Problem solve Get help with specific problems with your technologies, process and projects.

Cisco's RSPAN

The uses and setup of Cisco's RSPAN.

Traffic-collecting devices such as IDS probes and protocol analyzers have often frustrated network administrators...

because they never seem to be where you need them. This is particularly true in remote offices, where these devices are permanently fixed. While it's easy to "span" or "mirror" the port you need to do the probe, all too often, the port you need is on a different switch, in a closet far away. Inevitably, valuable time is wasted dispatching someone to move the probe into the right closet, and configure that switch appropriately.

While it's true that in most of these remote-office cases, the traffic you want to capture passes through the core of your network, from an architectural purist's perspective, that's the last place you want to be spanning ports. Recall that cores are high-speed, low-drag; things like filtering, PBR, and spanning can cause serious performance problems and belong much closer to the end-points.

A much better solution is RSPAN, which is like the regular span, except that it uses a special...  VLAN on trunks between switches to carry the traffic you want to see. Of course, you've always been able to front-panel-connect a span port to a VLAN and trunk it all over your campus, but the RSPAN feature solves an otherwise tricky problem: it disables MAC address learning so all traffic is flooded. Another problem is that it's possible that QoS schemes in intermediate switches could even change the order of the packets, confusing your analyzer or IDS/IPS.

The downside though, is that due to the nature of the VLAN trunking mechanisms RSPAN uses, don't expect to get your layer 2 control traffic to your probe or things like collisions. And if you do use RSPAN, it's probably wise to rate limit this traffic so that you don't accidentally use up all your bandwidth and starve production data. Whether you intentionally affect it, or just let the switches give it "best effort", keep in mind that the timestamps in your trace files will all be different than when they were originally transmitted.

You can find implementation details for RSPAN features on

Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide published by Sybex.

This was last published in February 2005

Dig Deeper on Network services

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Cisco RSPAN is very useful for a number of reasons: If you want to use wireshark to capture traffic from an interface that is connected to a workstation, server, phone or anything else you want to sniff. Redirect all traffic from a VLAN to an IDS / IPS. Redirect all VoIP calls from a VLAN so you can record the calls. The source can be an interface or a VLAN, the destination is an interface. You can choose if you want to forward transmitted, received or both directions to the destination interface. Good work.