CCIE Routing & Switching v5 Workbook - CCIE R&S v5 Advanced Technology Labs - LAN Switching
RSPAN
A Note On Section Initial Configuration Files: You must load the
initial configuration files for the section, named LAN Switching Initial
Spanning Tree, which can be found in
. Reference the Virtual Routers &
Physical Switches Diagram to complete this task.
Task
Disable the Ethernet links between SW1 and SW2.
Create VLAN 500 as an RSPAN VLAN on all switches in the topology.
Configure Fa0/5 on SW2 to be an access port on VLAN 43 and redirect all traffic on
this port to the RSPAN VLAN.
Configure SW1 to capture traffic on RSPAN VLAN and redirect it to a host connected
to port Fa0/24.
Accept inbound tagged traffic for VLAN 146.
Configuration
SW1:
interface range FastEthernet0/23 - 24
 shutdown
!
vlan 500
 remote-span
!
monitor session 2 destination interface Fa0/24 ingress dot1q vlan 146
monitor session 2 source remote vlan 500
SW2:
interface range FastEthernet0/23 - 24
 shutdown
!
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 43
!
monitor session 2 source interface FastEthernet0/5
monitor session 2 destination remote vlan 500
Verification
The Remote SPAN, or RSPAN, feature is used when the source port or VLAN that
is being monitored is on a different physical switch than the destination sniffer or
sensor. The SPAN session can be spanned across multiple switches (a Layer 2
network). With ERSPAN, the SPAN session can be sent across a routed Layer 3
network.
The first step in configuring RSPAN is to ensure that the switches in the Layer 2
transit path from the source port/VLAN to the destination port are trunking at Layer
2, and know about the RSPAN VLAN that is used to encapsulate and transport the
monitored traffic. In this case VTP is used, so only the VTP server SW1 needs to
create the VLAN. Note the remote-span keyword under the VLAN: this is a special
attribute that affects how traffic is processed when it is received in this VLAN.
Next, the switch attached to the source port or VLAN creates a SPAN session. The
source of this span session, in the case of SW2, is all traffic on port Fa0/5. The
destination of the session is the RSPAN VLAN 500 itself. This means that all traffic
on port Fa0/5 will receive a new 802.1q header with a VLAN 500 tag and be sent
out in the Layer 2 network.
Finally, the switch attached to the sniffer/sensor creates a SPAN session with the
source as the RSPAN VLAN, and the destination as the local port. This means that
the switch wants to listen for all traffic received in the RSPAN VLAN and redirect it
out a local port. In this case, SW1 says that the source of the session is the remote
VLAN 500. On SW1, therefore, all traffic coming in a trunk link with a tag of 500 will
be redirected out port Fa0/24. Because the ingress dot1q vlan 146 keyword is also
used, SW1 accepts only inbound tagged traffic with tag 146.
SW2#show monitor session 2
Session 2
---------
Type                   : Remote Source Session
Source Ports           :
    Both               : Fa0/5
Dest RSPAN VLAN        : 500
!
!
SW1#show monitor session 2
Session 2
---------
Type                   : Remote Destination Session
Source RSPAN VLAN      : 500
Destination Ports      : Fa0/24
    Encapsulation      : Native
          Ingress      : Enabled, default VLAN = 146
    Ingress encap      : DOT1Q
Verify that VLAN 500 was propagated through VTP as RSPAN.
SW2#show vlan id 500

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
500  VLAN0500                         active    Fa0/19, Fa0/20

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
500  enet  100500     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Enabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
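
An added example, not part of the original workbook: a Python check of the RSPAN consistency rules described in the Verification section, run over this lab's SW1 and SW2 configurations embedded as sample input. The function names are hypothetical, and it assumes, as in this lab, that VTP propagates a remote-span VLAN declared on any one switch.

```python
import re

# Constructed sample input: the SW1 and SW2 configurations from this lab.
LAB = {
    "SW1": """vlan 500
 remote-span
!
monitor session 2 destination interface Fa0/24 ingress dot1q vlan 146
monitor session 2 source remote vlan 500
""",
    "SW2": """interface FastEthernet0/5
 switchport mode access
 switchport access vlan 43
!
monitor session 2 source interface FastEthernet0/5
monitor session 2 destination remote vlan 500
""",
}

def parse_switch(config):
    """Return (remote-span VLANs, RSPAN VLANs fed, RSPAN VLANs drained) for one config."""
    declared, fed, drained = set(), set(), set()
    vlan = None  # VLAN whose sub-commands are currently being read
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan = int(m.group(1))
        elif line == "remote-span" and vlan is not None:
            declared.add(vlan)
        elif line == "!" or line.startswith(("interface", "monitor")):
            vlan = None  # left VLAN configuration mode
        if m := re.fullmatch(r"monitor session \d+ (source|destination) remote vlan (\d+)", line):
            # "destination remote vlan" sends mirrored traffic into the RSPAN VLAN;
            # "source remote vlan" takes it back out toward the sensor port.
            (fed if m.group(1) == "destination" else drained).add(int(m.group(2)))
    return declared, fed, drained

def audit(configs):
    """Check RSPAN consistency across all switches; return a list of findings."""
    declared, fed, drained = set(), set(), set()
    for d, f, r in map(parse_switch, configs.values()):
        declared |= d
        fed |= f
        drained |= r
    return (
        [f"VLAN {v}: used by a monitor session but not declared remote-span"
         for v in sorted((fed | drained) - declared)]
        + [f"VLAN {v}: mirrored traffic is sent in but no switch delivers it to a port"
           for v in sorted(fed - drained)]
        + [f"VLAN {v}: destination session exists but no switch feeds it"
           for v in sorted(drained - fed)]
    )
```

`audit(LAB)` returns an empty list for the lab as configured. A mismatched VLAN ID on either side produces one finding per broken rule.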