Local Span 1
The first step to see useful SPAN output in a network analyzer (like Wireshark) begins with a packet capture. In a network with Cisco switches, that means configuring a Switched Port Analyzer (SPAN) session to direct the to-be-captured messages to the analyzer. This next lab gives you some basic requirements, with a common over-arching requirement: collect all the messages that matter, while avoiding gathering too many messages.
Requirements
Configure local SPAN on switch SW1 in the figure. Note that with SPAN it is difficult to capture exactly the subset of messages you want to capture. So, you have two goals: a primary goal that defines all the messages that you must capture, and secondary goal of capturing as few extra messages beyond those requested as part of the primary goal.
The requirements for this lab are as follows:
- The primary goal: capture all frames flowing between PC1 and PC2
- The secondary goal: capture as few extra frames as possible, which then requires less filtering on the network analyzer to then show all the messages sent between PC1 and PC2.
- Configure all SPAN parameters, even default parameters, in an effort to practice remembering all command parameters
- You may capture per interface, or per VLAN, and for any direction needed to meet the goals
- As for the topology:
- All devices sit in VLAN 2
- All devices use IP addresses in subnet 172.16.2.0/24, with the last octet of each respective address shown in the figure near the device.
- Trunking is not used between the switch and the router
- The rest of the enterprise network (not shown) exists to the right of the router
- The server on the left is the network analyzer
Figure 1: Single Switch Topology for Local SPAN Configuration
Initial Configuration
Example 1 shows the initial configuration on switch SW1.
Example 1: Switch SW1 Configuration
hostname SW1 ! vlan 2 ! interface GigabitEthernet0/1 switchport mode access switchport access vlan 2 ! interface GigabitEthernet0/2 switchport mode access switchport access vlan 2 ! interface GigabitEthernet0/3 switchport mode access switchport access vlan 2 ! interface GigabitEthernet1/0 switchport mode access switchport access vlan 2 ! interface GigabitEthernet1/1 switchport mode access switchport access vlan 2 ! interface GigabitEthernet1/2 switchport mode access switchport access vlan 2
Answer on Paper, or Maybe Test in Lab
To answer on paper, the process is of course simple: write your answer, and check it against the answer post that follows this post.
To test in lab, if you build this lab exercise in hardware, you will need to download and install a network analyzer on the computer that sits where the server sits in the figure. The process of how to do that is beyond the scope of this lab. However, if you start at www.wireshark.org and follow the instructions.
Do this Lab with Cisco’s CML (Formerly VIRL)
You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for Cisco Modeling Lab – Personal (CML-P). CML-P replaces Cisco Virtual Internet Routing Lab (VIRL) software, in effect serving as VIRL Version 2.
Below, find two files: a file useful with CML-P and another useful with VIRL. (Note that the CML-P file has a .yaml filetype, while the older VIRL file has a VIRL filetype.) Once the file is loaded, CML-P or VIRL will create a lab topology similar to this lab’s topology, with the initial configuration shown in the lab as well.
The CML/VIRL topology matches this lab topology exactly. The host info does as well.
Host device info:
This table lists host information pre-configured in VIRL, information that might not be required by the lab but may be useful to you.
| Device | IP Address | User/password |
| PC1 | 172.16.2.1 | cisco/cisco |
| PC2 | 172.16.2.2 | cisco/cisco |
| PC3 | 172.16.2.3 | cisco/cisco |
| PC4 | 172.16.2.4 | cisco/cisco |
| Wireshark | 172.16.2.5 | cisco/cisco |
| R1 | 172.16.2.6 |
Handy Host Commands:
To see PC IP address: ifconfig eth1
Ping example: ping6 -c4 2001:0:0:10::100
Trace example: tracepath6 2001:0:0:10::1
A Word about Packet Captures for this Lab
VIRL does support the ability to capture packets, which allows you to then feed the packets into Wireshark running on your computer. Basically you tell VIRL on what interface to capture, and then direct VIRL where to send the packets. However, the specifics require several steps. So, I’ve left the rest of the details out of the blog post here, other than to mention that you can further research this feature on your own if you happen to use VIRL.
