Cisco 2960 switch and SPAN vs RSPAN

I had the opportunity last week to work with some Gigabit PoE Cisco 2960 switches, an Avaya IP Office VoIP system, and a layer 2 based Ethernet recording system. The recording system basically had two dedicated Ethernet ports designed to receive mirrored traffic from the VoIP VLAN. Tap interfaces is what I took to calling them. After reviewing the 2960 specs I found features called SPAN and RSPAN. This was my first go-round with these, and it took me a little while of reading to realize that RSPAN is basically for capturing traffic from remote switches, whereas SPAN is for capturing/mirroring traffic from the local switch. However, they can’t be mixed: I can’t have RSPAN traffic and local SPAN traffic go to the same destination port.

So in my case there were only two switches, but VoIP phones could have been connected to any port on either switch and dropped into VLAN 12 via LLDP. So both “Tap” ports were connected to the primary server room switch in let’s say “Gi1/0/2” and “Gi1/0/3”. “Gi1/0/1” is used as the uplink port on both switches. Here are the commands I used to configure RSPAN traffic for VLAN 12 from the remote switch over to “Gi1/0/2”.

First create the VLAN on the remote switch and mark it for RSPAN traffic…
#config t
#vlan 44
#name RSPAN_VLAN
#remote-span

Next we enter the commands on the remote switch to mirror traffic from VLAN 12 to the RSPAN VLAN.
#config t
#monitor session 1 source vlan 12
#monitor session 1 destination remote vlan 44

Now to add this RSPAN VLAN to our trunk interface up-linking the two switches. I assume you’ve already added VLAN 1 and 12.
#config t
#interface Gi1/0/1
#switchport trunk allowed vlan add 44

Now to configure the local switch to capture this RSPAN vlan traffic and forward it to the Gi1/0/2 interface. First configure the VLAN.
#config t
#vlan 44
#name RSPAN_VLAN
#remote-span

Now add that RSPAN VLAN to the up-link interface.
#config t
#interface Gi1/0/1
#switchport trunk allowed vlan add 44

Configure the source and destination for the capture/mirror.
#config t
#monitor session 1 source remote vlan 44
#monitor session 1 destination interface Gi1/0/2

So great, done… Now what about the local VLAN 12 traffic? This only sends the traffic from the remote switch to Gi1/0/2. In order to send local VLAN 12 traffic to Gi1/0/3 we’ll need to configure a local SPAN on the local switch. This is quite a bit easier. Here are the commands from my example above.

#config t
#monitor session 2 source vlan 12
#monitor session 2 destination interface Gi1/0/3

That’s it. With the above commands, all of our VLAN 12 traffic is being forwarded from the local and remote switch to two different destination ports. What I haven’t tested yet is adding a third switch to the same RSPAN VLAN. This should work; it would be a shame if you had to create a destination port for each remote switch.
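A mirror that is silently misconfigured means the recorder misses calls without any error, so it is worth checking a saved running-config against the three dependencies above: the RSPAN VLAN is marked remote-span, it is allowed on the uplink trunk, and each local SPAN source is the voice VLAN. The Python below is an added example, not part of the original post; `audit`, `vlan_set` and `LOCAL_CFG` are hypothetical names, and the config excerpt is constructed with two deliberate mistakes.

```python
import re

# Constructed excerpt for the local switch: trunk lacks VLAN 44, session 2 mirrors the wrong VLAN.
LOCAL_CFG = """\
vlan 44
 name RSPAN_VLAN
 remote-span
interface Gi1/0/1
 switchport trunk allowed vlan 1,12
monitor session 1 source remote vlan 44
monitor session 1 destination interface Gi1/0/2
monitor session 2 source vlan 13
monitor session 2 destination interface Gi1/0/3
"""

def vlan_set(spec):
    """Expand an IOS VLAN list such as '1,12,40-44' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(cfg, uplink, mirrored_vlan):
    """Return a list of SPAN/RSPAN problems found in one switch's config text."""
    rspan, allowed, block, problems = set(), set(), "", []
    for raw in cfg.splitlines():
        line = raw.strip()
        if raw[:1] != " ":
            block = line  # unindented line: start of a new config block
        if line == "remote-span" and block.startswith("vlan "):
            rspan.add(int(block.split()[1]))
        m = re.match(r"switchport trunk allowed vlan (?:add )?([\d,-]+)$", line)
        if m and block == f"interface {uplink}":
            allowed |= vlan_set(m.group(1))
    for sid, role, arg in re.findall(r"^monitor session (\d+) (source|destination) (.+)$", cfg, re.M):
        m = re.match(r"(remote vlan|vlan) (\d+)", arg)
        if not m:
            continue  # interface source or destination: nothing to cross-check
        kind, vid = m.group(1), int(m.group(2))
        if kind == "remote vlan" and vid not in rspan:
            problems.append(f"session {sid}: vlan {vid} is not marked remote-span")
        if kind == "remote vlan" and vid not in allowed:
            problems.append(f"session {sid}: vlan {vid} not allowed on {uplink}")
        if kind == "vlan" and role == "source" and vid != mirrored_vlan:
            problems.append(f"session {sid}: source vlan {vid}, expected vlan {mirrored_vlan}")
    return problems

if __name__ == "__main__":
    print("\n".join(audit(LOCAL_CFG, "Gi1/0/1", 12)))
```

Run it against the config of each switch in turn, passing that switch's uplink port and the VLAN you intend to mirror.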

Thanks for reading.

Regards,
Adam Tyler
