Chapter 1
LAN Basics
1. Ethernet Cabling
Type of Cable Key Pins Connected
Straight through 1–1 ; 2–2 ; 3–3 ; 6–6
Crossover 1–3 ; 2–6 ; 3–1 ; 6–2

2. ARP Types
ARP
- A protocol used on LANs so that an IP host can discover the MAC address of another device that is using a particular IP address.
- Default time-out value of an ARP entry in Cisco IOS Software is 240 seconds.
Proxy ARP (P-ARP)
- A router feature used when a router sees an ARP request searching for an IP host's MAC, and the router believes that the IP host could not be on that LAN because the host is in another subnet. If the router has a route to reach the subnet where the host resides, the router replies to the ARP request with the router's MAC address.
Reverse ARP (R-ARP)
- A standard protocol by which a LAN-attached host can dynamically broadcast a request for a server to assign it an IP address.
Gratuitous ARP (G-ARP)
- A Gratuitous ARP is an ARP Response that was not prompted by an ARP Request. The Gratuitous ARP is sent as a broadcast, as a way for a node to announce or update its IP-to-MAC mapping to the entire network.
Inverse ARP (I-ARP)
- Maps a known DLCI to an IP Address.
- Used in Frame-relay networks.
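The ARP types above at wire level, as an added Python example (not code from the original notes): it packs and parses the 28-byte Ethernet/IPv4 ARP payload with the standard library, names the message by opcode and flags a gratuitous ARP by its defining property, sender IP equal to target IP; the MACs and the 192.0.2.0/24 hosts are constructed sample values.

```python
"""Wire-level view of the ARP types in section 2.

Added example, not code from the original notes.  It packs and parses the
fixed 28-byte Ethernet/IPv4 ARP payload with the standard library, names the
message by its opcode (ARP, Reverse ARP, Inverse ARP) and flags a Gratuitous
ARP by its defining property: sender and target protocol address are equal.
All MAC and IP addresses below are constructed sample values.
"""
import struct
from ipaddress import IPv4Address

# htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)                 # 28 bytes
OPCODES = {1: "ARP request", 2: "ARP reply",
           3: "RARP request", 4: "RARP reply",     # Reverse ARP, RFC 903
           8: "InARP request", 9: "InARP reply"}   # Inverse ARP, RFC 2390

def mac_bytes(text):
    """'aa:bb:cc:dd:ee:ff', 'aabb.ccdd.eeff' or 'aa-bb-...' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", "").replace(".", "").replace("-", ""))

def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet/IPv4 ARP payload (the Ethernet header is not included)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                       mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), IPv4Address(target_ip).packed)

def parse_arp(payload):
    if len(payload) < ARP_LEN:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return {"opcode": op, "sender_mac": mac_text(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": mac_text(tha), "target_ip": str(IPv4Address(tpa))}

def classify_arp(payload):
    """Name the ARP type; a gratuitous ARP announces the sender's own IP-to-MAC mapping."""
    fields = parse_arp(payload)
    name = OPCODES.get(fields["opcode"], f"unknown opcode {fields['opcode']}")
    if fields["opcode"] in (1, 2) and fields["sender_ip"] == fields["target_ip"]:
        return f"gratuitous {name}"
    return name

# Constructed sample messages between two hypothetical hosts on 192.0.2.0/24.
HOST_A = ("00:11:22:33:44:55", "192.0.2.10")
HOST_B = ("00:11:22:33:44:66", "192.0.2.20")
REQUEST = build_arp(1, *HOST_A, "00:00:00:00:00:00", HOST_B[1])    # who has B?
REPLY = build_arp(2, *HOST_B, *HOST_A)                             # B answers A
GRATUITOUS = build_arp(2, *HOST_B, "ff:ff:ff:ff:ff:ff", HOST_B[1])  # unsolicited announce
RARP_REQUEST = build_arp(3, HOST_A[0], "0.0.0.0", HOST_A[0], "0.0.0.0")

if __name__ == "__main__":
    for msg in (REQUEST, REPLY, GRATUITOUS, RARP_REQUEST):
        print(f"{classify_arp(msg):>22}: {parse_arp(msg)}")
```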

3. Networking Devices
A. Hub
-Works at layer 1 of OSI model.
-When a frame is received, it is forwarded to all ports.
-Half duplex device; uses Carrier Sense Multiple Access/Collision Detection (CSMA/CD) for detecting collisions.
-Hub shares bandwidth among all its ports.
-Typically an unmanaged (accepts no user-defined configuration) and unintelligent (doesn't inspect frames at all before forwarding) device.
-Hub offers one broadcast domain and one collision domain.
-Hub network: the more hosts on the hub, the less bandwidth each host gets (bandwidth per host ∝ 1 / number of hosts).

Note:
- A set of devices that can send frames that collide with frames sent by another device in that same set of devices is called a collision domain.
- A set of devices that receive a broadcast sent by any one of the devices in the same set is called a broadcast domain.

B. Switch
-Works at layer 2 of OSI model.
-Layer 2 header and trailer, along with the data encapsulated by them, is called a Frame.
-Frames are forwarded on the basis of destination MAC addresses.
-Switch is also known as a transparent bridge because Layer 2 switches do not rewrite anything in the Layer 2 frame when forwarding; that is why switches are faster than routers, which rewrite the Layer 2 frame before forwarding.
-Switch is a full duplex device.
-Typically, the last port of a switch is used for uplink (trunking).
-By default, a switch offers 1 broadcast domain and multiple collision domains.
Number of ports -> Number of collision domains
Number of VLANs -> Number of broadcast domains
-By default, a switch can have 16 (0-15) telnet sessions.
-Layer 2 Limitations:
i. CAM Table size
-CAM table cannot be summarized, unlike a routing table.
-50,000 hosts = 50,000 MAC addresses.
-When the CAM table is full, the switch acts like a hub: it floods all frames.
-MACOF -> An attack in which the switch is flooded with random MAC addresses.

ii. Broadcast Domain Limitations
-Larger broadcast domains -> broadcast storms.
-Broadcast storms can happen for legitimate reasons (such as ARP storms) and illegitimate reasons (fraggle attack or smurf attack).
-Both of these attacks flood the VLAN segment.
Solution: VLANs. Limiting hosts per VLAN limits broadcast domain size.
Note:
- Difference between bridge and switch:
There is a single CPU handling every port in the bridge (software-based), whereas switches are built with Application Specific Integrated Circuits (ASICs) where every port is managed individually (hardware-based).

C. Layer 3 Switch or Multi-Layer Switch
-Can perform Layer 2 and Layer 3 operations; the packet rewrite is hardware-accelerated with Application Specific ICs (ASICs).
-Can resolve ARP between different networks.

D. Router:
-Works at layer 3 of OSI model.
-Layer 3 header and trailer, along with the data encapsulated by them, is called a Packet.
-Offers multiple collision and broadcast domains.
-Normally, routers do not modify the layer 3 packet header; exceptions such as NAT.
-By default, a router can have 5 (0-4) telnet sessions.

4. Ethernet Types
-Types of Ethernet:
Ethernet -> IEEE 802.3
Fast-Ethernet -> IEEE 802.3u
Gigabit-Ethernet -> IEEE 802.3ab
10 Gigabit-Ethernet -> IEEE 802.3ae
EtherChannel -> IEEE 802.3ad

5. MAC Address
A. Ethernet Address Formats
-12 hex digit (or 48 bit binary) address.
-Permanently encoded into a ROM chip on the NIC. Sometimes also referred to as the Burned-in Address (BIA).
MAC Address division of bits (48 bits or 6 bytes):
Organizational Unique Identifier (OUI): first 3 bytes
- Assigned by IEEE to the vendor.
- Identifies the manufacturer of the NIC card.
Vendor Assigned Part: last 3 bytes
- Assigned by the vendor.
- Identifies the Ethernet hardware.

Bit type and meaning:
U/L
- Binary 0 means that the address is vendor assigned.
- Binary 1 means that the address has been administratively assigned, overriding the vendor assigned address.
I/G
- Binary 0 means that the address is unicast.
- Binary 1 means that the address is multicast/broadcast.
-Example:
The Ethernet multicast addresses used by IP multicast implementations always start with 0x01005E. Hex 01 (the first byte of the address) converts to binary 00000001, with the least significant bit being 1, confirming that the I/G bit is set.

B. Three types of Ethernet/MAC Address
Unicast
- Fancy term for an address that represents a single LAN interface.
- The I/G bit, the least significant bit in the MSB, is set to 0.
Broadcast
- An address that means "all devices that reside on this LAN right now".
- Always a value of FFFFFFFFFFFF.
Multicast
- A MAC address that implies some subset of all devices currently on the LAN.
- By definition, the I/G bit is set to 1.

C. LAN Switch Forward Behavior
Known Unicast
- Forwards the frame out the single interface associated with the destination address.
Unknown Unicast
- Floods the frame out all interfaces, except the interface on which the frame was received.
Broadcast
- Floods the frame identically to unknown unicasts.
Multicast
- Floods the frame identically to unknown unicasts, unless multicast optimizations are configured.
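Sections 5A-5C in code, as an added Python example (not from the original notes): it decodes the OUI, U/L and I/G bits, classifies an address, and replays the section 5C forwarding rules against a constructed MAC address table whose size CAM_CAPACITY is a hypothetical value. It goes beyond the notes in two places, both stated in the docstring: same-port filtering of known unicasts, and a full table refusing new entries (the condition under which section 3B says the switch floods like a hub).

```python
"""MAC address anatomy and the LAN switch forwarding decision (sections 5A-5C).

Added example, not code from the original notes.  It decodes the OUI and the
U/L and I/G bits of a 48-bit address, classifies it as unicast, broadcast or
multicast, and applies the forwarding rules of section 5C to a small
constructed MAC address table.  Two points go beyond the notes: a frame whose
destination was learned on the ingress port is filtered rather than forwarded,
and a full table (CAM_CAPACITY, a hypothetical size) learns nothing new, which
is why section 3B says a switch then floods like a hub.
"""
import re

CAM_CAPACITY = 4                               # hypothetical; real tables hold thousands
PORTS = ["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/24"]  # constructed switch

def mac_key(text):
    """Normalise 'xx:xx:..', 'xxxx.xxxx.xxxx' or bare hex to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return digits

def describe(mac):
    """OUI / vendor part plus the two flag bits carried in the first byte."""
    raw = bytes.fromhex(mac_key(mac))
    return {
        "oui": raw[:3].hex().upper(),          # first 3 bytes, IEEE-assigned
        "vendor_part": raw[3:].hex().upper(),  # last 3 bytes, vendor-assigned
        "ig_bit": raw[0] & 0x01,               # least significant bit of the first byte
        "ul_bit": (raw[0] >> 1) & 0x01,        # next bit up: 1 = locally administered
    }

def classify(mac):
    key = mac_key(mac)
    if key == "f" * 12:
        return "broadcast"
    return "multicast" if describe(key)["ig_bit"] else "unicast"

def learn(cam, src_mac, port):
    """Source-address learning; returns False when a new entry does not fit."""
    key = mac_key(src_mac)
    if key in cam or len(cam) < CAM_CAPACITY:
        cam[key] = port
        return True
    return False

def forwarding_decision(cam, dst_mac, ingress_port):
    """Return (frame kind, egress ports) for a frame, per section 5C."""
    kind, key = classify(dst_mac), mac_key(dst_mac)
    if kind == "unicast" and key in cam:
        if cam[key] == ingress_port:
            return "known unicast (filtered, same port)", []
        return "known unicast", [cam[key]]
    # unknown unicast, broadcast and multicast (no optimisations) are all flooded
    flood = [p for p in PORTS if p != ingress_port]
    return ("unknown unicast" if kind == "unicast" else kind), flood

# Constructed table with one host learned on Fa0/1.
SAMPLE_CAM = {}
learn(SAMPLE_CAM, "0011.2233.4455", "Fa0/1")

if __name__ == "__main__":
    print(describe("01:00:5E:00:00:FB"), classify("01:00:5E:00:00:FB"))
    print(forwarding_decision(SAMPLE_CAM, "0011.2233.4455", "Fa0/2"))
    print(forwarding_decision(SAMPLE_CAM, "ffff.ffff.ffff", "Fa0/1"))
```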

6. Auto negotiation, Speed, and Duplex
-By default, each Cisco switch port uses Ethernet auto-negotiation to determine the speed & duplex (half or full).
-Speed/duplex of a switch port can be set/reset manually with the following commands:
Switch(config-if)# [no] speed {10 | 100 | 1000 | auto}
Switch(config-if)# [no] duplex {half | full | auto}
-If auto-negotiation is not active on both sides, the interfaces will find their speed settings based on the incoming electrical signal, as long as the fixed side uses a speed which is supported by the other side.
-If auto-negotiation is not active, the switch will use its default speed and duplex settings:
Half duplex (HDX) -> for Ethernet (10 Mbps) and FastEthernet (100 Mbps)
Full duplex (FDX) -> GigabitEthernet (1000 Mbps)
Note:
- Speed mismatch on both ends will cause the link to no longer function. However, if one end is set to auto-negotiate, it may link up.
- Duplex mismatch will cause performance issues; packets may be dropped.
- We could set the speed on one side to fixed and on the other side to auto; even though it's not a good practice, it's still possible.
- Even though it is possible to play with those settings, it is still considered best practice to set the interfaces to auto-negotiation.
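The rules of this section as an added Python example (not from the original notes): resolve_link() predicts a link's state, speed and per-side duplex from each end's setting, and audit() flags the entries of a constructed port inventory that would be down or duplex-mismatched; it assumes every port supports 10/100/1000 and full duplex, so two auto ends settle on 1000 Mbps full duplex.

```python
"""Predict a link's outcome from each side's speed/duplex setting (section 6).

Added example, not code from the original notes.  Rules encoded: both ends
auto -> negotiated; one end fixed, the other auto -> the auto end senses the
fixed end's speed and uses the default duplex for that speed (half for 10 and
100 Mbps, full for 1000 Mbps); two fixed ends at different speeds -> link down;
a duplex mismatch comes up but drops frames.  It assumes every port supports
10/100/1000 and full duplex, so two auto ends settle on 1000 Mbps full duplex.
"""
SPEEDS = (10, 100, 1000)
DEFAULT_DUPLEX = {10: "half", 100: "half", 1000: "full"}   # used when nobody negotiates

def _up(speed, duplex_a, duplex_b):
    result = {"state": "up", "speed": speed, "duplex_a": duplex_a, "duplex_b": duplex_b}
    if duplex_a != duplex_b:
        result["warning"] = "duplex mismatch: link is up but frames may be dropped"
    return result

def resolve_link(a, b):
    """Each side is the string 'auto' or a fixed (speed, duplex) pair."""
    if a == "auto" and b == "auto":
        return _up(max(SPEEDS), "full", "full")            # full negotiation
    if a == "auto":                                         # sense b's speed, default duplex
        speed, duplex_b = b
        return _up(speed, DEFAULT_DUPLEX[speed], duplex_b)
    if b == "auto":
        speed, duplex_a = a
        return _up(speed, duplex_a, DEFAULT_DUPLEX[speed])
    if a[0] != b[0]:
        return {"state": "down", "reason": "speed mismatch on two fixed ends"}
    return _up(a[0], a[1], b[1])

def audit(links):
    """links: (name, side_a, side_b) tuples; returns (name, issue) for links needing attention."""
    findings = []
    for name, a, b in links:
        result = resolve_link(a, b)
        if result["state"] == "down":
            findings.append((name, result["reason"]))
        elif "warning" in result:
            findings.append((name, result["warning"]))
    return findings

# Constructed inventory: switch port setting vs. the attached device's setting.
INVENTORY = [
    ("Fa0/1 <-> printer", "auto", "auto"),
    ("Fa0/2 <-> old server", "auto", (100, "full")),      # the classic mismatch
    ("Fa0/3 <-> uplink", (1000, "full"), (1000, "full")),
    ("Fa0/4 <-> camera", (100, "full"), (1000, "full")),  # never links up
]

if __name__ == "__main__":
    for name, issue in audit(INVENTORY):
        print(f"{name}: {issue}")
```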

7. Network Latency
-Network latency = NIC delay + Propagation delay + Intermediary-device latency
-NIC delay -> Time taken by the source NIC to place voltage pulses on the wire, plus the time taken by the recipient NIC to interpret those pulses.
-Propagation delay -> Time taken by the signal to travel through the cable.
-Intermediary-device latency -> Latency added by the network devices placed between the two end devices.

8. Switch Forwarding Methods
A. Store and forward Switching
-Switch receives all bits in the frame (store) before forwarding the frame (forward).
-This allows the switch to check the Frame Check Sequence (FCS) before forwarding the frame, thus ensuring that errored frames are not forwarded.

B. Cut through Switching
a. Fast Forward Switching:
-Switch forwards the frame as soon as the destination address field of the header has been received.
-This method doesn't allow the switch to discard frames that fail the FCS check, but the forwarding action is faster, resulting in lower latency.

b. Fragment Free Switching:
-Works like cut-through switching, but the switch waits for the first 64 bytes to be received before forwarding.
-Switch stores the first 64 B of the frame before forwarding.
-According to the Ethernet specifications, collisions should be detected during the first 64 bytes of the frame, so frames that are in error because of a collision will not be forwarded.

9. Symmetric and Asymmetric Switching
-Symmetric switching provides a switched connection between ports with the same bandwidth.
-Asymmetric switching provides a switched connection between ports of different bandwidth.

10. Hierarchical Design
Access Layer
-End users are connected to the access layer.
-Total layer 2 connectivity; no routing on this layer.
-Only electrical ports.
-Offers services such as Authentication, Wireless (WPA/WPA2), Port Security.

Distribution Layer
-Provides interconnection between access & core layer.
-Performs routing.
-No electrical ports, only fiber ports.
-Offers services such as Redundancy (HSRP, VRRP, GLBP), Bandwidth aggregation (EtherChannel).

Core Layer
-High-speed backbone of the inter-network.
-Fast and reliable, as both of the downstream blocks depend on the core layer.
-Types:
i. Collapsed-core: the core layer is collapsed into the distribution layer.
ii. Dual-core: connects 2 or more switch blocks in redundant fashion.
(Switch-block = group of access-layer switches together with distribution switches.)
-Offers services such as Wire-speed forwarding, Efficient bandwidth utilization.

11. Switch Features
A. Forms
Fixed configuration Switches
-Fixed in their configuration.
-No new feature can be added.
Modular Switches
-Come with different sized chassis that allow for installation of different numbers of modular line cards.
-Line cards contain ports; chassis are used for expansion.
Stackable Switches
-Can be interconnected using a backplane cable that provides high bandwidth throughput between switches.
-Stackable switches use a special port for interconnections & do not use line ports for inter-switch connections.

B. Performance
a. Port Density:
- Port density is the number of ports per switch.
- Fixed configuration switches typically have up to 48 ports with an option for up to 4 additional ports for small form-factor pluggable (SFP) devices.
- A single 48-port switch is better than two 24-port switches:
One 48-port switch: 1 power port and 47 usable ports.
Two 24-port switches: 2 power ports, 2 interconnecting cables and 44 usable ports.

b. Forwarding rates:
- Defines the processing capabilities of a switch by rating how much data the switch can process per second.
- Wire speed is the data rate that each port on the switch is capable of attaining.
- Wire speed describes the theoretical maximum data-transmission rate of a connection.

c. Link Aggregation:
- As a part of bandwidth aggregation, you should determine if there are enough ports on a switch to aggregate to support the required bandwidth.

d. POE - Power over Ethernet:
- Allows the switch to deliver power to a device over existing Ethernet cabling.
- Adds considerable cost to the switch.

e. Layer 3 Functionality:
- L3 switches offer advanced functionality.
- L3 switches are also known as Multilayer Switches.

C. Switch features in a hierarchical Network
Access Layer: Port Security; L2 support mostly; POE; FE/GE; L2 QoS, VLANs; Link Aggregation; Scalable uplinks to higher layers.
Distribution Layer: Redundant components; L3 support; Higher forwarding rates; GE/10GE; L3 QoS, Security Policies, ACL; Link Aggregation; Scalable to high-speed links to access layer and core layer.
Core Layer: Redundant components; L3 support; Higher forwarding rates; GE/10GE; L3 QoS, Security Policies, ACL; Link Aggregation.

12. Commands
Modes:
User Mode -> Switch>
Privilege Mode -> Switch#
Global Config Mode -> Switch(config)#
Interface Mode -> Switch(config-if)#
Line Mode -> Switch(config-line)#
Sub Interface Mode -> Switch(config-subif)#
Setting Clock:
Switch# clock set hr:min:sec day month year
Interface Range:
Switch(config)# interface range interface-type module/first-number - last-number
Macros:
-Used to bundle interfaces, interface ranges or both of them.
-Defining:
Switch(config)# define interface-range macro-name interface-id/interface-range
-Invoking:
Switch(config)# interface range macro macro-name
Smart Macro:
-Used to bundle commands.
-Defining:
Switch(config)# macro name macro-name
(enter the commands to bundle, then end the macro with @)
-Applying on interface:
Switch(config-if)# macro apply macro-name
Note:
- Smart macros are only available on Catalysts.
- Macros and the interface-range feature are available on both routers and Catalysts.
Default Gateway:
-Mostly a router that connects to the distant network.
Switch(config)# ip default-gateway ip-address-of-gateway
Switch(config)# ip default-gateway 172.17.99.
Enable and enable-secret Passwords:
- Limit access to enable mode.
- Plain-text -> Switch(config)# enable password password
- Encrypted -> Switch(config)# enable secret password
Note:
- If neither enable nor enable-secret is configured, then IOS prevents enable access from a telnet session.
- Enable passwords are saved in plain text and can be seen in show running-config.
- Enable secret stores passwords in encrypted form, and they cannot be seen under show running-config.
Service Password Encryption:
- To encrypt the passwords that are stored in plain text, service password-encryption is used.
Switch(config)# [no] service password-encryption
Setting Console Password:
Switch(config)# line console console-ID
Switch(config-line)# password password
Switch(config-line)# login
Switch(config-line)# exit
Setting Auxiliary Password:
Switch(config)# line auxiliary auxiliary-ID
Switch(config-line)# password password
Switch(config-line)# login
Switch(config-line)# exit
Verification Commands:
show mac-address-table {dynamic | static | address hw-address | aging-time | count | interface interface-id | vlan vlan-id}
show startup-config
show flash
show ip interface brief
show interfaces [interface-id] [switchport | trunk]
show processes
show inventory
show diagnostic
Resetting a switch:
Switch# delete flash:vlan.dat -> Deleting the VLAN database from flash
Switch# write erase -> Deleting NVRAM configs
Switch# reload -> Reloading the switch

13. Detecting Error Conditions
-By default, a switch detects an error condition on every switch port for every possible cause. If an error condition is detected, the switch port is put into the err-disabled state.
-There are 3 ways to recover an err-disabled port:
i. Reload the switch.
ii. Shut down the port manually and then bring it up using the no shutdown command.
iii. Automatic recovery:
Switch(config)# errdisable recovery cause all
Switch(config)# errdisable recovery interval seconds
Seconds range: 30-86400 (24 hours)
-Detecting error conditions:
Switch(config)# errdisable detect cause all
-To display the err-disabled state of interfaces:
show interfaces status err-disabled
14. CISCO Discovery Protocol (CDP)
-CDP is a proprietary protocol designed by Cisco Systems for Cisco devices.
-CDP helps administrators in collecting information about Cisco devices.
-CDP is a data link layer protocol.
-Routers and Catalyst switches support CDP.
-CDP is enabled by default on all supporting devices.
-A supporting device can receive and send CDP messages.
-CDP messages are generated every 60 seconds as Layer 2 multicast messages on each of a device's active interfaces, with a hold-down period of 180 seconds for a missing neighbor.
-CDP messages are not forwarded. It means you can get CDP information only about directly connected devices.
-CDP messages contain useful information about the Cisco device, including the following:
Name -> Name of the neighboring device, set with the hostname command
Local Interface -> Type & ID of the local interface on which advertisements of this neighbor were received
Duplex settings -> Duplex setting of the interface that CDP was generated on
VTP Domain -> VTP domain of the device, if relevant
Native VLAN -> Native VLAN of the sending port, if relevant
Holdtime -> Specifies the time left before this entry is flushed if no new updates are received
Device capability -> See the first line of the show cdp neighbors output for a list of codes
Device Platform -> The neighboring device model
Port ID -> The connected interface of the neighbor
IOS -> IOS software version
Layer 3 address(es) -> The Layer 3 address(es) of the device

CDP Configuration
Router(config)# cdp run -> Enables CDP on a Cisco device
Router(config-if)# cdp enable -> Enables CDP on an interface
Router(config)# cdp timer seconds -> Adjusts the CDP advertisement timer
Router(config)# cdp holdtime seconds -> Adjusts the CDP hold time
show cdp -> Displays global CDP information, including timer and hold-time information
show cdp interface [interface-id] -> Displays information about the interfaces on which CDP is enabled
show cdp neighbors [detail] -> Displays detailed information about neighboring devices discovered using CDP
show cdp traffic -> Displays traffic information from the CDP table
show cdp entry [device-id] -> Displays information about a specific neighbor device listed in the CDP table

15. Link Layer Discovery Protocol (LLDP)
-Link Layer Discovery Protocol (LLDP) is an IEEE standard discovery protocol that is similar to CDP.
-LLDP is disabled by default.
-Differences between CDP and LLDP:
 - LLDP sends a topology change notification if a device is added or removed, while CDP does not.
 - Both discovery protocols discover Cisco devices (of course), but only LLDP discovers third party devices.
 - CDP has checksum support, while LLDP does not.
 - CDP supports native VLAN, while LLDP does not.

LLDP Configuration
Router(config)# lldp run -> Enables LLDP on a device
Router(config-if)# lldp {transmit | receive} -> Enables packet transmission/reception on the supported interface
show lldp -> Displays global LLDP information, including timer and hold-time information
show lldp interface {receive | transmit} -> Displays information about the interfaces on which LLDP is enabled
show lldp neighbors [detail] -> Displays detailed information about neighboring devices discovered using LLDP
show lldp traffic -> Displays traffic information from the LLDP table
show lldp entry [device-id] -> Displays information about a specific neighbor device listed in the LLDP table

16. Resetting a port to its default state
Switch(config)# default interface interface-type mod/num

17. Toggling between Layer 2 and Layer 3 port
-Layer 2 switch -> switch-ports only.
-Layer 3 switch -> switch-ports and routed-ports.
Switch-port
-No IP assignment.
-Supports layer 2 protocols like STP, CDP & DTP.
Routed-port
-IP assignment.
-No support for VLAN sub-interfaces (real router ports do support VLAN sub-interfaces).
-Does not support layer 2 protocols like STP, CDP & DTP.
-To check if the port is a switch-port/routed-port:
show interface interface-id
-To toggle between switch-port and routed-port:
Switch(config-if)# [no] switchport
-Use the no keyword to disable switch-port and enable routed-port.
-MLS Layer 3 interfaces:
VLAN interface
- Forwarding to adjacent device: Uses Layer 2 logic and the Layer 2 MAC address table.
- Configuration requirements: Create the VLAN interface; the VLAN must also exist.
Physical (routed) interface
- Forwarding to adjacent device: Forwards out the physical interface.
- Configuration requirements: Use the no switchport command to create a routed interface.
Port-channel (switched) interface
- Forwarding to adjacent device: Not applicable; just used as another Layer 2 forwarding path.
- Configuration requirements: No special configuration; useful with VLAN interfaces.
Port-channel (routed) interface
- Forwarding to adjacent device: Balances across links in the Port-channel.
- Configuration requirements: Needs the no switchport command to be used as a routed interface; optionally change the load-balancing method.

18. SPAN, RSPAN, and ERSPAN
-SPAN stands for Switch Port Analyzer.
RSPAN stands for Remote Switch Port Analyzer.
ERSPAN stands for Encapsulated Remote Switch Port Analyzer.
-It's a method of directing a copy of all the traffic from a source port, source ports or a source VLAN to a single port.
-Monitoring traffic can be useful in many applications; for example, all traffic from the voice VLAN can be delivered to a single switch port to facilitate call recording in a VoIP network.
-By default, both sent and received traffic is monitored, but this can be changed as desired.

A. Introduction to Port Analyzers
a. Switch Port Analyzer (SPAN):
-Source can be a port, several ports or a VLAN.
-Destination port is a single port.
-In SPAN, source and destination ports are on the same switch.

b. Remote Switch Port Analyzer (RSPAN):
-Source can be a port, several ports or a VLAN.
-In RSPAN, the destination is an RSPAN VLAN.

c. Encapsulated Remote Switch Port Analyzer (ERSPAN):
-Cisco proprietary feature.
-Available only on Catalyst 6500, 7600, Nexus, and ASR 1000 platforms to date.
-The ASR 1000 supports ERSPAN source (monitoring) only on Fast Ethernet, Gigabit Ethernet, and port-channel interfaces.
-Source can be a port, several ports or a VLAN.
-ERSPAN supports jumbo frames up to 9202 bytes.
-It adds a 50-byte header to copied Layer 2 Ethernet frames.
-In ERSPAN, the destination port is a single port.
-A Generic Routing Encapsulation (GRE) tunnel is created for all the captured traffic, which allows it to be extended across Layer 3 domains.

B. Characteristics
a. Characteristics of Source Port:
i. It can be any port type such as Routed port, Switch port, Access port, Trunk port or
EtherChannel port (either one physical port or entire port-channel interface)
ii. It can be monitored in multiple SPAN sessions.
iii. Each source port can be configured with a direction (ingress, egress, or both) to
monitor. For EtherChannel sources, the monitored direction applies to all physical
ports in the group.
iv. Source ports can be in the same or different VLANs.
v. For VLAN SPAN sources, all active ports in the source VLAN are included as
source ports.
vi. If source of SPAN/RSPAN/ERSPAN is a VLAN, then all ports in that VLAN are
monitored. As you add/remove ports from VLAN, the sources are dynamically
updated to include/exclude ports.
vii. A source port cannot be a destination port and vice versa.
viii. Traffic from a non-source VLAN is discarded when it arrives on a source VLAN.

b. VLAN filtering:
i. It’s also possible to configure a trunk port as the source of a SPAN or RSPAN
session. In this case, all VLANs on the trunk are monitored by default; the filter
vlan command option can be configured to limit the VLANs being monitored in this
situation.
ii. VLAN filtering applies only to trunk ports or to voice VLAN ports.
iii. VLAN filtering affects only traffic forwarded to the destination SPAN port and does
not affect the switching of normal traffic.
iv. You cannot mix source VLANs and filter VLANs within a session. You can have
source VLANs or filter VLANs, but not both at the same time.

c. Characteristics of Destination Port:
i. A destination port can be any Ethernet physical port.
ii. A destination port can participate in only one SPAN session at a time. A destination port in one SPAN session cannot be a destination port for a second SPAN session.
iii. A destination port cannot be a source port.
iv. A destination port cannot be an EtherChannel group.
v. Destination ports do not support:
- 802.1x authentication
- Port security
- Private VLANs
- Any Layer 2 protocols (VTP, DTP, STP, CDP, LLDP, etc.)

C. Restrictions and Conditions
i. When you configure a destination port, its original configuration is overwritten. If the SPAN configuration is removed, the original configuration on that port is restored.
ii. When you configure a destination port, the port is removed from any EtherChannel bundle if it was part of one. If it was a routed port, the SPAN destination configuration overrides the routed port configuration.

SPAN, RSPAN, and ERSPAN require compliance with a number of specific conditions to work. For SPAN, the key restrictions include the following:
i. The source can be either one or more ports or a VLAN, but not a mix of these.
ii. Up to 64 SPAN destination ports can be configured on a switch.
iii. Switched or routed ports can be configured as SPAN source ports or SPAN destination ports.
iv. Be careful to avoid overloading the SPAN destination port. A 100-Mbps source port can easily overload a 10-Mbps destination port; it's even easier to overload a 100-Mbps destination port when the source is a VLAN.
v. Within a single SPAN session, you cannot deliver traffic to a destination port when it is sourced by a mix of SPAN, RSPAN, or ERSPAN source ports or VLANs. This restriction comes into play when you want to mirror traffic to both a local port on a switch (in SPAN) and a remote port on another switch (in RSPAN or ERSPAN mode).
vi. Only one SPAN/RSPAN/ERSPAN session can send traffic to a single destination port.
vii. A SPAN destination port ceases to act as a normal switch port. That is, it passes only SPAN-related traffic.
viii. Traffic that is routed from another VLAN to a source VLAN cannot be monitored with SPAN. An easy way to understand this concept is that only traffic that enters or exits the switch in a source port or VLAN is forwarded in a SPAN session. In other words, if the traffic comes from another source within the switch (by routing from another VLAN, for example), that traffic isn't forwarded through SPAN.

D. Configurations
a. SPAN Configuration:
Note:
- The only limitation on session numbering is that the session number must be 1-64.
- There can be only one destination port.
- Always specify the destination port after the SPAN source.

-Configuration:
Step 1: Configure the source port/ports/VLAN.
Switch(config)# monitor session session-number source {interface | vlan} {interface-id [or interface-range] | vlan-id} [rx | tx | both]
rx -> Monitor received traffic only
tx -> Monitor transmitted traffic only
both -> Monitor transmitted and received traffic

Step 2 (Optional): If the source is a trunk port, you can also filter the VLANs coming out of the trunk.
Switch(config)# monitor session session-number filter vlan {vlan-id | vlan-list}

Step 3: Configure the destination port.
Switch(config)# monitor session session-number destination interface interface-id

-Verification: show monitor session session-number

-Example of SPAN:
Configure a switch to send the following traffic to interface fa0/24, preserving the encapsulation from the source.
- Received on interface fa0/18.
- Sent on interface fa0/9.
- Sent and received on interface fa0/19 (which is a trunk). Also apply a VLAN filter of VLANs 1, 2, 3 and 229 to the traffic coming from that interface.
Switch(config)# monitor session 1 source interface fa0/18 rx
Switch(config)# monitor session 1 source interface fa0/9 tx
Switch(config)# monitor session 1 source interface fa0/19 both
Switch(config)# monitor session 1 filter vlan 1-3,229
Switch(config)# monitor session 1 destination interface fa0/24 encapsulation replicate

b. RSPAN Configuration:
Note:
- The only limitation on session numbering is that the session number must be 1-64.
- It is permissible to use different session numbers on different switches in RSPAN.

-Configuration:
On Source Switch:
Step 1: In order to configure RSPAN, you need to have an RSPAN VLAN. Those VLANs have special properties and cannot be assigned to any access ports.
Configuring RSPAN VLAN:
Switch(config)# vlan vlan-id
Switch(config-vlan)# remote-span
Verifying RSPAN VLAN: show vlan remote-span

Step 2: Configure the source port/ports/VLAN.
Switch(config)# monitor session session-number source {interface | vlan} {interface-id [or interface-range] | vlan-id} [rx | tx | both]
rx -> Monitor received traffic only
tx -> Monitor transmitted traffic only
both -> Monitor transmitted and received traffic

Step 3 (Optional): If the source is a trunk port, you can also filter the VLANs coming out of the trunk.
Switch(config)# monitor session session-number filter vlan {vlan-id | vlan-list}

Step 4: Configure the destination remote VLAN.
Switch(config)# monitor session session-number destination remote vlan vlan-id

On Destination Switch:
Step 1: Configure the RSPAN VLAN with the same ID as on the source switches.
Configuring RSPAN VLAN:
Switch(config)# vlan vlan-id
Switch(config-vlan)# remote-span
Verifying RSPAN VLAN: show vlan remote-span

Step 2: Configure the source VLAN.
Switch(config)# monitor session session-number source remote vlan vlan-id

Step 3: Configure the destination port of the RSPAN VLAN.
Switch(config)# monitor session session-number destination interface interface-id

-Verification: show monitor session session-number

Note:
- Usually SPAN/RSPAN ignores Layer 2 traffic like CDP, spanning-tree BPDUs, VTP, DTP and PAgP frames. However, these traffic types can be forwarded along with the normal SPAN traffic if the encapsulation replicate Cisco IOS command is configured on a Cisco Catalyst switch.

-Example of RSPAN:
Configure 2 switches, IDF-SYR1 and IDF-SYR2, to send traffic to RSPAN VLAN 199, which is delivered to port fa0/24 on switch MDF-SYR9, as follows.
- From IDF-SYR1, all traffic received on VLANs 66-68
- From IDF-SYR2, all traffic received on VLAN 9
- From IDF-SYR2, all traffic sent and received on VLAN 11

IDF-SYR1(config)#vlan 199
IDF-SYR1(config-vlan)#remote-span
IDF-SYR1(config-vlan)#exit
IDF-SYR1(config)#monitor session 1 source vlan 66-68 rx
IDF-SYR1(config)#monitor session 1 destination remote vlan 199
IDF-SYR2(config)#vlan 199
IDF-SYR2(config-vlan)#remote-span
IDF-SYR2(config-vlan)#exit
IDF-SYR2(config)#monitor session 2 source vlan 9 rx
IDF-SYR2(config)#monitor session 2 source vlan 11
IDF-SYR2(config)#monitor session 2 destination remote vlan 199 encapsulation replicate
MDF-SYR9(config)#vlan 199
MDF-SYR9(config-vlan)#remote-span
MDF-SYR9(config-vlan)#exit
MDF-SYR9(config)#monitor session 3 source remote vlan 199
MDF-SYR9(config)#monitor session 3 destination interface fa0/24
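The SPAN and RSPAN restrictions and the two examples above as an added Python example (not code from the original notes, and not a switch feature): validate() parses monitor session lines with their CLI prompts and returns the restrictions they violate; GOOD_SPAN is the SPAN example above, and BAD_SPAN is a constructed configuration that breaks several rules.

```python
"""Check SPAN/RSPAN monitor-session lines against the restrictions above.
Added example, not code from the original notes; it never talks to a switch.
It strips the CLI prompt from lines as typed in sections D.a and D.b and reports:
a session number outside 1-64, not exactly one destination, a port that is both
source and destination, ports mixed with a VLAN as source, source VLANs combined
with filter VLANs, a destination port shared by two sessions, and an RSPAN VLAN
used without a remote-span declaration.
"""
import re
from collections import defaultdict

PROMPT_RE = re.compile(r"^\s*(?:\S+\([^)]*\)#)?\s*")   # strips "Sw(config)#"
MONITOR_RE = re.compile(r"^monitor session (\d+) (source|destination|filter) (.+)$")

def expand_range(spec):
    """'1-3,229' -> {1, 2, 3, 229}: VLAN lists exactly as typed on the CLI."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(config_text):
    """Return ({session number: fields}, set of VLANs declared remote-span)."""
    sessions = defaultdict(lambda: {"src_ifaces": set(), "src_vlans": set(),
                                    "filter_vlans": set(), "rspan_used": set(), "dst": []})
    rspan_vlans, current_vlan = set(), None
    for raw in config_text.splitlines():
        cmd = PROMPT_RE.sub("", raw).strip().lower()
        if cmd.startswith("vlan ") and cmd[5:].isdigit():
            current_vlan = int(cmd[5:])
        elif cmd in ("remote-span", "remote span") and current_vlan is not None:
            rspan_vlans.add(current_vlan)
        mon = MONITOR_RE.match(cmd)
        if not mon:
            continue
        s, kind, args = sessions[int(mon.group(1))], mon.group(2), mon.group(3).split()
        if kind == "source" and args[0] == "interface":
            s["src_ifaces"].add(args[1])
        elif kind == "source" and args[0] == "vlan":
            s["src_vlans"] |= expand_range(args[1])
        elif kind == "source" and args[0] == "remote":       # RSPAN destination switch
            s["rspan_used"].add(int(args[2]))
        elif kind == "filter" and args[0] == "vlan":
            s["filter_vlans"] |= expand_range(args[1])
        elif kind == "destination" and args[0] == "interface":
            s["dst"].append(args[1])
        elif kind == "destination" and args[0] == "remote":  # RSPAN source switch
            s["dst"].append(f"remote vlan {args[2]}")
            s["rspan_used"].add(int(args[2]))
    return dict(sessions), rspan_vlans

def validate(config_text):
    """Return the violated restrictions; an empty list means the config passes."""
    sessions, rspan_vlans = parse_config(config_text)
    problems, dst_users = [], defaultdict(list)
    for num, s in sorted(sessions.items()):
        if not 1 <= num <= 64:
            problems.append(f"session {num}: session number must be 1-64")
        if len(s["dst"]) != 1:
            problems.append(f"session {num}: exactly one destination is required")
        if s["src_ifaces"] and s["src_vlans"]:
            problems.append(f"session {num}: source cannot mix ports and a VLAN")
        if s["src_vlans"] and s["filter_vlans"]:
            problems.append(f"session {num}: source VLANs and filter VLANs cannot be combined")
        for vlan in sorted(s["rspan_used"] - rspan_vlans):
            problems.append(f"session {num}: VLAN {vlan} is not declared remote-span")
        for dst in s["dst"]:
            if dst in s["src_ifaces"]:
                problems.append(f"session {num}: {dst} is both source and destination")
            dst_users[dst].append(num)
    for dst, nums in dst_users.items():
        if not dst.startswith("remote vlan") and len(nums) > 1:
            problems.append(f"destination {dst} is shared by sessions {nums}")
    return problems

# Constructed inputs: the SPAN example above and a deliberately broken configuration.
GOOD_SPAN = """\
Switch(config)# monitor session 1 source interface fa0/18 rx
Switch(config)# monitor session 1 source interface fa0/9 tx
Switch(config)# monitor session 1 source interface fa0/19 both
Switch(config)# monitor session 1 filter vlan 1-3,229
Switch(config)# monitor session 1 destination interface fa0/24 encapsulation replicate
"""
BAD_SPAN = """\
Switch(config)# monitor session 70 source interface fa0/1 both
Switch(config)# monitor session 70 destination interface fa0/1
Switch(config)# monitor session 2 source vlan 10
Switch(config)# monitor session 2 filter vlan 10
Switch(config)# monitor session 2 destination interface fa0/2
Switch(config)# monitor session 3 source interface fa0/3
Switch(config)# monitor session 3 destination interface fa0/2
"""
```

Running validate(GOOD_SPAN) returns an empty list, while validate(BAD_SPAN) lists the session-number, source/destination, VLAN-filter and shared-destination violations.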

c. ERSPAN Configuration Example:
Note:
- ERSPAN ID ranges from 1-1023.

Configure ERSPAN on the devices so that the traffic of port Gi1.23 of router R2 is captured and sent to interface Gi2 of R1.

R2(config)#monitor session 10 type erspan-source
R2(config-mon-erspan-src)# source interface GigabitEthernet1.23
R2(config-mon-erspan-src)# filter vlan 23
R2(config-mon-erspan-src)# destination
R2(config-mon-erspan-src-dst)# erspan-id 100
R2(config-mon-erspan-src-dst)# ip address 1.1.1.1
R2(config-mon-erspan-src-dst)# origin ip address 2.2.2.2
R2(config-mon-erspan-src-dst)# no shutdown

R1(config)#monitor session 10 type erspan-destination
R1(config-mon-erspan-dst)# destination interface GigabitEthernet2
R1(config-mon-erspan-dst)# source
R1(config-mon-erspan-dst-src)# erspan-id 100
R1(config-mon-erspan-dst-src)# ip address 1.1.1.1
R1(config-mon-erspan-dst-src)# no shutdown