How the switch Port Analyzer works

The Switch Port Analyzer (Switchedportanalyzer) is primarily designed to provide network data flow to some network analyzer.

Switch Port Analyzer

It can either implement several source ports in one VLAN to mirror data to a monitoring port, or mirror data from several VLANs to a managed port. All data flows flowing on port 5th on the source port are mirrored to the 10th monitor port, and the data analysis device receives all data streams from port 5th via the monitoring port.

It is noteworthy that the source and mirror ports must be on the same switch (but there are exceptions, such as the Catalyst6000 series switch), and that span does not affect the data exchange of the source port, it simply sends a copy of the packet sent or received by the source port to the monitoring port.

In the span task, the user can use parameter control to indicate the type of data flow that needs to be monitored, and one or more end, port, one or more VLANs can be used as the source port, and the one-way or bidirectional data sent or received from these ports will be transmitted to the monitoring port.

In the Catalyst4006 switch, you can configure up to 6 one-way span tasks: 2 input data flow monitoring and 4 output data flow monitoring. A bi-directional span task actually contains a one-way input and a one-way output. And not only the two-tier switching port can be used as the source port, the three-tier routing port on the Catalyst4006 can also be set as the source port.

The span task does not affect the normal operation of the switch. When a span task is established, the task is activated or inactive depending on the status or operation of the switch, and it is logged. The showmonitorsession command shows the current state of span.

If a system reboot is encountered, the span task is inactive until the destination port initialization is complete. The destination port (monitoring port) can be either an exchange or a routing port on the switch. When a destination port is active, any packets sent to that port that are not related to the span task are discarded.

A destination port can only be in a span task. When a port is made into a destination port, it can no longer be a source port, and redundant link ports cannot be the destination ports for spans. In particular, if a trunk port is configured as the destination port for the switch Port Analyzer, its trunk function will automatically stop.

The source port can also be called the monitored port. In a span task, you can have one or more source ports, and you can set the input direction, output direction, or bidirectional according to the user's needs, but in either case, all source ports must be monitored in the same direction in a span task.

The VLAN on the Catalyst4006 switch can also be set to the source port as a whole, which means that all ports in the specified VLAN are the source ports in the current span task.

The trunk port can be set separately as the source port. Can also be set as a source port with a trunk port, but note that the monitoring port does not recognize the data encapsulation format from the trunk port for different VLANs, in other words, packets received on the monitoring port will not be able to discern which VLAN is coming from.

Classification and configuration of span data streams

The VLAN based switch Port Analyzer is a monitoring object with one or several VLANs, all of which are source ports, similar to port based spans, VLAN based spans are divided into three types of input data flow, output data stream and bidirectional data flow monitoring. The following statement:

(1) input data stream (Ingressspan): Refers to the source port received, its data copy sent to the monitoring port data flow;

(2) output data stream (Egressspan): Refers to send out from the source port, the data copy sent to the monitoring port data stream;

(3) Bidirectional data Flow (Bothspan): That is, the combination of the above two kinds.

In the process of configuring a VLAN-based span task, several points should be noted:

(1) The trunk port can be included in the source port;

(2) For bidirectional span tasks, if there is data exchange between the two source ports in the source VLAN, then two copies of each packet will be forwarded to the mirror port;

(3) for span tasks with multiple source VLANs, if a source VLAN is deleted, the VLAN will also be removed from the source VLAN list;

(4) A VLAN in the inactive state cannot participate in span tasks;

(5) For a source VLAN set to input data flow monitoring, routing information packets from other VLANs are not mirrored, and the routing information packets sent from the VLAN set to the output data stream are also not mirrored. In other words, the VLAN-based span task mirrors only packets going in and out of the two-tier exchange port, not the routing information between the VLANs. Non-routed packets, including multicast packets and BPDU (Bridging Protocol Data Unit) packets, that are transmitted across the network can be mirrored using the span task.

Switch Port Analyzer with some tasks configured, multiple copies of the same span source port packet are sent to the span monitoring port. As mentioned earlier, in a bi-directional span task, assume that A1 and A2 are the source ports, D1 is the destination port, and if there is packet transmission between A1 and A2, packets sent to A1 in A2 will be transmitted to D1 two times, and vice versa.