SPAN, RSPAN, and ERSPAN: Complete Guide for CCNP ENCOR

SPAN, RSPAN, and ERSPAN: Network Assurance and Traffic Monitoring

Why This Topic Matters for CCNP ENCOR

Network assurance and troubleshooting are critical skills tested in the CCNP ENCOR exam. SPAN (Switched Port Analyzer), RSPAN (Remote SPAN), and ERSPAN (Encapsulated Remote SPAN) are essential monitoring technologies that allow network engineers to capture and analyze traffic without disrupting network operations. Understanding these technologies is crucial for:

• Identifying network performance issues
• Detecting security threats and anomalies
• Troubleshooting application problems
• Validating network configurations
• Compliance and auditing requirements

What is SPAN (Switched Port Analyzer)?

SPAN is a Cisco technology that copies traffic from one or more source ports or VLANs to a destination port (typically connected to a monitoring device like a packet analyzer or IDS/IPS system). It allows you to monitor network traffic without inserting devices inline.

Key Characteristics of SPAN:

• Local Monitoring: Works only on a single switch
• Source Options: Can monitor ports, VLANs, or entire switch
• Destination: Traffic is copied to a physical port on the same switch
• Non-Intrusive: Original traffic is unaffected; copies are sent to monitoring port
• Overhead: Minimal performance impact on monitored switch

SPAN Configuration Example:

To configure SPAN on a Cisco switch, you specify source ports and destination ports:

• Source port: The port you want to monitor
• Destination port: The port connected to your monitoring device
• Direction: Both (ingress and egress), ingress only, or egress only

What is RSPAN (Remote SPAN)?

RSPAN extends SPAN functionality across multiple switches by using a dedicated VLAN (RSPAN VLAN) to carry mirrored traffic from source switches to destination switches. This allows you to monitor traffic across your entire network infrastructure.

Key Characteristics of RSPAN:

• Distributed Monitoring: Works across multiple switches
• RSPAN VLAN: Uses a dedicated, special-purpose VLAN to transport mirrored traffic
• Source Switches: Copy traffic to the RSPAN VLAN
• Destination Switches: Extract traffic from the RSPAN VLAN to a local monitoring port
• Network-Wide Visibility: Can monitor traffic from remote locations

RSPAN Architecture:

• Source Switch: Mirrors traffic to RSPAN VLAN
• Intermediate Switches: Forward RSPAN VLAN traffic transparently
• Destination Switch: Extracts mirrored traffic to monitoring device

RSPAN VLAN Requirements:

• Must be dedicated exclusively for RSPAN
• Should not carry any user traffic
• Must be configured on all switches in the RSPAN path
• VLAN number must be the same across all switches

What is ERSPAN (Encapsulated Remote SPAN)?

ERSPAN is an evolution of RSPAN that encapsulates mirrored traffic in IP packets, allowing monitoring across Layer 3 boundaries and providing more flexibility and scalability than traditional RSPAN.

Key Characteristics of ERSPAN:

• IP-Based: Uses GRE (Generic Routing Encapsulation) tunnels for transport
• Layer 3 Capable: Works across routed networks and different subnets
• Flexible: No need for dedicated VLAN across entire network
• Scalable: Multiple monitoring sessions can exist simultaneously
• Encapsulation: Original traffic is encapsulated in GRE packets with source and destination IP addresses

ERSPAN Architecture:

• Source Switch: Encapsulates mirrored traffic in GRE packets
• IP Network: Transports GRE-encapsulated traffic using standard routing
• Destination Switch: Decapsulates GRE packets and sends traffic to monitoring device

ERSPAN Versions:

• ERSPANv1: Original implementation, basic functionality
• ERSPANv2: Enhanced version with better metadata and options support

Comparison: SPAN vs RSPAN vs ERSPAN

How SPAN Works: Step-by-Step

SPAN Configuration Process:

1. Define Source: Select port(s) or VLAN(s) to monitor
2. Define Destination: Select output port connected to analyzer
3. Set Direction: Choose ingress, egress, or both
4. Enable Session: Activate the SPAN session
5. Verify: Confirm traffic is being mirrored

Traffic Flow in SPAN:

Original traffic passes through the switch normally. A copy of the traffic is simultaneously sent to the destination port where a monitoring device (like Wireshark, tcpdump, or Intrusion Detection System) captures and analyzes it.

