Mastering The Art Of SPAN Port Mirroring: A Practical Approach

ByImran Ullah Khan

A switch port analyzer or SPAN port mirroring is a way through which we capture network data for monitoring purposes. It is also called port mirroring because it mirrors traffic from different ports to different ports. We mirror the network traffic from one set of ports to another port which can then be connected to a monitoring device. It allows us to analyze the network traffic through some software like Wireshark to monitor client usage and perform general analysis.

SPAN Port Mirroring Variations

a) Local SPAN

In the local Switch port analyzer, traffic is captured locally on a switch and mirrored to another local port on the same device.

Local SPAN Port Mirroring

Suppose a network administrator wants to capture port 10 traffic, and he also wants to analyze port 10 traffic at the local port 1.

b) Remote SPAN Port Mirroring

In this scenario, you can monitor your network traffic from remote locations that are distributed over multiple switches throughout the network.

Remote SPAN Port mirroring

Suppose you want to monitor the traffic of port 20,21,22 on switch2 and analyze it at switch2 on port 5. The source ports are at switch2 while the destination ports are at switch1. When the traffic passes between switches, then it will use a special vlan tag which is called Remote SPAN vlan. It is specially designed only for RSPAN traffic. The link between the two switches must be of the trunk.

c) ERSPAN

It is a Cisco proprietary, which uses a GRE tunnel to send traffic to a central location. It sends traffic through the layer 3 routing network. Every Cisco switch doesn’t support ERSPAN. But, it is supported by high-end Cisco switches like 4500, 6500 series, and Nexus switches.

ERSPAN

Configure a separate vlan for RSPAN, and don’t assign access ports to the Remote port analyzer. Similarly, Remote-span vlan must be allowed on a trunk port. Moreover, If VTP is configured in the network and VTP pruning is enabled on it, then it must be disabled for Remote SPAN vlan.

Important Points

The interfaces that we monitor are called source ports, or monitor ports, While those interfaces from where we monitor the traffic are called destination ports. The monitor ports will either transmit the traffic (Tx) receive the traffic or it will do both. Source and destination ports cannot be the same port. The destination port shouldn’t be fully saturated. It must be of greater bandwidth.

1) Configuration of Local SPAN

Below is the lap topology of Local SPAN Port Mirroring, which we will use for its implementation. There are three PCs and one server connected with Switch. A sniffer is also connected with a switch through the Gig 0/1 interface.

Local SPAN Practical

Interface fast ethernet from 0/1 to 0/5 will be monitored both for traffic receiving and transmitting. The sniffer through Gig 0/1 will monitor all five interfaces.

Check the monitor session at the switch by the following command.

show monitor session 1

Ping each PC from one another. Also, browse the web server by writing its IP address 192.168.1.1 in the browser for generating HTTP traffic as below:

browse web server

Now check the traffic generated in the network in the sniffer.

check traffic

That was the Local switch port mirroring configuration. The next configuration is RSPAN.

2) Configuration of RSPAN

Below is the lab topology of Remote port mirroring. There are two switches in the network. Two PCs are connected to the Switch1 and a server is also connected to it. A sniffer is connected to the switch 2. We will analyze the traffic at switch2 through Sniffer. The two switches are connected through a trunk link.

Configuring RSPAN

We will analyze the traffic of the web server that is connected to the switch via Fa 0/1. An analyzer at switch 2 is connected via Gig 0/1. There is a trunk link between two switches. Below is the configuration of RSPAN at switch1.

vlan 15 remote-span

Configuration of RSPAN at switch2

vlan 15 remote-span at sw2

Show monitor session at Switch1

show monitor session remote

Also, check the session at Swtich2

show monitor session remote at sw2

Check sniffer at switch2

check sniffer

Generate some traffic by Ping we server from PC at switch1. Also, browse the web server in PC1 by writing its IP address in the web browser of the PC.

browse http server

Now check the Sniffer the sniffer to monitor the traffic.

check traffic in sniffer

ICMP means that we Ping the web server, while HTTP indicates web browsing.

3) Configuration of ERSPAN

Below is the lab topology of ERSPAN.

configuring ERSPAN

The source port is in one network, while the destination port (analyzer) is in another network. So we will analyze the traffic of Network1 from Network3.

Configuration of Router R1.

ERSPAN on R1

Similarly, the configuration of ERSPAN on Router R2.

ERSPAN on R2
Imran Ullah Khan

Hey, I'm Imran Ullah Khan, an IT enthusiast from Lakki Marwat, Pakistan. I hold a BSCS degree and wear a tech-belt with certifications like CCNA, CCNP, MCSE, RHCSA, RHCE, FIREWALL, and VMWARE.

With 8 years of tech exploration, I'm currently an I.T instructor and the force behind CCNA Practical Labs. My blog is your gateway to practical CCNA insights. Let's simplify networking! WhatsApp at 0092313-9492026. Let's connect and tech-chat!

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *