Vswitch span technology Overview + Cisco configuration example

Source: Internet
Author: User


1. Introduction to SPAN

SPAN (Switched Port Analyzer) is used to monitor traffic on a switch. It comes in two forms, local SPAN and remote SPAN (RSPAN), which differ slightly in how they are implemented.

With SPAN, the traffic of one or more switch ports that you want to watch (the source or monitored ports, called "controlled ports" below) is copied, or mirrored, and sent out of a monitoring port to an attached traffic analyzer such as a Cisco IDS sensor or a PC. The monitored ports and the monitoring port can be on the same switch (local SPAN) or on different switches (remote SPAN).

2. Glossary

SPAN session
A SPAN session is the association between a group of monitored ports and a monitoring port. One session can monitor the traffic of several ports or a single port at the same time, or the traffic of all ports in one or more VLANs. You can configure SPAN on a port that is shut down; the session is then inactive, but it becomes active as soon as the interface is brought up.
The bandwidth of the monitoring port should be greater than or equal to that of the monitored ports; otherwise packets may be dropped.

SPAN traffic
Local SPAN can monitor all network traffic, including multicast, Bridge Protocol Data Units (BPDU) and CDP, VTP, DTP, STP, PAgP and LACP packets. RSPAN cannot monitor Layer 2 protocol traffic.

Traffic types
Three types of traffic can be monitored: receive (RX) SPAN monitors the traffic received by the monitored port, transmit (TX) SPAN monitors the traffic sent by the monitored port, and both monitors the traffic received and sent by the monitored port.

Source port (the monitored port, that is, the controlled port)
A monitored port can be a physical port, a VLAN or an EtherChannel port group. Physical ports can belong to different VLANs. If the monitored port is a VLAN, all physical ports in that VLAN are monitored; if it is an EtherChannel, all physical ports in the channel are monitored. If the monitored port is a trunk port, the traffic of all VLANs on the trunk is monitored; you can use the filter VLAN parameter to monitor only the traffic of the VLANs you specify.

Destination port (the monitoring port)
The monitoring port must be a single physical port, and a port can be the monitoring port of only one SPAN session at a time. The port does not take part in Layer 2 protocols such as:
Cisco Discovery Protocol (CDP),
VLAN Trunking Protocol (VTP),
Dynamic Trunking Protocol (DTP),
Spanning Tree Protocol (STP),
Port Aggregation Protocol (PAgP),
Link Aggregation Control Protocol (LACP).
By default the monitoring port forwards nothing except the SPAN session traffic. You can set the ingress parameter to enable Layer 2 forwarding on the monitoring port. For example, a Cisco IDS sensor not only receives the SPAN session traffic but also has to communicate with other devices on the network, so Layer 2 forwarding has to be enabled on its monitoring port.

Reflector port
The reflector port is used only in RSPAN and is located on the same switch as the RSPAN source ports. It forwards the traffic of the local monitored ports to the remote monitoring port on another switch. The reflector port must be a single physical port, and it does not belong to any VLAN (it is invisible to all VLANs).
RSPAN also uses a dedicated VLAN to carry the mirrored traffic. The reflector port sends the traffic onto this dedicated VLAN, which carries it across the trunk ports to the other switch; the remote switch then delivers the traffic from this VLAN to the analyzer on its monitoring port.
When creating the RSPAN VLAN, all switches taking part in RSPAN should be in the same VTP domain, and VLAN 1 and VLANs 1002-1005, which are reserved for Token Ring and FDDI, cannot be used. If the RSPAN VLAN is a normal-range VLAN (2 and above), you only need to create it on the VTP server and the other switches learn it automatically; if it is an extended-range VLAN, you have to create the dedicated VLAN on every switch.
The bandwidth of the reflector port should be greater than or equal to that of the monitored ports; otherwise packets may be dropped.

VLAN-based SPAN
A VLAN-based SPAN (VSPAN) session can only monitor the traffic received by all active ports in the VLAN (RX traffic only). If the monitoring port itself belongs to that VLAN, it is excluded from monitoring. VSPAN only monitors traffic that enters the switch, not traffic that is routed between VLANs: for example, if a VLAN is being RX-monitored and the multilayer switch routes traffic from another VLAN into the monitored VLAN, that routed traffic is not monitored and does not appear on the SPAN destination port.

3. Interoperability of SPAN and RSPAN with other features

Routing: ingress SPAN does not monitor traffic routed between VLANs. VSPAN only monitors traffic that enters the switch, not traffic that is routed between VLANs. For example, if a VLAN is being RX-monitored and the multilayer switch routes traffic from another VLAN to the monitored VLAN, that traffic is not monitored and is not received on the SPAN destination port;

STP: the monitoring port and the reflector port do not take part in STP, and SPAN has no effect on STP on the monitored ports;

CDP: the monitoring port does not take part in CDP;

VTP: the RSPAN VLAN can be pruned by VTP;

VLAN and trunking: you can change the VLAN and trunk settings of monitored ports, monitoring ports and reflector ports; changes on a monitored port take effect immediately, while changes on the monitoring port and the reflector port take effect only after the port is removed from the SPAN session;

EtherChannel: an entire EtherChannel group can be used as a monitored port. If a physical port that belongs to an EtherChannel group is configured as a monitored port, monitoring port or reflector port, it is automatically removed from the EtherChannel group; when its SPAN configuration is deleted, it automatically rejoins the original EtherChannel group;

QoS: because of QoS policies, the traffic received on the monitoring port may differ from the actual traffic on the monitored port, for example the DSCP value may have been modified;

Multicast: SPAN can monitor multicast traffic;

Port security: a secure port cannot be used as a monitoring port;

802.1X: 802.1X can be configured on monitored ports, monitoring ports and reflector ports, with some restrictions.

4. SPAN and RSPAN configuration examples

SPAN restrictions and default settings
A Catalyst 3550 switch supports at most two SPAN sessions. No SPAN session exists by default. When a session is configured without a traffic-direction keyword, both inbound and outbound traffic of the first interface configured as a monitored port is monitored, while monitored ports added afterwards are monitored for received traffic only. The default encapsulation on the monitoring port is native, that is, frames carry no VLAN tag.

1. Configuring local SPAN

Switch(config)# no monitor session 1
// first clear any SPAN settings that may already exist
Switch(config)# monitor session 1 source interface fastethernet0/10
// set the monitored (source) port of the SPAN session
Switch(config)# monitor session 1 destination interface fastethernet0/20
// set the monitoring (destination) port of the SPAN session

Switch# sh mon
Session 1
---------
Type: Local Session
Source Ports:
    Both: Fa0/10          // note that this is Both
Destination Ports: Fa0/20
    Encapsulation: Native
    Ingress: Disabled

Switch(config)# monitor session 1 source interface fastethernet0/11-13
// add monitored ports to the SPAN session

Switch# sh mon
Session 1
---------
Type: Local Session
Source Ports:
    RX Only: Fa0/11-13    // note that this is RX Only
    Both: Fa0/10          // note that this is Both
Destination Ports: Fa0/20
    Encapsulation: Native
    Ingress: Disabled

Switch(config)# monitor session 1 destination interface fastethernet0/20 ingress vlan 5
// set the monitoring port of the SPAN session and enable Layer 2 forwarding on it

Switch# sh mon
Session 1
---------
Type: Local Session
Source Ports:
    RX Only: Fa0/11-13
    Both: Fa0/10
Destination Ports: Fa0/20
    Encapsulation: Native
    Ingress: Enabled, default VLAN = 5    // normal traffic is now allowed on the port
    Ingress encapsulation: Native

2. VLAN-based SPAN

Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source vlan 101-102 rx
Switch(config)# monitor session 2 destination interface fastethernet0/30
Switch# sh mon ses 2
Session 2
---------
Type: Local Session
Source VLANs:
    RX Only: 101-102      // note that this is RX Only
Destination Ports: Fa0/30
    Encapsulation: Native
    Ingress: Disabled

Switch(config)# monitor session 2 source vlan 201-202 rx
Switch# sh mo se 2
Session 2
---------
Type: Local Session
Source VLANs:
    RX Only: 101-102,201-202    // note that 201-202 has been added
Destination Ports: Fa0/30
    Encapsulation: Native
    Ingress: Disabled

3. Specifying VLANs to filter

Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source interface fastethernet0/48 rx
Switch(config)# monitor session 2 filter vlan 100-102
// specify the range of VLANs to monitor on the trunk
Switch(config)# monitor session 2 destination interface fastethernet0/30

Switch# sh mon ses 2
Session 2
---------
Type: Local Session
Source Ports:
    Both: Fa0/48
Destination Ports: Fa0/30
    Encapsulation: Native
    Ingress: Disabled
Filter VLANs: 100-102    // only traffic of VLANs 100-102 is monitored
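The transcripts above show what `show monitor` reports after each step. The following Python script, an added example that is not part of the original article, parses that output and checks it against the rules from the glossary: a port may be the destination of only one session, VLAN-based sources are RX only, a port may not be both source and destination, and destinations with ingress enabled (which forward Layer 2 traffic) are flagged, as is a destination fed by more monitored port-directions than one link can carry. The sample output is constructed from the article's sessions 1 and 2; the field handling, the audit codes and the oversubscription heuristic are assumptions of this example.

```python
"""Parse Cisco IOS 'show monitor session' output and audit the SPAN sessions
it describes. Added example, not code from the original article: the parser
and the audit rules are this example's own, and the sample output is
constructed from the transcripts shown above."""
import re
from dataclasses import dataclass, field

# Constructed sample output: the two local sessions from the article's transcripts.
SAMPLE_SHOW_MONITOR = """\
Session 1
---------
Type                   : Local Session
Source Ports           :
    RX Only            : Fa0/11-13
    Both               : Fa0/10
Destination Ports      : Fa0/20
    Encapsulation      : Native
          Ingress      : Enabled, default VLAN = 5
    Ingress encapsulation : Native

Session 2
---------
Type                   : Local Session
Source VLANs           :
    RX Only            : 101-102,201-202
Destination Ports      : Fa0/30
    Encapsulation      : Native
          Ingress      : Disabled
"""

SESSION_RE = re.compile(r"^Session (\d+)$")
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*)$")


@dataclass
class SpanSession:
    number: int
    kind: str = ""                 # e.g. "Local Session", "Remote Source Session"
    source_type: str = ""          # "ports" or "vlans"
    sources: dict = field(default_factory=dict)   # "rx" | "tx" | "both" -> list
    destinations: list = field(default_factory=list)
    ingress: bool = False          # destination also forwards Layer 2 traffic
    ingress_vlan: int = None
    filter_vlans: str = ""


def expand_range(item):
    """'Fa0/11-13' -> ['Fa0/11', 'Fa0/12', 'Fa0/13']; '101-102' -> ['101', '102']."""
    m = re.fullmatch(r"(.*?)(\d+)-(\d+)", item)
    if not m:
        return [item]
    prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
    return [f"{prefix}{n}" for n in range(lo, hi + 1)]


def split_list(value):
    return [p for item in value.split(",") if item.strip() for p in expand_range(item.strip())]


def parse_show_monitor(text):
    sessions, cur, in_sources = [], None, False
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            cur = SpanSession(number=int(m.group(1)))
            sessions.append(cur)
            in_sources = False
            continue
        m = FIELD_RE.match(line) if cur else None
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "type":
            cur.kind = value
        elif key in ("source ports", "source vlans"):
            cur.source_type, in_sources = key.split()[1], True
        elif key in ("rx only", "tx only", "both") and in_sources:
            cur.sources[key.split()[0]] = split_list(value)
        elif key == "destination ports":
            cur.destinations, in_sources = split_list(value), False
        elif key == "ingress":
            cur.ingress = value.lower().startswith("enabled")
            vm = re.search(r"VLAN\s*=\s*(\d+)", value)
            cur.ingress_vlan = int(vm.group(1)) if vm else None
        elif key == "filter vlans":
            cur.filter_vlans = value
    return sessions


def audit(sessions):
    """Return (session, code, detail) findings derived from the glossary's rules."""
    findings, seen_dest = [], {}
    for s in sessions:
        for d in s.destinations:
            if d in seen_dest:
                findings.append((s.number, "dest_reuse",
                                 f"{d} is already the destination of session {seen_dest[d]}"))
            seen_dest[d] = s.number
        if s.ingress:
            findings.append((s.number, "ingress_enabled",
                             f"destination {s.destinations} forwards Layer 2 traffic on VLAN {s.ingress_vlan}"))
        if s.source_type == "vlans" and set(s.sources) - {"rx"}:
            findings.append((s.number, "vlan_source_direction",
                             "VLAN-based SPAN monitors received traffic only"))
        if s.source_type == "ports":
            overlap = {p for lst in s.sources.values() for p in lst} & set(s.destinations)
            if overlap:
                findings.append((s.number, "source_is_destination", f"{sorted(overlap)}"))
            # Heuristic: every mirrored port-direction can saturate the single destination link.
            load = sum(len(v) * (2 if d == "both" else 1) for d, v in s.sources.items())
            if load > 1:
                findings.append((s.number, "oversubscription",
                                 f"{load} port-directions mirrored into {len(s.destinations)} destination port(s)"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_show_monitor(SAMPLE_SHOW_MONITOR)):
        print("session %d: %s: %s" % f)
```

Run against the sample, session 1 is reported twice: once because ingress is enabled on Fa0/20 (the analyzer port is now a normal Layer 2 participant on VLAN 5, which is what section 1 deliberately configures), and once because five port-directions are mirrored into a single 100 Mbit/s port, the packet-loss case the glossary warns about. Session 2 passes, since its VLAN sources are RX only as VSPAN requires.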

4. Configuring RSPAN

RSPAN sessions are divided into RSPAN source sessions and RSPAN destination sessions, and the corresponding configuration has to be done on the source switch and on the destination switch of the session.

4.1 Configure the dedicated RSPAN VLAN
Switch(config)# vlan 800
Switch(config-vlan)# remote-span
Switch(config-vlan)# end

SW1# sh vl id 800

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
800  VLAN0800                         active    Fa0/47, Fa0/48

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
800  enet  100800     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Enabled          // note this line

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

4.2 Configure the RSPAN source session

Switch(config)# no monitor session 1
Switch(config)# monitor session 1 source interface fastethernet0/10-13
Switch(config)# monitor session 1 source interface fastethernet0/15 rx
Switch(config)# monitor session 1 destination remote vlan 800 reflector-port fastethernet0/20

SW1# sh mo se 1
Session 1
---------
Type: Remote Source Session
Source Ports:
    RX Only: Fa0/11-13, Fa0/15
    Both: Fa0/10
Reflector Port: Fa0/20
Dest RSPAN VLAN: 800

4.3 Configure the RSPAN destination session

Switch(config)# monitor session 1 source remote vlan 800
Switch(config)# monitor session 1 destination interface fastethernet0/30
Switch(config)# end

SW2# sh mo se 1
Session 1
---------
Type: Remote Destination Session
Source RSPAN VLAN: 800
Destination Ports: Fa0/30
    Encapsulation: Native
    Ingress: Disabled

VLAN-based RSPAN is configured in the same way as above, except that a whole VLAN is the monitored source. Enabling Layer 2 forwarding on the monitoring port and specifying VLANs to filter work the same way as for local SPAN, so they are not shown again here; see the Cisco documentation for details.

5. SPAN configuration on Catalyst 4000/4500 series switches (CatOS)

Configuring SPAN
The commands are:
set span {src_mod/src_ports | src_vlan | sc0} dest_mod/dest_port [rx | tx | both]
    [inpkts {enable | disable}] [learning {enable | disable}]
    [multicast {enable | disable}] [create]
The create keyword of set span is used to create multiple SPAN sessions.
show span
set span disable [dest_mod/dest_port | all]

Example:
This example shows how to configure SPAN so that both the transmit and receive traffic of port 2/4 (the SPAN source) is mirrored to port 3/6 (the SPAN destination):

Console> (enable) set span 2/4 3/6
Overwrote Port 3/6 to monitor transmit/receive traffic of Port 2/4
Incoming Packets disabled. Learning enabled.

Console> (enable) show span
Destination     : Port 3/6
Admin Source    : Port 2/4
Oper Source     : None
Direction       : transmit/receive
Incoming Packets: disabled
Learning        : enabled
Filter          : -
Status          : active
----------------------------------------------
Total local span sessions: 1
Console> (enable)

This example shows how to set VLAN 522 as the SPAN source and port 2/1 as the SPAN destination:

Console> (enable) set span 522 2/1
Overwrote Port 2/1 to monitor transmit/receive traffic of VLAN 522
Incoming Packets disabled. Learning enabled.
Console> (enable) show span
Destination     : Port 2/1
Admin Source    : VLAN 522
Oper Source     : Port 2/1-2
Direction       : transmit/receive
Incoming Packets: disabled
Learning        : enabled
Filter          : -
Status          : active
----------------------------------------------
Total local span sessions: 1
Console> (enable)

Configuring RSPAN
The commands are:
set vlan vlan_num [rspan]
show vlan
set rspan source {mod/ports... | vlans...} {rspan_vlan} reflector mod/port [rx | tx | both]
    [filter vlans...] [create]
set rspan destination {mod_num/port_num} {rspan_vlan} [inpkts {enable | disable}]
    [learning {enable | disable}] [create]
show rspan
set rspan disable source [rspan_vlan | all]
set rspan disable destination [mod_num/port_num | all]
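The IOS examples in sections 1 to 4 and the CatOS syntax in this section describe the same sessions in two command languages, and the glossary states the constraints every session has to satisfy. The Python script below, an added example that is not code from the article or from Cisco, turns a declarative description of a session into the IOS commands (local SPAN, RSPAN source and RSPAN destination) or the CatOS `set span` line, and refuses the description when it breaks one of the article's rules: a reserved VLAN (1, 1002-1005) as the RSPAN VLAN, a non-physical destination or reflector port, a port that is both source and destination, more than two sessions on one switch, or one port as the destination of two sessions. The data model, check names, the `rejects` helper and the port-name patterns are assumptions of this example; the command strings follow the transcripts above.

```python
"""Generate Cisco SPAN / RSPAN commands from a declarative session description,
checking the constraints the article lists before any command is emitted.
Added example, not code from the article or from Cisco: the data model, checks
and helper names are this example's own; the command syntax follows the IOS
(Catalyst 3550) and CatOS (Catalyst 4000/4500) transcripts in the article."""
import re

RESERVED_VLANS = {1, 1002, 1003, 1004, 1005}   # Token Ring / FDDI defaults: not usable as RSPAN VLAN
MAX_SESSIONS = 2                               # Catalyst 3550 limit stated in the article
DIRECTIONS = ("rx", "tx", "both")

IOS_PORT = re.compile(r"(?i)(Fa|Gi|Te)\d+(/\d+)+(-\d+)?")   # Fa0/10, Gi1/0/1-3 (ranges allowed)
CATOS_PORT = re.compile(r"\d+/\d+(-\d+)?")                   # 2/4, 3/6-8


def check_port(name, platform, what):
    """Destination and reflector ports must be physical ports, never a VLAN or port-channel."""
    pattern = IOS_PORT if platform == "ios" else CATOS_PORT
    if not pattern.fullmatch(name):
        raise ValueError(f"{what} must be a physical port ({platform}), got {name!r}")


def check_rspan_vlan(vlan):
    if vlan in RESERVED_VLANS:
        raise ValueError(f"VLAN {vlan} is reserved and cannot be the RSPAN VLAN")


def check_sources(sources, destination, platform):
    if not sources:
        raise ValueError("a session needs at least one source")
    for port, direction in sources:
        check_port(port, platform, "source")
        if direction not in DIRECTIONS:
            raise ValueError(f"direction must be one of {DIRECTIONS}, got {direction!r}")
        if port == destination:
            raise ValueError(f"{port} cannot be both a source and the destination/reflector")


def ios_local_span(session, sources, destination, ingress_vlan=None, filter_vlans=None):
    """sources: list of (port-or-range, direction). Returns the IOS command lines."""
    check_port(destination, "ios", "destination")
    check_sources(sources, destination, "ios")
    cmds = [f"no monitor session {session}"]                    # clear any existing session first
    cmds += [f"monitor session {session} source interface {p} {d}" for p, d in sources]
    if filter_vlans:                                              # trunk source: only these VLANs
        cmds.append(f"monitor session {session} filter vlan {filter_vlans}")
    dest = f"monitor session {session} destination interface {destination}"
    if ingress_vlan is not None:    # only when the analyzer itself must talk on the network
        dest += f" ingress vlan {ingress_vlan}"
    return cmds + [dest]


def ios_rspan_source(session, sources, rspan_vlan, reflector):
    check_rspan_vlan(rspan_vlan)
    check_port(reflector, "ios", "reflector port")
    check_sources(sources, reflector, "ios")
    return ([f"vlan {rspan_vlan}", " remote-span", " exit", f"no monitor session {session}"]
            + [f"monitor session {session} source interface {p} {d}" for p, d in sources]
            + [f"monitor session {session} destination remote vlan {rspan_vlan} "
               f"reflector-port {reflector}"])


def ios_rspan_destination(session, rspan_vlan, destination):
    check_rspan_vlan(rspan_vlan)
    check_port(destination, "ios", "destination")
    return [f"vlan {rspan_vlan}", " remote-span", " exit", f"no monitor session {session}",
            f"monitor session {session} source remote vlan {rspan_vlan}",
            f"monitor session {session} destination interface {destination}"]


def catos_local_span(source, destination, direction="both", inpkts=False):
    """CatOS form of the same session; inpkts corresponds to the IOS ingress option."""
    check_port(destination, "catos", "destination")
    check_sources([(source, direction)], destination, "catos")
    state = "enable" if inpkts else "disable"
    return [f"set span {source} {destination} {direction} inpkts {state}"]


def switch_config(sessions):
    """sessions: list of (builder, kwargs) for one switch. Enforces the session
    limit and the rule that a port is the destination/reflector of one session only."""
    if len(sessions) > MAX_SESSIONS:
        raise ValueError(f"at most {MAX_SESSIONS} SPAN sessions per switch")
    ports = [kw.get("destination") or kw.get("reflector") for _, kw in sessions]
    if len(set(ports)) != len(ports):
        raise ValueError(f"destination/reflector ports reused: {ports}")
    return [line for builder, kw in sessions for line in builder(**kw)]


def rejects(builder, **kw):
    """True if the builder refuses the description (used to show the checks firing)."""
    try:
        builder(**kw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("\n".join(switch_config([
        (ios_local_span, dict(session=1, sources=[("Fa0/10", "both"), ("Fa0/11-13", "rx")],
                              destination="Fa0/20", ingress_vlan=5)),
        (ios_local_span, dict(session=2, sources=[("Fa0/48", "rx")],
                              destination="Fa0/30", filter_vlans="100-102")),
    ])))
```

Each source carries an explicit direction, so the reader is not caught by the default described at the top of section 4 (first port both, later ports RX only). The `ingress_vlan` argument is deliberately opt-in: leaving it unset keeps the monitoring port a pure receiver, which is the safer default unless the analyzer really has to send traffic.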

