Introduction

In this post we will have a look at the different port mirroring options available on the Catalyst 2960 switch series. We will have a look the differences between SPAN and RSPAN and how to configure them. This may also be valid for other Cisco switches.

Port Mirroring Explained

With port mirroring you can basically send all traffic of a switch port or VLAN to another port. This port can than be used to sniff and analyze the network traffic using Wireshark for example.

Difference between SPAN and RSPAN

SPAN

SPAN or Switch Port Analyzer is often also revered as Local SPAN. SPAN is used to mirror traffic from one switch port to another on the same switch.

RSPAN

RSPAN or Remote Switch Port Analyzer (Remote SPAN) is used to mirror traffic from one switch port to another across multiple switches. RSPAN works by mirroring the traffic from the source ports of an RSPAN session onto a VLAN that is dedicated for the RSPAN session. This VLAN can then be trunked to other switches.

Configuration

Configure SPAN

Use global configuration mode:

configure terminal

Define SPAN session and source port:

monitor session 1 source interface GigabitEthernet 1/0/1

Define destination port for your session:

monitor session 1 destination interface GigabitEthernet 1/0/2

All traffic on switch port GigabitEthernet0/1 will be mirrored to GigabitEthernet0/2 now. Keep in mind that you can also define multiple source or destination ports for each session.

View your configured session:

show monitor session 1

To remove your created SPAN session use the following command in global configuration mode:

no monitor session 1

Configure RSPAN

Source Switch Configuration

Create a VLAN for your RSPAN configuration:

vlan 999

In VLAN configuration mode set the remote-span option:

remote-span

If you limit the VLAN on your trunks you have to add the new VLAN, otherwise you can skip this step. Select your trunk interfaces in configuration mode:

interface GigabitEthernet 1/0/48

Allow the RSPAN VLAN on the trunk port:

switchport trunk allowed vlan add 999 end

Now we can set the source and destination ports again.
First we will set our source interface:

monitor session source interface GigabitEthernet 1/0/1

In the next step we have to define a reflector-port for our RSPAN configuration. The reflector port should be an empty switch port with no active device connected to it. The ports resources will then be used to mirror the traffic to the selected VLAN.

Set our newly created VLAN as the destination:

monitor session 1 destination remote vlan 999 reflector-port GigabitEthernet 1/0/3

Destination Switch Configuration

Create your RSPAN VLAN and allow it on your trunk port if necessary:

vlan 999
remote-span
interface GigabitEthernet 1/0/48
switchport trunk allowed vlan add 999

Set your monitor session source to your RSPAN VLAN:

monitor session 1 source remote vlan 999

Set the destination interface:

monitor session 1 destination interface GigabitEthernet 1/0/1

Port GigabitEthernet 1/0/1 on our destination switch can now be used to view the mirrored traffic from our source switch on port GigabitEthernet 1/0/1.