SPAN, RSPAN and ERSPAN

Cisco switches have a feature that allows a copy of traffic from a source port or a source VLAN to be sent to a single port or IP address (over GRE). This feature is known as SPAN (Switch Port Analyser).

Reasons to use this feature include monitoring traffic, collecting traffic, or supporting a specific application, such as sending a copy of all voice traffic to a voice recorder so that any calls made using a VoIP system can be recorded. Another use is sending a copy of traffic to an IDS / IPS for security purposes.

The three types of SPAN:

SPAN

The source and destination of the target traffic are on the same local switch, and configuration is straightforward. Any traffic received on Gi1/0/1 will be duplicated and sent out of port Gi1/0/24.

[Screenshot: SPAN configuration]

RSPAN

Source and destination of target traffic can be on different switches. A dedicated VLAN has to be used to transport this traffic between source and destination switch. You need to ensure that you don't saturate the path between the switches if you are copying lots of traffic.

Configuration is required on both switches, as seen below. The example captures traffic from Gi1/0/1 on switch 3 and sends it to port Gi1/0/1 on switch 4.

Switch 3 configuration:

[Screenshot: switch 3 configuration]

Switch 4 configuration:

[Screenshot: switch 4 configuration]

ERSPAN

Firstly, ERSPAN is only supported on high-end platforms as it requires the ability to establish GRE tunnels. It isn't supported on the Cisco Catalyst 9300 switches that I am using for study, so the configuration has been taken from Cisco's website.

ERSPAN allows the destination of SPAN traffic to be on a separate layer 3 network by the use of a GRE tunnel. You could even set the destination IP address to a workstation running Wireshark; Wireshark is smart enough to see the traffic encapsulated in the GRE protocol and display the correct IP addressing of the captured traffic.

Configuration Example for an ERSPAN Source Session
This example shows how to configure an ERSPAN source session:

switch# config t
switch(config)# interface e14/30
switch(config-if)# no shut
switch(config-if)# exit
switch(config)# monitor erspan origin ip-address 3.3.3.3 global
switch(config)# monitor session 1 type erspan-source
switch(config-erspan-src)# source interface e14/30
switch(config-erspan-src)# erspan-id 1
switch(config-erspan-src)# ip ttl 16
switch(config-erspan-src)# ip dscp 5
switch(config-erspan-src)# vrf default
switch(config-erspan-src)# destination ip 9.1.1.2
switch(config-erspan-src)# no shut
switch(config-erspan-src)# exit
switch(config)# show monitor session 1

Configuration Example for an ERSPAN Destination Session
This example shows how to configure an ERSPAN destination session:

switch# config t
switch(config)# interface e14/29
switch(config-if)# no shut
switch(config-if)# switchport
switch(config-if)# switchport monitor
switch(config-if)# exit
switch(config)# monitor session 2 type erspan-destination
switch(config-erspan-dst)# source ip 9.1.1.2
switch(config-erspan-dst)# destination interface e14/29
switch(config-erspan-dst)# erspan-id 1
switch(config-erspan-dst)# vrf default
switch(config-erspan-dst)# no shut
switch(config-erspan-dst)# exit
switch(config)# show monitor session 2
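
The encapsulation that a receiver such as Wireshark has to unwrap, as an added Python example that is not part of the original post or Cisco's documentation: it parses the outer IPv4 header, the GRE header and the 8-byte ERSPAN Type II header, then reads the addressing of the mirrored frame. The sample packet is constructed; it reuses 3.3.3.3, 9.1.1.2, TTL 16 and erspan-id 1 from the source session above, while the use of ERSPAN Type II, the inner addresses, VLAN 10 and the sequence number are assumptions.

```python
import ipaddress
import struct

GRE_ERSPAN_II = 0x88BE  # GRE protocol type for ERSPAN Type II

def ipv4_header(src, dst, proto, ttl=64, payload_len=0):
    """Minimal 20-byte IPv4 header for the constructed sample (checksum zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto,
                       0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def build_sample():
    """Constructed packet: a mirrored 10.0.0.5 -> 10.0.0.9 frame inside ERSPAN."""
    frame = bytes(12) + b"\x08\x00" + ipv4_header("10.0.0.5", "10.0.0.9", 6)
    erspan = struct.pack("!HHI", (1 << 12) | 10, 1, 0)   # version 1, VLAN 10, ID 1
    gre = struct.pack("!HHI", 0x1000, GRE_ERSPAN_II, 7)  # S bit set, sequence 7
    body = gre + erspan + frame
    return ipv4_header("3.3.3.3", "9.1.1.2", 47, 16, len(body)) + body

def decode_erspan(pkt):
    """Return outer (tunnel) and inner (mirrored) addressing of a Type II packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 47:
        raise ValueError("not an IPv4 GRE packet")
    off = (pkt[0] & 0x0F) * 4                 # outer IPv4 header length
    if len(pkt) < off + 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", pkt, off)
    if proto != GRE_ERSPAN_II or not flags & 0x1000:
        raise ValueError("not ERSPAN Type II (needs GRE sequence number)")
    # Skip base GRE header plus optional checksum (C), key (K) and sequence (S).
    off += 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    if len(pkt) < off + 8 + 34:
        raise ValueError("truncated ERSPAN header or mirrored frame")
    # ERSPAN II: ver(4) vlan(12) | cos(3) en(2) t(1) session(10) | rsvd(12) index(20)
    word0, word1, _index = struct.unpack_from("!HHI", pkt, off)
    if word0 >> 12 != 1:
        raise ValueError("unsupported ERSPAN version")
    frame = pkt[off + 8:]                     # original Ethernet frame
    if frame[12:14] != b"\x08\x00":
        raise ValueError("mirrored frame is not untagged IPv4")
    addr = lambda b: str(ipaddress.IPv4Address(b))
    return {"outer_src": addr(pkt[12:16]), "outer_dst": addr(pkt[16:20]),
            "session_id": word1 & 0x03FF, "vlan": word0 & 0x0FFF,
            "inner_src": addr(frame[26:30]), "inner_dst": addr(frame[30:34])}

if __name__ == "__main__":
    print(decode_erspan(build_sample()))
```

The outer addresses identify the ERSPAN tunnel endpoints, and the inner addresses are the ones an IDS or analyst actually cares about.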