How RSPAN Works: Step-by-Step

RSPAN Configuration Process:

1. Create RSPAN VLAN: Define a dedicated VLAN on all switches
2. Configure Source Switch: Set up source SPAN to send traffic to RSPAN VLAN
3. Configure Intermediate Switches: Ensure RSPAN VLAN is allowed on trunk ports
4. Configure Destination Switch: Set up destination SPAN to extract traffic from RSPAN VLAN
5. Connect Analyzer: Attach monitoring device to destination port
6. Verify: Test the monitoring path

Traffic Flow in RSPAN:

Traffic is copied on the source switch into the RSPAN VLAN. This traffic traverses the network through trunk ports carrying the RSPAN VLAN. On the destination switch, traffic is extracted from the RSPAN VLAN and sent to the monitoring port.

How ERSPAN Works: Step-by-Step

ERSPAN Configuration Process:

1. Configure Source: Define source ports or VLANs to monitor
2. Enable GRE Tunnel: Create GRE tunnel to destination switch
3. Specify Destination IP: Set the IP address of the destination switch
4. Configure Destination: Set up ERSPAN destination to receive and decapsulate traffic
5. Connect Analyzer: Attach monitoring device to destination port
6. Verify: Confirm GRE traffic and decapsulation

Traffic Flow in ERSPAN:

Original traffic is captured on the source switch. The traffic is encapsulated in GRE packets with a source IP address (source switch interface) and destination IP address (destination switch interface). These GRE-encapsulated packets are routed through the IP network using standard routing. At the destination switch, GRE packets are decapsulated and the original traffic is sent to the monitoring port.

Important SPAN/RSPAN/ERSPAN Concepts

Source Types:

• Port-based SPAN: Monitor specific physical ports
• VLAN-based SPAN: Monitor all ports belonging to a specific VLAN
• Combination SPAN: Mix of ports and VLANs

Direction Options:

• Ingress: Only incoming traffic to source
• Egress: Only outgoing traffic from source
• Both: All traffic in both directions (default)

Destination Port Considerations:

• Should be configured as access port on the destination VLAN
• Should not be a member of monitored VLAN
• Can be a physical port or EtherChannel
• Traffic is sent untagged to analyzer
• Port speed should match or exceed expected traffic volume

RSPAN VLAN Best Practices:

• Use a high VLAN ID to avoid conflicts
• Remove RSPAN VLAN from user-facing trunk ports
• Configure on all switches that will carry RSPAN traffic
• Document which VLAN is used for RSPAN
• Monitor RSPAN VLAN traffic for anomalies

ERSPAN Best Practices:

• Use dedicated loopback interfaces for source and destination IPs
• Ensure adequate bandwidth for GRE-encapsulated traffic
• Monitor MTU settings (GRE adds 24 bytes overhead)
• Use ACLs to control which traffic gets mirrored
• Implement QoS if monitoring high volumes of traffic

Common SPAN/RSPAN/ERSPAN Use Cases

Security Monitoring:

Connect IDS/IPS systems to SPAN destinations to monitor for malicious traffic and security threats in real-time.

Application Performance Analysis:

Capture application traffic to analyze performance issues, latency problems, and network bottlenecks.

Network Troubleshooting:

Monitor traffic patterns to identify communication problems between devices and diagnose connectivity issues.

Compliance and Auditing:

Record network traffic for compliance requirements and security audits.

Traffic Analysis:

Use packet analyzers to understand bandwidth usage and identify heavy users or protocols.

Limitations and Considerations

SPAN Limitations:

• Works only on a single switch
• No encryption or authentication
• Can impact switch CPU and memory
• Limited by destination port bandwidth
• Cannot filter traffic (mirrors everything)

RSPAN Limitations:

• Requires dedicated VLAN planning
• Occupies bandwidth on trunk links
• Cannot cross Layer 3 boundaries
• Limited scalability with multiple monitoring sessions
• RSPAN VLAN traffic is unencrypted

ERSPAN Limitations:

• More complex configuration than SPAN
• GRE encapsulation adds overhead
• Requires IP connectivity between source and destination
• MTU considerations (GRE adds 24 bytes)
• May require additional CPU resources for encapsulation/decapsulation

