1.Basic Concepts
SPAN technology is mainly used to monitor data streams on vswitches. It can be divided into two types: Local SPANLocal Switched Port Analyzer) and remote SPANRemote SPAN ).
We generally say that SPAN refers to local data, and remote data is generally called RSPAN.
These SPAN technologies can COPY some data streams on the vswitch to be monitored, also known as controlled ports) and send them to the data stream analysis device connected to the monitoring port, for example, IDS or a host with the SNIFFER tool installed. The Controlled Port and monitoring port can be local SPAN on the same vswitch, or RSPAN on different vswitches ).
Note: The local SPAN must be used on one vswitch and the rspan must not be used on one vswitch!
* If the following SPAN does not have special emphasis, it indicates both local and remote *
2. SPANMonitoring data stream type
There are three types of data streams that SPAN can monitor;
The incoming traffic of the inbound SPAN Controlled Port.
Outgoing traffic of the Controlled Port of outbound SPAN.
Both receives and sends traffic from a controlled port.
3. SPAN port type
Source Port -- SPAN Source port, also known as monitored Port, that is, the controlled port of the monitored Port)
The controlled port can be the actual physical port, VLAN, and EtherChannel. The physical port can be in different VLANs. If the controlled port is a VLAN, it includes the physical port in this VLAN, if the Controlled Port is an Ethernet channel, it includes all the physical ports that constitute the Ethernet channel. If the controlled port is a TRUNK port, all VLAN traffic carried by the TRUNK port will be monitored, you can also adjust the filter vlan parameters to only monitor the data traffic of the vlan specified in the filter VLAN.
Destination Port -- SPAN Destination port, that is, the monitoring Port-that is, the monitoring port is used to connect the monitoring device ).
The monitoring port can only be a single physical port. A monitoring port can only be used in one SPAN at the same time. The monitoring port is not used in other layer-2 protocols, such:
Cisco Discovery Protocol (CDP ),
VLAN Trunk Protocol (VTP ),
Dynamic Trunking Protocol (DTP ),
Spanning Tree Protocol (STP ),
Port Aggregation Protocol (PagP ),
Link Aggregation Control Protocol (LACP.
By default, the monitoring port does not forward any data streams other than the SPAN Session. You can also set the ingress parameter to enable the layer-2 forwarding function of the monitoring port, for example, when you connect to cisco ids, IDS not only needs to receive data streams of SPAN sessions, but also has communication traffic with other devices in the network, therefore, enable the layer-2 forwarding function of the monitoring port.
* If you set a port to a monitoring port by mistake, it will not be able to perform all communications except SPAN *
The bandwidth of the monitored port is better than or equal to the bandwidth of the controlled port. Otherwise, packet loss may occur.
4. Reflector Port --Reflection Port
* The reflection port is only used in RSPAN * and the controlled port in RSPAN is on the same vswitch and the monitoring port is not on this vswitch ), is used to forward the local controlled port data stream to the remote monitoring port on another vswitch in RSPAN. The reflection port can only be a physical port.
* The reflected port cannot belong to any VLAN *
* A dedicated VLAN is also used in RSPAN to forward traffic *. The reflection port uses this dedicated VLAN to send data streams to other switches through the TRUNK port, the remote switch then uses this dedicated VLAN to send data streams to the analyzer on the monitoring port.
When using the rspan vlan, all vswitches involved in the RSPAN should be in the same VTP domain. VLAN 1 or 1002-1005 cannot be used, which is reserved for the ring and FDDI, if it is a standard VLAN of 2-, you only need to create a VTP Server to set the VTP mode of the switch to Transparent and then create it manually.) Other switches will automatically learn, if it is an extended VLAN of-, you need to create this dedicated VLAN on all switches.
The bandwidth of the reflected port must be greater than or equal to the bandwidth of the controlled port. Otherwise, packet loss may occur.
5. SPANOf3Modes:
1. SPAN: both the source port and target port are in the same vswitch, and the source port can be one or more vswitch ports.
2. VLAN-based Switched Port Analyzer (VSPAN): A variant of SPAN. The source port is not a physical port, but a VLAN.
3. Remote exchange Port Analyzer (RSPAN): The Source Port and target port are in different vswitches.
4. ERSPAN ---- Enhanced Remoted SPAN ---- enhance SPAN
6.Notes
Monitoring ports do not participate in many communications! It will also affect some other communications! Reflection ports have less impact, but there are also problems. Most errors are caused by this.
When using SPAN to monitor a VLAN, only the traffic received by all active ports in the VLAN can be monitored. If the monitored port also belongs to this VLAN, this port is not within the monitoring range.
When using SPAN to monitor VLANs, it does not monitor the routing data between VLANs. For example, if I set up a SPAN to monitor the data streams in the inbound direction of a VLAN in a layer-3 Switch, this direction is the only one ), when a data stream is routed from another VLAN to this VLAN, this data stream is not monitored.
A port configured with port security, such as the maximum number of addresses, cannot be set as a monitoring port.
