Network management experience: vswitch Port Analyzer

Working principle of Switch Port Analyzer SPAN)

SwitchedPortAnalyzer is mainly used to provide network data flow for a network analyzer.

It can mirror data from several source ports in a VLAN to a monitoring port, or mirror data from several VLANs to a control port. All data streams flowing from Port 5 on the source port are mirrored to port 10, and the data analysis device receives all data streams from Port 5 through the monitoring port.

It is worth noting that the source port and Image Port must be on the same server.VswitchAnd SPAN does not affect data exchange on the source port. It only sends copies of data packets sent or received from the source port to the monitoring port.

During a SPAN task, you can use Parameter Control to specify the types of data streams to be monitored. You can also use one or more ports, ports, and one or more VLANs as the source ports, send or receive one-way or two-way data streams from these ports to the monitoring port.

In the ipvst4006 switch, you can configure up to six one-way SPAN tasks: two input data stream monitors and four output data stream monitors. A bidirectional SPAN task actually contains one unidirectional input and one unidirectional output. Besides, the L2 Switch Port can be used as the source port, and the L3 routing port on ipvst4006 can also be set as the source port.

The SPAN task does not affect the normal operation of the switch. After a SPAN task is created, the task is in the active or inactive status based on the status or operation of the switch, and the system logs the task. The "showmonitorsession" command can be used to display the current status of a SPAN.

If the system restarts, the SPAN task is inactive before the initialization of the target port. The destination port (Monitoring Port) can be any exchange or routing port on the switch. When a destination port is activated, any data packets sent to this port that are not related to the SPAN task will be discarded.

A destination port can only be in one SPAN task. When a port is configured as a destination port, it cannot be the source port, and the redundant link port cannot be the destination port of the SPAN. In particular, if a Trunk port is configured as the target port of the Switch Port Analyzer, its Trunk function will also be automatically stopped.

The source port can also be called the monitored port. In a SPAN task, one or more source ports can be configured as the input direction, output direction, or bidirectional mode, in a SPAN task, all source ports must be monitored in the same direction.

The vlan on the ipvst4006 switch can also be set as the source port, which means that all ports in the specified VLAN are the source port in the current SPAN task.

The Trunk port can be set as the source port separately or together with the non-Trunk port, but note that, the monitoring port does not recognize the data Encapsulation Format from the Trunk port for different VLANs. In other words, the packets received on the monitoring port cannot identify the VLAN from.

Classification and configuration of SPAN data streams

The VLAN-based switch port analyzer uses one or more VLANs as the monitoring object. All ports in the analyzer are source ports, which are similar to the port-based SPAN, VLAN-based SPAN is also divided into three types: input data stream, output data stream, and bidirectional data stream monitoring. As follows:

(1) IngressSPAN: the data stream received by the source port and sent to the monitoring port;

(2) output data stream (EgressSPAN): refers to the data stream sent from the source port, and its data copy is sent to the monitoring port;

(3) Two-way data stream (BothSPAN): This is a combination of the above two types.

Note the following points when configuring a VLAN-based SPAN task:

(1) The Trunk port can be included in the source port;

(2) for two-way SPAN tasks, if there is data exchange between the two source ports in the source VLAN, two copies of each data packet will be forwarded to the mirror port;

(3) For SPAN tasks with multiple source VLANs, if a source VLAN is deleted, the VLAN will also be deleted from the source VLAN list;

(4) a vlan in the inactive status cannot participate in the SPAN task;

(5) For a source VLAN that is set as an input data stream monitoring, route information packets from other VLANs are not mirrored. In addition, route information packets sent from VLANs configured as output data flow monitoring to other VLANs are also not mirrored. In other words, a VLAN-based SPAN task only mirrors packets that enter and exit the L2 Switch Port, without mirroring the routing information between VLANs. All non-route data packets transmitted between networks, including multicast packets and BPDU (Bridge Protocol Data Unit) packets, can be mirrored using SPAN tasks.

In some task configurations, the Switch Port Analyzer sends multiple copies of the same SPAN source port data packet to the SPAN monitoring port. As mentioned above, in a two-way SPAN task, assume a1 and a2 are the source port, d1 is the destination port, and if there is data packet transmission between a1 and a2, data Packets transmitted from a1 to a2 are sent to d1 twice, and vice versa.