switch(config)# monitor session 1 destination interface fastEthernet 0/24

! Verify
Switch# show monitor session 1
```

---

### Lab 3: RSPAN Configuration

**Topology:**

```
Source Switch                 Destination Switch
PC1 (Fa0/1)                   Analyzer (Fa0/24)
     |                              |
     +----------- Trunk ------------+
```

**Source Switch Configuration:**

```cisco
! Create RSPAN VLAN
SwitchA(config)# vlan 100
SwitchA(config-vlan)# remote-span
SwitchA(config-vlan)# exit

! Configure RSPAN source
SwitchA(config)# monitor session 1 source interface fastEthernet 0/1 both
SwitchA(config)# monitor session 1 destination remote vlan 100

! Configure trunk to carry RSPAN VLAN
SwitchA(config)# interface gigabitEthernet 0/24
SwitchA(config-if)# switchport mode trunk
SwitchA(config-if)# switchport trunk allowed vlan add 100
SwitchA(config-if)# exit
```

**Destination Switch Configuration:**

```cisco
! Create same RSPAN VLAN
SwitchB(config)# vlan 100
SwitchB(config-vlan)# remote-span
SwitchB(config-vlan)# exit

! Configure RSPAN destination
SwitchB(config)# monitor session 1 source remote vlan 100
SwitchB(config)# monitor session 1 destination interface fastEthernet 0/24

! Configure trunk to carry RSPAN VLAN
SwitchB(config)# interface gigabitEthernet 0/24
SwitchB(config-if)# switchport mode trunk
SwitchB(config-if)# switchport trunk allowed vlan add 100
SwitchB(config-if)# exit
```

---

### Lab 4: ERSPAN Configuration

**Topology:**

```
Source Switch (192.168.1.1) ---- IP Network ---- Destination Switch (192.168.2.100)
PC1 (Fa0/1)                                      Analyzer (Fa0/24)
```

**Source Switch Configuration:**

```cisco
! Configure ERSPAN source
SwitchA(config)# monitor session 1 type erspan-source
SwitchA(config-mon-erspan-src)# source interface fastEthernet 0/1
SwitchA(config-mon-erspan-src)# destination
SwitchA(config-mon-erspan-src-dst)# ip address 192.168.2.100
SwitchA(config-mon-erspan-src-dst)# erspan-id 1
SwitchA(config-mon-erspan-src-dst)# origin ip address 192.168.1.1
SwitchA(config-mon-erspan-src-dst)# exit

! Verify
SwitchA# show monitor session 1
```

**Destination Switch Configuration:**

```cisco
! Configure ERSPAN destination
SwitchB(config)# monitor session 1 type erspan-destination
SwitchB(config-mon-erspan-dst)# destination interface fastEthernet 0/24
SwitchB(config-mon-erspan-dst)# source
SwitchB(config-mon-erspan-dst-src)# erspan-id 1
SwitchB(config-mon-erspan-dst-src)# ip address 192.168.2.100
SwitchB(config-mon-erspan-dst-src)# exit

! Verify
SwitchB# show monitor session 1
```

---

### Lab 5: SPAN with VLAN Filtering

**Topology:**

```
Trunk Port (Gi0/1) carries VLANs 10,20,30
Monitor only VLANs 10 and 20
```

**Switch Configuration:**

```cisco
! Monitor trunk port but filter specific VLANs
Switch(config)# monitor session 1 source interface gigabitEthernet 0/1 both
Switch(config)# monitor session 1 filter vlan 10,20
Switch(config)# monitor session 1 destination interface fastEthernet 0/24

! Verify
Switch# show monitor session 1
Switch# show monitor session 1 detail
```

---

## Exam Tips (For CCNA 200-301)

| Topic | What Cisco Tests |
|-------|------------------|
| **SPAN Purpose** | Mirror traffic for analysis (Wireshark, IDS) |
| **SPAN Direction** | rx (ingress), tx (egress), both |
| **Source Types** | Ports, VLANs |
| **RSPAN** | Remote SPAN over Layer 2 VLAN |
| **ERSPAN** | Encapsulated Remote SPAN over IP/GRE |
| **RSPAN VLAN** | Must be configured with `remote-span` |
| **Destination Restrictions** | Cannot be source port, cannot be trunk (by default) |

### Common Exam Scenarios:

**Scenario 1:** "A security analyst needs to capture traffic from a specific switch port for analysis. Which feature should be configured?"

- **Answer:** SPAN (Switched Port Analyzer)

**Scenario 2:** "Traffic from a switch in one building needs to be monitored from a switch in another building across a routed network. Which feature should be used?"

- **Answer:** ERSPAN (Encapsulated Remote SPAN)

**Scenario 3:** "What is the purpose of the `remote-span` VLAN command?"

- **Answer:** Marks a VLAN as an RSPAN VLAN for transporting mirrored traffic

### Mnemonics:

**SPAN Types:** **"S.R.E." - SPAN, RSPAN, ERSPAN**

- **S**PAN: Local only
- **R**SPAN: Remote Layer 2
- **E**RSPAN: Remote Layer 3/IP

**SPAN Directions:** **"R.T.B." - Receive, Transmit, Both**

- **R**x: Receive (ingress)
- **T**x: Transmit (egress)
- **B**oth: Both directions

---

## Summary (1-Minute Revision)

```
SPAN, RSPAN, ERSPAN:

SPAN (Switched Port Analyzer):
├── Local traffic mirroring (single switch)
├── Source: Ports or VLANs
├── Destination: Local port
├── Direction: rx, tx, both
└── Command: monitor session [id] source/destination

RSPAN (Remote SPAN):
├── Remote mirroring over Layer 2
├── Uses dedicated VLAN (remote-span)
├── Source: Ports on source switch
├── Destination: Remote VLAN
└── Destination switch: source remote vlan

ERSPAN (Encapsulated Remote SPAN):
├── Remote mirroring over IP/Layer 3
├── Uses GRE encapsulation
├── Source: ERSPAN source configuration
├── Destination: IP address
└── Works across routed networks

CONFIGURATION:

SPAN:
├── monitor session 1 source interface fa0/1
└── monitor session 1 destination interface fa0/24

RSPAN:
├── vlan 100, remote-span
├── monitor session 1 source interface fa0/1
├── monitor session 1 destination remote vlan 100
└── (On dest) monitor session 1 source remote vlan 100 destination fa0/24

ERSPAN:
├── monitor session 1 type erspan-source
├── source interface fa0/1
├── destination ip address 192.168.2.100
├── erspan-id 1
├── origin ip address 192.168.1.1
└── (On dest) monitor session 1 type erspan-destination

VERIFICATION:
├── show monitor session [id]
├── show monitor session all
└── show monitor session [id] detail
```

---

## Practice Questions

**1. What does SPAN stand for?**

- A) Switched Port Analyzer
- B) Simple Port Analyzer
- C) Switched Packet Analyzer
- D) Simple Packet Analyzer

<details>
<summary>Answer</summary>
<b>A) Switched Port Analyzer</b> - SPAN is Cisco's Switched Port Analyzer for traffic mirroring.
</details>

**2. Which command configures a SPAN session to monitor port Fa0/1?**

- A) `monitor session 1 source interface fa0/1`
- B) `span session 1 source fa0/1`
- C) `port-monitor session 1 source fa0/1`
- D) `mirror session 1 source fa0/1`

<details>
<summary>Answer</summary>
<b>A) `monitor session 1 source interface fa0/1`</b> - This configures the source port for SPAN.
</details>

**3. What is the purpose of RSPAN?**

- A) Local traffic mirroring
- B) Remote traffic mirroring over Layer 2
- C) Remote traffic mirroring over IP
- D) Packet capture on router

<details>
<summary>Answer</summary>
<b>B) Remote traffic mirroring over Layer 2</b> - RSPAN uses a dedicated VLAN for remote mirroring.
</details>

**4. Which command is used to mark a VLAN for RSPAN?**

- A) `vlan 100 remote-span`
- B) `vlan 100 rspan`
- C) `vlan 100 span`
- D) `vlan 100 mirror`

<details>
<summary>Answer</summary>
<b>A) `vlan 100 remote-span`</b> - The `remote-span` command marks the VLAN for RSPAN.
</details>

**5. Which SPAN type uses GRE encapsulation?**

- A) SPAN
- B) RSPAN
- C) ERSPAN
- D) None

<details>
<summary>Answer</summary>
<b>C) ERSPAN</b> - Encapsulated Remote SPAN uses GRE encapsulation over IP.
</details>

**6. Which direction options are available for SPAN?**

- A) rx, tx, both
- B) in, out, both
- C) ingress, egress, all
- D) receive, send, both

<details>
<summary>Answer</summary>
<b>A) rx, tx, both</b> - rx (receive/ingress), tx (transmit/egress), both.
</details>

**7. Which command displays SPAN session information?**

- A) `show span`
- B) `show monitor session`
- C) `show mirror`
- D) `show port-monitor`

<details>
<summary>Answer</summary>
<b>B) `show monitor session`</b> - Displays SPAN session configuration.
</details>

**8. What is a limitation of SPAN destination ports?**

- A) Cannot be used for data traffic
- B) Must be faster than source ports
- C) Cannot be a source port
- D) All of the above

<details>
<summary>Answer</summary>
<b>D) All of the above</b> - Destination ports have several restrictions.
</details>

**9. Which feature allows traffic monitoring across routed networks?**

- A) SPAN
- B) RSPAN
- C) ERSPAN
- D) VSPAN

<details>
<summary>Answer</summary>
<b>C) ERSPAN</b> - ERSPAN works over IP networks using GRE encapsulation.
</details>

**10. What does ERSPAN use for encapsulation?**

- A) IPsec
- B) GRE
- C) L2TP
- D) MPLS

<details>
<summary>Answer</summary>
<b>B) GRE</b> - ERSPAN uses Generic Routing Encapsulation.
</details>

**11. Which command configures ERSPAN destination IP?**

- A) `destination ip address`
- B) `erspan-destination ip`
- C) `ip destination`
- D) `remote ip`

<details>
<summary>Answer</summary>
<b>A) `destination ip address`</b> - Configures the destination IP for ERSPAN.
</details>

**12. Which traffic is NOT typically mirrored by SPAN?**

- A) User data
- B) CDP frames
- C) Spanning Tree BPDUs
- D) All of the above may not be mirrored

<details>
<summary>Answer</summary>
<b>D) All of the above may not be mirrored</b> - Control plane traffic may not be mirrored depending on configuration.
</details>

---

## Next Steps

After completing Video 49, you should be ready for:

- **Video 50:** Cisco DNA Center and SD-Access
- **Video 51:** Troubleshooting Methodology

**Lab Practice:**

1. Configure local SPAN to monitor a port
2. Capture traffic with Wireshark
3. Configure SPAN with multiple source ports
4. Configure RSPAN between two switches
5. Configure ERSPAN across a routed network
6. Verify with `show monitor session`
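The destination-port restriction in section 5, the `remote-span` requirement for RSPAN VLANs in section 6 and the bandwidth rule in section 9 can be checked mechanically against a saved configuration. The following is an added example, not part of the original notes: the sample configuration is constructed, and the function names and the speed-per-prefix table are assumptions of this example.

```python
import re
from collections import defaultdict

# Nominal Mbps per interface-name prefix (assumption; real ports may run slower).
SPEED = {"fa": 100, "gi": 1000, "te": 10000}

# Constructed sample, in the form `show running-config` prints it.
SAMPLE_CONFIG = """\
vlan 100
 remote-span
!
vlan 200
!
monitor session 1 source interface Fa0/1 - 3
monitor session 1 destination interface Fa0/24
monitor session 2 source interface Gi0/1 rx
monitor session 2 destination remote vlan 200
monitor session 3 source interface Fa0/24
monitor session 4 source remote vlan 100
monitor session 4 destination interface Gi0/2
"""

def norm(name):
    """'fastEthernet 0/1' or 'Fa0/1' -> 'fa0/1'."""
    m = re.fullmatch(r"\s*([A-Za-z]+)\s*([\d/]+)\s*", name)
    if not m:
        raise ValueError(f"unrecognised interface: {name!r}")
    return m.group(1)[:2].lower() + m.group(2)

def expand(spec):
    """Expand 'Fa0/1 , Fa0/3 - 5' into ['fa0/1', 'fa0/3', 'fa0/4', 'fa0/5']."""
    ports = []
    for part in spec.split(","):
        first, _, last = part.partition("-")
        base, start = norm(first).rsplit("/", 1)
        end = int(last) if last.strip() else int(start)
        ports += [f"{base}/{n}" for n in range(int(start), end + 1)]
    return ports

def parse(config):
    """Return (sessions, rspan_vlans) from running-config text."""
    sessions = defaultdict(lambda: {"src": [], "src_vlan": False, "src_rvlan": None,
                                    "dst": [], "dst_rvlan": None})
    rspan_vlans, current_vlan = set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            current_vlan = int(m.group(1))
        elif line == "remote-span" and current_vlan is not None:
            rspan_vlans.add(current_vlan)
        elif m := re.fullmatch(r"monitor session (\d+) (source|destination) (.+)", line):
            s, role, rest = sessions[int(m.group(1))], m.group(2), m.group(3)
            key = "src" if role == "source" else "dst"
            if rv := re.fullmatch(r"remote vlan (\d+)", rest):
                s[key + "_rvlan"] = int(rv.group(1))
            elif it := re.fullmatch(r"interface (.+?)(?: (?:rx|tx|both))?", rest):
                s[key] += expand(it.group(1))
            elif role == "source" and rest.startswith("vlan "):
                s["src_vlan"] = True
        elif not raw.startswith(" "):
            current_vlan = None          # left the vlan sub-mode
    return sessions, rspan_vlans

def audit(config):
    """Return a list of (session, finding, detail) tuples."""
    sessions, rspan_vlans = parse(config)
    all_sources = {p for s in sessions.values() for p in s["src"]}
    findings = []
    for sid, s in sorted(sessions.items()):
        offered = sum(SPEED.get(p[:2], 0) for p in s["src"])
        for d in s["dst"]:
            if d in all_sources:         # destination port cannot be a source port
                findings.append((sid, "dst-is-source", d))
            if offered > SPEED.get(d[:2], 0):   # destination must carry the aggregate
                findings.append((sid, "oversubscribed", f"{offered} > {SPEED.get(d[:2], 0)} Mbps"))
        for v in (s["src_rvlan"], s["dst_rvlan"]):   # RSPAN VLAN needs remote-span
            if v is not None and v not in rspan_vlans:
                findings.append((sid, "rspan-vlan-not-remote-span", str(v)))
        has_src = bool(s["src"]) or s["src_vlan"] or s["src_rvlan"] is not None
        has_dst = bool(s["dst"]) or s["dst_rvlan"] is not None
        if not (has_src and has_dst):
            findings.append((sid, "incomplete-session",
                             "no source" if not has_src else "no destination"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags sessions 1, 2 and 3 and leaves the correctly built RSPAN destination session 4 clean; the same inventory is also a quick way to spot monitor sessions nobody remembers configuring.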
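Section 7 states that ERSPAN wraps the mirrored frame in GRE over IP, and section 9 recommends encryption over untrusted networks. As an added example (not from the original notes), this decoder unpacks a constructed packet that uses the Lab 4 addresses and `erspan-id 1`, assuming ERSPAN Type II (GRE protocol type 0x88BE); the function names, the sample frame and its payload are assumptions.

```python
import ipaddress
import struct

IPPROTO_GRE = 47
GRE_PROTO_ERSPAN_II = 0x88BE      # GRE protocol type carried by ERSPAN Type II
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # checksum / key / sequence flags

def build_sample(inner_frame, session_id=1, vlan=10, seq=7):
    """Construct IPv4 + GRE + ERSPAN Type II around inner_frame (demo input only;
    the IPv4 checksum is left at zero because nothing here validates it)."""
    erspan = struct.pack("!HHI", (1 << 12) | vlan, session_id, 0)   # ver=1, index=0
    gre = struct.pack("!HHI", GRE_S, GRE_PROTO_ERSPAN_II, seq)
    payload = gre + erspan + inner_frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     IPPROTO_GRE, 0,
                     ipaddress.IPv4Address("192.168.1.1").packed,     # origin ip address
                     ipaddress.IPv4Address("192.168.2.100").packed)   # destination ip address
    return ip + payload

def decode_erspan(packet):
    """Decode outer IPv4/GRE/ERSPAN II headers and return the mirrored frame's fields."""
    if packet[0] >> 4 != 4 or packet[9] != IPPROTO_GRE:
        raise ValueError("not an IPv4 packet carrying GRE")
    ihl = (packet[0] & 0x0F) * 4
    origin, collector = (str(ipaddress.IPv4Address(packet[o:o + 4])) for o in (12, 16))
    flags, proto = struct.unpack_from("!HH", packet, ihl)
    if proto != GRE_PROTO_ERSPAN_II:
        raise ValueError("GRE payload is not ERSPAN Type II")
    off = ihl + 4
    if flags & GRE_C:
        off += 4                      # checksum + reserved
    if flags & GRE_K:
        off += 4                      # key
    seq = None
    if flags & GRE_S:
        (seq,) = struct.unpack_from("!I", packet, off)
        off += 4
    w1, w2, w3 = struct.unpack_from("!HHI", packet, off)   # 8-byte ERSPAN II header
    if w1 >> 12 != 1:
        raise ValueError("unexpected ERSPAN version")
    frame = packet[off + 8:]          # the mirrored Ethernet frame, unmodified
    return {
        "origin": origin, "collector": collector, "sequence": seq,
        "vlan": w1 & 0x0FFF, "session_id": w2 & 0x03FF,
        "truncated": bool(w2 & 0x0400), "index": w3 & 0xFFFFF,
        "inner_dst_mac": frame[0:6].hex(":"), "inner_src_mac": frame[6:12].hex(":"),
        "inner_ethertype": struct.unpack_from("!H", frame, 12)[0],
        "inner_payload": frame[14:],
    }

# Constructed mirrored frame: dst MAC, src MAC, experimental EtherType 0x88B5, payload.
SAMPLE_FRAME = bytes.fromhex("0011223344550a0b0c0d0e0f88b5") + b"constructed cleartext payload"

if __name__ == "__main__":
    for field, value in decode_erspan(build_sample(SAMPLE_FRAME)).items():
        print(f"{field:16} {value}")
```

The decoded `inner_payload` is byte-for-byte what the source port carried: GRE adds headers but no confidentiality, so any device on the routed path can read the mirrored traffic unless the ERSPAN flow is itself protected.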