Troubleshooting SPAN/RSPAN/ERSPAN

SPAN Troubleshooting:

• No traffic at destination: Verify source port is active and carries traffic; check destination port configuration; ensure session is enabled
• Partial traffic: Verify direction settings match monitoring needs
• Analyzer not seeing traffic: Check physical cabling; verify port configuration; confirm analyzer is receiving data

RSPAN Troubleshooting:

• No traffic at destination: Verify RSPAN VLAN exists on all switches; confirm trunk ports allow RSPAN VLAN; check source switch is mirroring correctly
• Interrupted traffic: Verify trunk links are up; check RSPAN VLAN is pruned correctly
• Missing traffic: Ensure RSPAN VLAN is on all switches in the path; verify source and destination configurations match

ERSPAN Troubleshooting:

• No traffic: Verify IP connectivity between source and destination; check GRE tunnel status; confirm MTU settings
• Encapsulation errors: Check source and destination IP addresses; verify routing is correct; check for ACL blocks
• Performance issues: Monitor switch CPU; check bandwidth utilization; verify QoS settings

Exam Tips: Answering Questions on SPAN, RSPAN, and ERSPAN

Tip 1: Understand the Scope Question

When a question asks about monitoring traffic across multiple switches, immediately think RSPAN or ERSPAN. If it's about a single switch, SPAN is the answer. ERSPAN is the best choice when you need to cross Layer 3 boundaries or have a complex, distributed network.

Tip 2: Know the Key Difference Between RSPAN and ERSPAN

RSPAN = VLAN-based transport
ERSPAN = IP-based transport (GRE)
If the question mentions routing or IP networks, ERSPAN is likely correct. If it mentions VLANs and trunking, RSPAN is likely correct.

Tip 3: Remember Destination Port Requirements

When asked about configuring a monitoring port, remember:

• It should NOT be part of the monitored VLAN
• It should be configured as an access port (not trunk)
• Traffic is sent untagged
• Port should have sufficient bandwidth

Tip 4: RSPAN VLAN Configuration

For RSPAN questions, remember the RSPAN VLAN must:

• Be the same VLAN ID across all switches
• Be dedicated only to RSPAN (no user traffic)
• Be pruned correctly on trunk ports
• Exist on all switches that will carry RSPAN traffic

Tip 5: Recognize ERSPAN Overhead

If a question mentions GRE encapsulation, IP tunneling, or adding 24 bytes overhead, it's referring to ERSPAN. Remember that GRE adds overhead, so MTU considerations become important.

Tip 6: Source vs Destination Terminology

In exam questions:
Source: Where you want to monitor traffic from (port, VLAN, or device)
Destination: Where you want to send the mirrored traffic (analyzer device)
Don't confuse these when reading questions.

Tip 7: Direction Configuration

When questions ask about monitoring traffic "in both directions" or "bidirectional," this is the default behavior. If they ask about monitoring only incoming traffic, that's ingress. Only outgoing is egress.

Tip 8: Analyzer Connection

Exam questions often mention connecting a packet analyzer, IDS, or sniffer. Remember:

• It connects to the destination port (not the monitored port)
• In SPAN: directly to the switch
• In RSPAN: to a destination switch port
• In ERSPAN: to a destination switch port (after decapsulation)

Tip 9: Traffic Flow and Path Questions

If asked about traffic flow:
SPAN: Source port → Switch → Destination port (both on same switch)
RSPAN: Source switch → RSPAN VLAN → Trunk ports → Destination switch → Destination port
ERSPAN: Source switch → GRE encapsulation → IP network → Destination switch → Decapsulation → Destination port

Tip 10: Troubleshooting Scenario Questions

When presented with troubleshooting scenarios:

• If traffic isn't being mirrored on the same switch, check SPAN configuration
• If mirrored traffic stops at an intermediate switch, suspect RSPAN VLAN pruning
• If ERSPAN traffic isn't arriving, verify IP connectivity and GRE tunnel
• If analyzer receives partial traffic, check direction settings

Tip 11: Configuration Complexity

Understand the complexity ranking:
Easiest: SPAN (one switch, one port)
Moderate: RSPAN (multiple switches, VLAN planning needed)
Most Complex: ERSPAN (IP planning, GRE configuration, MTU considerations)
Exam questions often test whether you know when to use simpler solutions first.

