Traffic-collecting devices such as IDS probes and protocol analyzers have often frustrated network administrators because they never seem to be where you need them. This is particularly true in remote offices, where these devices are permanently fixed. While it's easy to "span" or "mirror" the port you need to do the probe, all too often, the port you need is on a different switch, in a closet far away. Inevitably, valuable time is wasted dispatching someone to move the probe into the right closet, and configure that switch appropriately.
While it's true that in most of these remote-office cases, the traffic you want to capture passes through the core of your network, from an architectural purist's perspective, that's the last place you want to be spanning ports. Recall that cores are high-speed, low-drag; things like filtering, PBR, and spanning can cause serious performance problems and belong much closer to the end-points.
A much better solution is RSPAN, which is like the regular span, except that it uses a special VLAN on trunks between switches to carry the traffic you want to see. Of course, you've always been able to front-panel-connect a span port to a VLAN and trunk it all over your campus, but the RSPAN feature solves an otherwise tricky problem: it disables MAC address learning so all traffic is flooded. Another problem is that it's possible that QoS schemes in intermediate switches could even change the order of the packets, confusing your analyzer or IDS/IPS.
The downside though, is that due to the nature of the VLAN trunking mechanisms RSPAN uses, don't expect to get your layer 2 control traffic to your probe or things like collisions. And if you do use RSPAN, it's probably wise to rate limit this traffic so that you don't accidentally use up all your bandwidth and starve production data. Whether you intentionally affect it, or just let the switches give it "best effort", keep in mind that the timestamps in your trace files will all be different than when they were originally transmitted.
You can find implementation details for RSPAN features on www.cisco.com.
Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide published by Sybex.
