SPAN
Switch Port Analyzer (SPAN) is a feature we run on switches to capture packets between two devices. The two devices can be connected to the same switch, to different switches, or even sit in different geographical locations.
SPAN copies the complete traffic of a source port or source VLAN to a destination port or destination VLAN, and can capture traffic in both directions on the source port (ingress traffic and egress traffic on the source port).
Ingress SPAN:- the capture is taken before any modification is applied to the data, such as ACL filtering, VLAN ACLs or QoS marking.
Egress SPAN:- the capture is taken after all modification, filtering and marking has been applied to the data.
We use this feature to:-
· Monitor traffic
· Troubleshoot network issues
· Troubleshoot connection issues by identifying the packets involved
· Inspect packet encapsulation and encryption
· Measure packet input by decrypting the captured packets with predefined keys
SPAN comes in three flavours:
1. SPAN/Local SPAN
2. RSPAN (Remote SPAN)
3. ERSPAN (Encapsulated Remote SPAN)
SPAN Source Port Types:-
· Physical Port (FastEthernet, GigabitEthernet...)
· Logical Port (Port-channel/EtherChannel, which includes all the ports in the same logical link)
· VLAN (includes all active ports in that VLAN)
· Access Port
· Trunk Port
· Routed Port
SPAN Destination Port Types:-
· Physical Port
· Access Port
· The destination port is used only for monitoring, i.e. receiving the copied SPAN traffic
· The destination port cannot generate traffic of its own to communicate with other networks
· The destination port cannot be part of any other network segment
SPAN/Local SPAN
Local SPAN captures the data from one interface and replicates it to another interface on the same switch.
We can use one port, multiple ports or a range of ports as the source.
The source port can be a Layer 2 or a Layer 3 port on the switch.
The SPAN source can be a physical interface or a logical interface.
A VLAN can also be used as a SPAN source.
When we choose a destination port, its existing configuration is overridden, and if the port is a member of a port-channel it is removed from it.
The destination port is used only to receive the copied traffic.
The destination port cannot send its own traffic.
The destination port cannot take part in normal network communication.
By default SPAN captures traffic in both directions.
We can configure a maximum of 64 SPAN sessions on a switch.
Configuration Template for Source:-
monitor session 1 source interface Ethernet 0/0 | To capture data from interface E0/0 (ingress and egress)
monitor session 1 source interface Ethernet 0/0 , Ethernet 0/1 | To capture data from two interfaces
monitor session 1 source interface Ethernet 0/0 - 2 | To capture data from a range of interfaces
monitor session 1 source interface Ethernet 0/0 rx | To capture ingress traffic only
monitor session 1 source interface Ethernet 0/0 tx | To capture egress traffic only
monitor session 1 source interface Ethernet 0/0 both | To capture both ingress and egress traffic
monitor session 1 source interface port-channel 1 | To capture data from a port-channel
monitor session 1 source vlan 1 | To capture data from a VLAN
Configuration Template for Destination:-
monitor session 1 destination interface Ethernet 0/1 | To send the captured data to the destination interface
monitor session 1 destination interface Ethernet 0/1 encapsulation replicate | To send the captured data, including control-plane frames (DTP, VTP, STP...), to the destination interface
RSPAN/Remote SPAN
RSPAN captures traffic on one switch and carries it to another switch; when the source and destination interfaces are on different switches, we configure RSPAN to monitor the traffic.
The RSPAN configuration is almost the same as Local SPAN, but because the data has to reach a remote switch we configure one extra element: the remote VLAN (RSPAN VLAN).
The remote VLAN must be configured on both switches to send and receive the traffic. On the first switch the remote VLAN is configured as the SPAN destination, and on the other switch it is configured as the SPAN source.
RSPAN lets the captured traffic travel across multiple switches until it reaches the real destination, the analyzer.
Configuration Template for Remote VLAN on All Switches:-
vlan 101 | To create the VLAN used for RSPAN
 remote-span | To mark the VLAN as an RSPAN VLAN that carries the captured traffic to the other switch
Configuration Template for First Switch:-
monitor session 1 source interface Ethernet 0/0 | To capture data from interface E0/0 (ingress and egress)
monitor session 1 destination remote vlan 101 | To send the data to the remote switch over the RSPAN VLAN
Configuration Template for Remote Switch:-
monitor session 1 source remote vlan 101 | To receive the data arriving on RSPAN VLAN 101
monitor session 1 destination interface Ethernet 0/0 | To send the data to the destination interface
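The rules stated for Local SPAN (a destination port only receives copied traffic, at most 64 sessions per switch) and for RSPAN (the RSPAN VLAN must be declared remote-span on every switch it crosses) can be checked against saved configurations before a change window, or as a periodic audit for unexpected mirror sessions. The Python script below is an added example, not code from the original page or from Cisco: the two switch configs are constructed samples in the shape of the templates above, and the parser is a small line-based reader that understands only the `monitor session`, `vlan` and `remote-span` lines shown in those templates (interface ranges and lists are not expanded).

```python
"""Audit 'monitor session' lines from switch configs against the Local SPAN and RSPAN rules
stated in the text. Added example; the configs below are constructed samples."""
import re
from collections import defaultdict

MAX_SPAN_SESSIONS = 64  # per-switch limit stated in the text

# Constructed running-config excerpts for the two switches of the RSPAN scenario.
# sw1 deliberately reuses Ethernet0/3 as source and destination in session 2,
# and sw2 forgets the 'remote-span' flag on VLAN 101, so both rules fire.
SAMPLE_CONFIGS = {
    "sw1": """\
vlan 101
 remote-span
monitor session 1 source interface Ethernet0/0
monitor session 1 destination remote vlan 101
monitor session 2 source interface Ethernet0/3 rx
monitor session 2 destination interface Ethernet0/3
""",
    "sw2": """\
vlan 101
monitor session 1 source remote vlan 101
monitor session 1 destination interface Ethernet0/0
""",
}

SESSION_RE = re.compile(
    r"^monitor session (?P<id>\d+) (?P<role>source|destination) "
    r"(?P<kind>interface|remote vlan|vlan) (?P<target>\S+)(?: (?P<dir>rx|tx|both))?$"
)


def parse_switch_config(text):
    """Return (sessions, remote_span_vlans) for one switch.

    sessions maps session id -> {"sources": [(kind, target, direction)],
                                 "destinations": [(kind, target)]}
    remote_span_vlans is the set of VLAN ids carrying 'remote-span'.
    Interface ranges/lists ("Ethernet0/0 - 2") are not expanded by this reader.
    """
    sessions = defaultdict(lambda: {"sources": [], "destinations": []})
    remote_span_vlans = set()
    current_vlan = None
    for line in text.splitlines():
        if not line.strip():
            continue
        vlan_match = re.match(r"^vlan (\d+)$", line)
        if vlan_match:
            current_vlan = int(vlan_match.group(1))
            continue
        if line.strip() == "remote-span" and current_vlan is not None:
            remote_span_vlans.add(current_vlan)
            continue
        if not line.startswith(" "):
            current_vlan = None  # any top-level command leaves vlan sub-mode
        m = SESSION_RE.match(line)
        if not m:
            continue
        sid = int(m.group("id"))
        if m.group("role") == "source":
            sessions[sid]["sources"].append(
                (m.group("kind"), m.group("target"), m.group("dir") or "both"))
        else:
            sessions[sid]["destinations"].append((m.group("kind"), m.group("target")))
    return dict(sessions), remote_span_vlans


def audit_span(configs):
    """Apply the rules from the text to {switch_name: config_text}; return a list of findings."""
    findings = []
    parsed = {name: parse_switch_config(text) for name, text in configs.items()}
    rspan_vlans_in_use = set()
    for name, (sessions, _) in parsed.items():
        if len(sessions) > MAX_SPAN_SESSIONS:
            findings.append(f"{name}: {len(sessions)} SPAN sessions exceeds the limit of {MAX_SPAN_SESSIONS}")
        source_ifaces = {t for s in sessions.values() for k, t, _ in s["sources"] if k == "interface"}
        for sid, s in sorted(sessions.items()):
            if not s["sources"] or not s["destinations"]:
                findings.append(f"{name}: session {sid} is incomplete (needs a source and a destination)")
            for kind, target in s["destinations"]:
                if kind == "interface" and target in source_ifaces:
                    findings.append(f"{name}: session {sid} destination {target} is also a SPAN source; "
                                    "a destination port only receives mirrored traffic")
                elif kind == "remote vlan":
                    rspan_vlans_in_use.add(int(target))
            for kind, target, _ in s["sources"]:
                if kind == "remote vlan":
                    rspan_vlans_in_use.add(int(target))
    # The RSPAN VLAN must be declared remote-span on every switch it transits.
    for vid in sorted(rspan_vlans_in_use):
        missing = sorted(n for n, (_, rv) in parsed.items() if vid not in rv)
        if missing:
            findings.append(f"RSPAN VLAN {vid} is not declared remote-span on: {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for finding in audit_span(SAMPLE_CONFIGS):
        print(finding)
```

Run against the two sample configs it reports the reused Ethernet0/3 on sw1 and the missing remote-span flag on sw2; feed it the real configs of every switch in the RSPAN path and an empty list means the templates above were applied consistently.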
ERSPAN/Encapsulated Remote SPAN
ERSPAN adds a new feature: GRE (Generic Routing Encapsulation).
To carry the captured data from one geographical location to another we need GRE tunnels.
Over GRE tunnels we can transfer the captured data to a remote device or analyzer.
The ERSPAN feature is only available on the Catalyst 6500, 7600, Nexus and ASR platforms.
Regardless of the configured MTU size, ERSPAN creates a Layer 3 packet that can be as long as 9202 bytes.
ERSPAN traffic might therefore be dropped by any interface in the path that enforces an MTU smaller than 9202 bytes.
ERSPAN does not support packet fragmentation; the DF bit is already set in the IP header of the ERSPAN packet.
ERSPAN is not capable of reassembling fragmented packets.
The ERSPAN ID makes the packets of one ERSPAN source session distinguishable from those of other source sessions; the ERSPAN ID configured on the source must match the one configured on the ERSPAN destination.
Configuration Template for First Switch:-
monitor session 1 type erspan-source | To create the ERSPAN source session
 description Source_of_origin | Session description
 source interface FastEthernet 0/1 | Session source interface to be captured
 no shutdown | Activate the ERSPAN source session
 destination | Enter destination config mode in the source session
  ip address 2.2.2.2 | Destination IP address (the ERSPAN destination device)
  origin ip address 1.1.1.1 | IP address used as the source of the ERSPAN traffic
  erspan-id 200 | ERSPAN unique ID; must be the same on both ends
Configuration Template for Remote Device:-
monitor session 2 type erspan-destination | To create the ERSPAN destination session
 description Destination_of_1 | Session description
 destination interface FastEthernet 0/2 | Session destination interface (where the analyzer is connected)
 no shutdown | Activate the ERSPAN destination session
 source | Enter source config mode in the destination session
  ip address 2.2.2.2 | Source IP address (the destination IP address configured in the source session)
  erspan-id 200 | ERSPAN unique ID; must be the same on both ends
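To see what the ERSPAN statements above mean on the wire, here is an added Python example (not code from the original page, and not Cisco's implementation) that builds an ERSPAN Type II packet the way a source session with origin 1.1.1.1, destination 2.2.2.2 and ERSPAN ID 200 would, parses it back, and reports why the destination session would not see it: an ERSPAN ID that does not match, or a packet larger than the path MTU while DF is set. The header layout follows the public ERSPAN Type II draft (GRE protocol type 0x88BE, sequence number present, 8-byte ERSPAN header whose version field is 1 for Type II); the inner Ethernet frame, IP identification value and MTU figures are constructed for the example.

```python
"""Decode and sanity-check an ERSPAN Type II packet (outer IPv4 / GRE / ERSPAN header / inner frame).
Added example; header layouts follow the ERSPAN Type II draft (draft-foschiano-erspan) and the
packet is constructed here, not captured from a device."""
import socket
import struct

IP_PROTO_GRE = 47
IP_FLAG_DF = 0x4000            # Don't Fragment bit in the IPv4 flags/fragment-offset field
GRE_FLAG_SEQ = 0x1000          # GRE 'S' bit: a 4-byte sequence number follows the header
GRE_PROTO_ERSPAN_II = 0x88BE   # GRE protocol type that carries ERSPAN Type II
ERSPAN_MAX_L3_PACKET = 9202    # largest Layer 3 packet an ERSPAN source builds (from the text)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (returns 0 for a header whose checksum is valid)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_erspan_packet(inner_frame: bytes, session_id: int, seq: int = 1, vlan: int = 0,
                        src_ip: str = "1.1.1.1", dst_ip: str = "2.2.2.2") -> bytes:
    """Construct the packet an ERSPAN source session would send (origin 1.1.1.1 -> destination 2.2.2.2)."""
    if not 1 <= session_id <= 1023:
        raise ValueError("ERSPAN ID is a 10-bit field (1-1023)")
    # ERSPAN II word 1: Ver(4)=1 | VLAN(12) | COS(3) | En(2) | T(1) | Session ID(10); word 2: Reserved(12) | Index(20)
    erspan = struct.pack("!II", (1 << 28) | ((vlan & 0xFFF) << 16) | session_id, 0)
    gre = struct.pack("!HHI", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN_II, seq)
    total_len = 20 + len(gre) + len(erspan) + len(inner_frame)
    if total_len > ERSPAN_MAX_L3_PACKET:
        raise ValueError("ERSPAN packet would exceed %d bytes" % ERSPAN_MAX_L3_PACKET)
    # Outer IPv4 header with DF set and protocol 47 (GRE); checksum filled in after packing.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, IP_FLAG_DF, 64, IP_PROTO_GRE, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + gre + erspan + inner_frame


def parse_erspan_packet(pkt: bytes) -> dict:
    """Decode the outer IPv4, GRE and ERSPAN II headers; raise ValueError if it is not ERSPAN II."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != IP_PROTO_GRE:
        raise ValueError("outer packet is not IPv4 carrying GRE")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    gre_flags, gre_proto = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if gre_proto != GRE_PROTO_ERSPAN_II:
        raise ValueError("GRE payload is not ERSPAN Type II (protocol 0x%04x)" % gre_proto)
    off = ihl + 4
    seq = None
    if gre_flags & GRE_FLAG_SEQ:
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    word1, _ = struct.unpack("!II", pkt[off:off + 8])
    off += 8
    return {
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "total_length": total_len, "df": bool(flags_frag & IP_FLAG_DF), "gre_seq": seq,
        "erspan_version": word1 >> 28, "vlan": (word1 >> 16) & 0xFFF, "session_id": word1 & 0x3FF,
        "inner_frame": pkt[off:total_len],
    }


def erspan_delivery_issues(info: dict, expected_session_id: int, path_mtu: int) -> list:
    """Explain why the ERSPAN destination would not see this packet, per the rules in the text."""
    issues = []
    if info["erspan_version"] != 1:
        issues.append("not an ERSPAN Type II header (version %d)" % info["erspan_version"])
    if info["session_id"] != expected_session_id:
        issues.append("ERSPAN ID %d does not match the destination session's ID %d"
                      % (info["session_id"], expected_session_id))
    if info["total_length"] > path_mtu:
        if info["df"]:
            issues.append("%d-byte packet exceeds path MTU %d with DF set: dropped, ERSPAN does not fragment"
                          % (info["total_length"], path_mtu))
        else:
            issues.append("%d-byte packet would be fragmented, and the ERSPAN destination cannot reassemble it"
                          % info["total_length"])
    return issues


if __name__ == "__main__":
    # Constructed 60-byte inner Ethernet frame: broadcast dst, a made-up src MAC, EtherType 0x0800, padding.
    inner = b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x00" + b"\x00" * 46
    info = parse_erspan_packet(build_erspan_packet(inner, session_id=200))
    print("ERSPAN ID %d, %d bytes, DF=%s" % (info["session_id"], info["total_length"], info["df"]))
    print(erspan_delivery_issues(info, expected_session_id=200, path_mtu=1500))
    print(erspan_delivery_issues(parse_erspan_packet(build_erspan_packet(b"\x00" * 1500, 200)), 200, 1500))
```

The 36 bytes of outer IPv4, GRE and ERSPAN headers are what push a full-size 1500-byte mirrored frame past a 1500-byte path MTU; with DF set there is no fallback, which is why the text insists on a path that carries up to 9202 bytes. The parser also verifies the outer checksum and the GRE protocol type, so it will refuse captures that merely look like ERSPAN.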