Local Span 1

By Chris August 30, 2016 09:05

The first step to see useful SPAN output in a network analyzer (like Wireshark) begins with a packet capture. In a network with Cisco switches, that means configuring a Switched Port Analyzer (SPAN) session to direct the to-be-captured messages to the analyzer. This next lab gives you some basic requirements, with a common over-arching requirement: collect all the messages that matter, while avoiding gathering too many messages.


Configure local SPAN on switch SW1 in the figure. Note that with SPAN it is difficult to capture exactly the subset of messages you want to capture. So, you have two goals: a primary goal that defines all the messages that you must capture, and secondary goal of capturing as few extra messages beyond those requested as part of the primary goal.

The requirements for this lab are as follows:

  • The primary goal: capture all frames flowing between PC1 and PC2
  • The secondary goal: capture as few extra frames as possible, which then requires less filtering on the network analyzer to then show all the messages sent between PC1 and PC2.
  • Configure all SPAN parameters, even default parameters, in an effort to practice remembering all command parameters
  • You may capture per interface, or per VLAN, and for any direction needed to meet the goals
  • As for the topology:
    • All devices sit in VLAN 2
    • All devices use IP addresses in subnet, with the last octet of each respective address shown in the figure near the device.
    • Trunking is not used between the switch and the router
    • The rest of the enterprise network (not shown) exists to the right of the router
    • The server on the left is the network analyzer

Figure 1: Single Switch Topology for Local SPAN Configuration


Initial Configuration

Example 1 shows the initial configuration on switch SW1.


Example 1: Switch SW1 Configuration


Answer on Paper, or Maybe Test in Lab

To answer on paper, the process is of course simple: write your answer, and check it against the answer post that follows this post.

To test in lab, if you build this lab exercise in hardware, you will need to download and install a network analyzer on the computer that sits where the server sits in the figure. The process of how to do that is beyond the scope of this lab. However, if you start at www.wireshark.org and follow the instructions.


Do this Lab with Cisco’s VIRL

You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for the Virtual Internet Routing Lab (VIRL) software as well. The .VIRL file found here is a file that when used with VIRL will load a lab topology similar to this lab’s topology, with the initial configuration shown in the lab. This section lists any differences between the lab exercise and the .VIRL file’s topology and configuration.

Download this lab’s VIRL file!

The virl topology matches this lab topology exactly. The host info does as well.


Host device info:

This table lists host information pre-configured in VIRL, information that might not be required by the lab but may be useful to you.

Device IP Address User/password
PC1 cisco/cisco
PC2 cisco/cisco
PC3 cisco/cisco
PC4 cisco/cisco
Wireshark cisco/cisco


Handy Host Commands:

To see PC IP address: ifconfig eth1

Ping example: ping6 -c4 2001:0:0:10::100

Trace example: tracepath6 2001:0:0:10::1


A Word about Packet Captures for this Lab

VIRL does support the ability to capture packets, which allows you to then feed the packets into Wireshark running on your computer. Basically you tell VIRL on what interface to capture, and then direct VIRL where to send the packets. However, the specifics require several steps. So, I’ve left the rest of the details out of the blog post here, other than to mention that you can further research this feature on your own if you happen to use VIRL.

Protecting CLI Access 2
Answers: Protecting CLI Access 2
By Chris August 30, 2016 09:05
Write a comment

No Comments

No Comments Yet!

Let me tell You a sad story ! There are no comments yet, but You can be first one to comment this article.

Write a comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email


Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.