29 October 2010

Configuring Remote Switched Port Analyzer (RSPAN)

SPAN is configured and applies to a single switch. There is also a method for analyzing multiples switches. The destination is on a switch that is remote to the others source ports, which are on different switches. RSPAN can be used where it is necessary to monitor multiple points on a network without spending the money to have multiple monitors in place.

The next example shows a network with three switches connected together. There is a switch on each floor of this three-story building, and each serves the employes on the floor on which it is placed.

But the budget allows only one IDS sensor. The IDS is located on the third floor and connected to Gi0/24.

There are two particular ports we are interested in monitoring. One is the router connection, which is connected to the Internet (GigabitEthernet 0/1), and the others is on the second floor, where there is a critical financial system connected to Gi 0/10.


















Let´s walk through the configuration of an RSPAN as shown in the diagram. RSPAN requires that we create a VLAN so that we can have a destination for our monitor ports. We then have to configure the VLAN as an RSPAN VLAN. It´s important to note that only RSPAN traffic traverses this VLAN. See the configuration steps listed:

Switch3(config)# vlan 500
Switch3(config-vlan)# remote-span

Now that we have the RSPAN VLAN configured, we need to specify which ports are sources ports to monitor. In this case we want to monitor the router port and the financial server port, as previously mentioned. The keyword both used after the interface in this example means both transmit and receive traffic:

Switch1(config)# monitor session 1 source int g0/1 both
Switch2(config)# monitor session 1 source int g0/10 both

Next we need to configure the destination, using the VLAN that we set up earlier:

Switch1(config)# monitor session 1 dest remote vlan 500
Switch2(config)# monitor session 1 dest remote vlan 500

Last we need to configure the forwarding destination port to point to the remote VLAN to have the IDS monitor the traffic:

switch3(config)# monitor session 1 source rem vlan 500
switch3(config)# monitor session 1 dest int giga 0/24

Now let´s verify the switch configuration for the three switches. Let´s start with Switch 1:






















Next let´s look at Switch 2:






















Last, let´s look at Switch 3 configuration, which will be different than the other two switches because the destination ports live here.






















 biOos
Posted by at
Labels:

2 comments:

Raj said...

Hi Markus,

I am not sure what could I have done wrong, I have similar configuration on my three switches but I cant capture any traffic on 3rd switch.

Do you have any suggestions?

Thanks & Regards,
Rajabu Kitindi

11:55 AM
MBORILE said...

Hello, all three switches have the vlan 500? Trunk on switches allow the vlan? Create a SVI using vlan 500 for connectivity test.

1:32 PM

Post a Comment

Subscribe to: Post Comments (Atom)