Case study: local port ImageSPAN):
Topology:
650) this. width = 650; "src =" http://www.bkjia.com/uploads/allimg/131227/0523194459-0.png "title =" 2013-08-29_181659.png "/>
SW Configuration:
[Sw1] grouping ing-group 1 local # local port Image group
[Sw1] logging ing-group 1 logging ing-port Ethernet 1/0/10 Ethernet 1/0/20 both # monitor the input and output of the Image Source port
[Sw1] logging ing-group 1 monitor-port e1/0/24 # Set port e1/0/24 as the destination port of the Local Image group
[Sw1] dis grouping ing-group 1 # view image group information
Grouping ing-group 1:
Type: local
Status: active
Processing port:
Ethernet1/0/41 both
Ethernet1/0/41 both
Monitor port: Ethernet1/0/24
PC-A switch instead) configuration: Just configure an IP address, telnet port 23 to open.
PC-A] dis cu
#
Sysname PC-A
Local-user admin
Password simple admin
Service-type ftp
#
Vlan 1
#
Interface Vlan-interface1
Ip address 192.168.2.10 255.255.255.0
PC-B firewall instead) configuration: Also an IP address, telnet port 23 open.
& Lt; PC-B & gt; dis cu
#
Sysname PC-B
#
Firewall packet-filter enable
Firewall packet-filter default permit
#
Undo insulate
#
Local-user admin
Password simple admin
Service-type telnet
#
Interface Ethernet0/0
Ip address 192.168.2.20 255.255.255.0
#
Firewall zone trust
Add interface Ethernet0/0
Set priority 85
#
PC-A telnet PC-BTest:
& Lt; PC-A & gt; telnet 192.168.2.20
Trying 192.168.2.20...
Press CTRL + K to abort
Connected to 192.168.2.20...
**************************************** ****************************************
* Copyright (c) 2004-2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved .*
* Without the owner's prior written consent ,*
* No decompiling or reverse-engineering shall be allowed .*
**************************************** ****************************************
Login authentication
Username: admin
Password:
<PC-B>
Our IPS or IDS can get data packets through packet capture software to detect the communication between the mirror source port.
650) this. width = 650; "src =" http://www.bkjia.com/uploads/allimg/131227/0523196359-1.png "title =" 2013-08-29_173812.png "/>
Remote port ImageRSPAN)
Topology:
650) this. width = 650; "src =" http://www.bkjia.com/uploads/allimg/131227/05231954K-2.png "title =" 2013-08-29_182954.png "/>
SW3 Source switch Configuration:
<SW3> dis cu
#
Sysname SW3
#
Grouping-group 1 remote-source # define the SW3 switch as a remote source Image group
#
Vlan 1
#
Vlan 10 # create VLAN 10
Remote-probe vlan enable # define VLAN 10 as the remote-probe VLAN
#
Interface Ethernet1/0/1
Port link-type trunk # configure e1/0/1 as the trunk port
Port trunk permit vlan 1 10 # configure the trunk port to allow remote-probe VLAN packets to pass through
#
Interface Ethernet1/0/5
Duplex full
Speed100
Operating ing-group 1 reflector-port # Configure port e1/0/5 as the remote reflection port
#
Interface Ethernet1/0/10
Grouping-group 1 grouping ing-port inbound # monitor input packets of e1/0/10 remote image source port
#
Interface Ethernet1/0/20
Grouping-group 1 grouping ing-port outbound # monitor output packets of e1/0/20 Remote Image Source port
#
Interface NULL0
#
Grouping-group 1 remote-probe vlan 10 # configuring remote-probe VLAN for remote source images
View the remote source image group configuration
<SW3> dis grouping ing-group remote-source
Grouping ing-group 1:
Type: remote-source
Status: active
Processing port:
Ethernet1/0/41 inbound
Ethernet1/0/42 outbound
Reflector port: Ethernet1/0/5
Remote-probe vlan: 10
SW2 intermediate switch Configuration:
<SW2> dis cu
#
Sysname SW2
#
Vlan 10
Remote-probe vlan enable # configure VLAN 10 as the remote-probe VLAN
#
Interface Ethernet1/0/1
Port link-type trunk # configure e1/0/1 as the trunk port
Port trunk permit vlan 1 10 # enable the current trunk port to allow remote-probe VLAN packets to pass through
#
Interface Ethernet1/0/24
Port link-type trunk # configure e1/0/1 as the trunk port
Port trunk permit vlan 1 10 # enable the current trunk port to allow remote-probe VLAN packets to pass through
SW1 destination switch Configuration:
<SW1> dis cu
#
Sysname SW1
#
Grouping-group 1 remote-destination # configure a remote destination image group
#
Vlan 10
Remote-probe vlan enable # define VLAN 10 as the remote-probe VLAN
#
Interface Ethernet1/0/1
Port link-type trunk # Configure port e1/0/1 as port trunk
Port trunk permit vlan 1 10 # enable the current trunk port to allow remote-probe VLAN packets to pass through
#
Interface Ethernet1/0/24
Port access vlan 10
Using ing-group 1 monitor-port # configure e1/0/24 as the destination port of the Remote Image
#
Grouping-group 1 remote-probe vlan 10 # configure VLAN 10 as the remote-probe VLAN of the remote destination image group
View and display the configuration of the remote target image group:
[SW1] dis grouping ing-group remote-destination
Grouping ing-group 1:
Type: remote-destination
Status: active
Monitor port: Ethernet1/0/24
Remote-probe vlan: 10
This article is from the "Network CTO" blog, please be sure to keep this source http://7392072.blog.51cto.com/7382072/1286148