Configure traffic mirroring with a Remote SPAN (RSPAN) port

Configure a remote SPAN (RSPAN) session on your switch to mirror traffic from multiple, distributed source ports into a dedicated remote VLAN.

Data in the VLAN is then delivered through trunked ports, across multiple switches to a specified switch that contains the physical destination port. Connect the destination port to your OT network sensor to monitor traffic with Defender for IoT.

The following diagram shows an example of a remote VLAN architecture:

Diagram of remote VLAN.

This article describes a sample procedure for configuring RSPAN on a Cisco 2960 switch with 24 ports running IOS. The steps described are intended as high-level guidance. For more information, see the Cisco documentation.

Important

This article is intended only as guidance and not as instructions. Mirror ports on other Cisco operating systems and other switch brands are configured differently.

Prerequisites

  • RSPAN requires a specific VLAN to carry the monitored SPAN traffic between switches. Before you start, make sure that your switch supports RSPAN.

  • Make sure that the mirroring option on your switch is turned off.

  • Make sure that the remote VLAN is allowed on the trunked port between the source and destination switches.

  • Make sure that all switches connecting to the same RSPAN session are from the same vendor.

  • Make sure that the trunk port sharing the same remote VLAN between switches isn't already defined as a mirror session source port.

  • The remote VLAN increases the bandwidth used on the trunked port by the amount of traffic being mirrored from the source session. Make sure that your switch's trunk port can support the increased bandwidth.

Configure the source switch

On your source switch:

  1. Enter global configuration mode and create a new, dedicated VLAN.

  2. Identify your new VLAN as the RSPAN VLAN, and then return to global configuration mode.

  3. Configure all 24 ports as session sources.

  4. Configure the RSPAN VLAN to be the session destination.

  5. Return to the privileged EXEC mode and verify the port mirroring configuration.

Configure the destination switch

On your destination switch:

  1. Enter global configuration mode, and configure the RSPAN VLAN to be the session source.

  2. Configure physical port 24 to be the session destination.

  3. Return to privileged EXEC mode and verify the port mirroring configuration.

  4. Save the configuration.
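
The following commands illustrate both procedures above on Cisco IOS. They are an added example, not taken from the original article or from Cisco documentation. VLAN 901, session number 1, the FastEthernet0/1 - 24 interface names and a trunk on a separate uplink port are assumptions; substitute your own values.

```cisco
! ----- Source switch -----
! Assumed values: RSPAN VLAN 901, session 1, Fa0/1-24 as monitored ports,
! trunk to the destination switch on a separate uplink port.
!
! Prerequisite checks: confirm no mirror session is already configured and
! that VLAN 901 is allowed on the trunk toward the destination switch.
show monitor session all
show interfaces trunk
!
! Steps 1-2: create the dedicated VLAN and mark it as the RSPAN VLAN.
configure terminal
vlan 901
 remote-span
 exit
! Step 3: all 24 ports as session sources (both directions by default).
monitor session 1 source interface FastEthernet0/1 - 24
! Step 4: the RSPAN VLAN as the session destination.
monitor session 1 destination remote vlan 901
! Step 5: return to privileged EXEC mode and verify.
end
show monitor session 1
!
! ----- Destination switch -----
! VLAN 901 must also be defined as a remote-span VLAN on this switch.
!
! Step 1: the RSPAN VLAN as the session source.
configure terminal
monitor session 1 source remote vlan 901
! Step 2: physical port 24 (connected to the OT sensor) as the destination.
monitor session 1 destination interface FastEthernet0/24
! Step 3: return to privileged EXEC mode and verify.
end
show monitor session 1
! Step 4: save the configuration.
copy running-config startup-config
```

Because the `ingress` keyword is not used on the destination port, the switch does not forward frames received on that port, which suits a passive monitoring sensor.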