Tip 12: Bandwidth and Performance Considerations

Watch for questions mentioning:

• High-speed monitoring → Consider bandwidth impact
• Multiple sessions needed → ERSPAN is more scalable
• Remote monitoring across WAN → ERSPAN is the answer
• MTU issues → Likely ERSPAN (GRE overhead)

Tip 13: Security Implications

Remember that:

• SPAN/RSPAN traffic is unencrypted by default
• Anyone with access to destination port can see all traffic
• This is important for security and compliance questions
• ERSPAN traffic can be encrypted using IPSec

Tip 14: Multi-Part Questions

If an exam question asks about:
"Configure monitoring from Switch A to Switch B in the same VLAN" → RSPAN
"Configure monitoring from Switch A to Switch C in a different subnet" → ERSPAN
"Configure monitoring within Switch A" → SPAN

Tip 15: Review and Verify Strategy

When answering SPAN/RSPAN/ERSPAN questions:

1. Identify the scope (single switch vs. multiple)
2. Identify the network topology (same VLAN vs. different subnets)
3. Consider complexity vs. requirements
4. Verify all configuration elements are addressed
5. Check for gotchas like RSPAN VLAN pruning or ERSPAN MTU

Practice Exam Scenarios

Scenario 1: Local Port Monitoring

Question: A network engineer needs to monitor traffic on port G0/0/1 of a Catalyst 9300 switch using a packet analyzer. What technology should be used?

Answer: SPAN

This is a single-switch, local monitoring scenario. SPAN is the simplest and most appropriate solution. The analyzer connects to a destination port on the same switch.

Scenario 2: Multi-Switch Monitoring

Question: An organization needs to monitor traffic from a server on Switch A located in Building 1 and send the mirrored traffic to a monitoring device on Switch B located in Building 2. Both switches are in the same Layer 2 domain. What technology is best suited?

Answer: RSPAN

This requires monitoring across switches in the same Layer 2 domain. RSPAN is ideal because both switches can be connected via trunk links in the same VLAN domain. Configure a dedicated RSPAN VLAN to transport the mirrored traffic.

Scenario 3: Remote IP-Based Monitoring

Question: A security team needs to monitor traffic from servers in the data center (Switch A with IP 192.168.1.10) and send mirrored traffic to an IDS system connected to a switch in the remote office (Switch B with IP 10.0.1.10). The devices are connected via a routed WAN link. Which monitoring solution is most appropriate?

Answer: ERSPAN

This scenario requires crossing Layer 3 boundaries (different subnets). ERSPAN is the only option because it uses IP-based GRE encapsulation to transport mirrored traffic through the routed network. RSPAN cannot cross Layer 3 boundaries.

Key Formulas and Mnemonics

SPAN = Switched Port Analyzer - Local monitoring
RSPAN = Remote SPAN - VLAN-based remote monitoring
ERSPAN = Encapsulated Remote SPAN - IP-based remote monitoring

Remember: "GRE for ERSPAN" - Encapsulation is key
Remember: "VLAN for RSPAN" - Layer 2 transport is key
Remember: "Same Switch for SPAN" - Local only

Final Review Checklist

Before the exam, ensure you can:

• ☐ Define SPAN, RSPAN, and ERSPAN clearly
• ☐ Explain when to use each technology
• ☐ Understand traffic flow for each method
• ☐ Configure source, destination, and direction for SPAN
• ☐ Plan and configure RSPAN VLAN across switches
• ☐ Configure ERSPAN with IP addresses and GRE
• ☐ Troubleshoot why mirrored traffic isn't arriving
• ☐ Explain the limitations of each technology
• ☐ Identify correct technology for scenario-based questions
• ☐ Understand destination port configuration
• ☐ Know RSPAN VLAN best practices
• ☐ Understand GRE encapsulation and MTU impact
• ☐ Recognize security implications of monitoring

Conclusion

SPAN, RSPAN, and ERSPAN are fundamental network assurance technologies for the CCNP ENCOR exam. Understanding when and how to use each technology is critical for network monitoring and troubleshooting. Remember the key differentiators: SPAN is local, RSPAN uses VLANs, and ERSPAN uses GRE and IP. With this comprehensive guide and the exam tips provided, you'll be well-prepared to answer any question about these technologies on your CCNP ENCOR exam.