Configuring RSPAN Ingestion

Remote SPAN (RSPAN) is an extension of the SPAN port mirroring technology that uses a dedicated internal VLAN to mirror L2 traffic from multiple switches to a single SPAN port. All L2 traffic included as part of the RSPAN session flows out of the SPAN port and can be ingested by a connected Sensor without any special configuration.

To ingest RSPAN:

1. Configure RSPAN on your Cisco switch.
2. Connect your Sensor to the SPAN port.
3. Verify Ingestion.

Configuring RSPAN on Your Cisco Switch

To configure RSPAN on your Cisco switches:

1. Configure RSPAN to mirror specified traffic from one or more switches to a specific SPAN port.

Connect Sensor to SPAN Port

Connect one of the Sensor's data ports to the SPAN port used as the destination for the RSPAN session.

Verifying Ingestion

To verify ingestion:

1. Click Investigate | Threat Hunting. The Interflow Search tab appears.
2. Change the Indices to Traffic. The table immediately updates to show ingested Interflow records.