Thursday, January 28, 2010

BCMSN - Switch Port Analyzer (SPAN) [CCNP]

SPAN: Description [Credits to ETts for this explanation]

Switched Port Analyzer (SPAN), sometimes called port mirroring or port monitoring, copies switch network traffic and forwards it out the SPAN port for analysis by a network analyzer. By enabling SPAN, you can monitor traffic on a switch port by forwarding incoming and outgoing traffic to another port for data collection and analysis. You can use a network analyzer on this monitor port to troubleshoot network problems by examining traffic on other ports or segments without taking the network out of service.

Suppose, for instance, that you want to examine traffic flowing in and out of a port, or within a virtual local-area network (VLAN). In a shared network, such as Ethernet, you would attach a network analyzer to an available port on the hub and your analyzer would listen to all traffic on the segment, as illustrated in the figure.


The analyzer decodes the frames and provides you with an analysis of the frame contents, such as the packets and other higher-layer protocol information.

In a switched network, however, this is not as simple as in a shared network. A switch does not transmit a frame out a port unless the bridge/switch table indicates that the frame's destination is on that port, or the frame needs to be flooded, such as during a spanning-tree update. This does not help when you want to see all the switch traffic, from all the VLANs. The SPAN switch feature enables you to attach an analyzer to a switch port and capture traffic from other ports in the switch, as illustrated in the figure below.


The SPAN port mirrors traffic from one or more source interfaces on any VLAN, or from one or more VLANs to a destination port for analysis. The network analyzer attaches to the SPAN port and examines the traffic as it passes through the switch. The network analyzer enables you to dig into the details of your network traffic. For SPAN configuration, the source interfaces and the destination interface must be on the same switch.

NOTE: SPAN does not affect the switching of network traffic on source interfaces; copies of the frames received or transmitted by the source interfaces are sent to the destination interface.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

SPAN: Configuration

Scenario: Port Fa0/1 is to be the destination port, monitoring the source ports Fa0/2 and Fa0/5 and the management interface (VLAN 1). Start by selecting interface Fa0/1 in configuration mode.

Step 1: Enter destination port

S4#conf t
S4(config)#int fa0/1
S4(config-if)#

Step 2: Enter the list of ports to be monitored:

S4(config-if)#port monitor fa0/2
S4(config-if)#port monitor fa0/5

With these commands, every packet that these two ports receive or transmit is also copied to port Fa0/1.

Step 3: Issue a variation of the port monitor command to configure monitoring for the administrative interface (that is, the VLAN interface of the VLAN to which the two ports above belong):

S4(config-if)#port monitor vlan 1

The vlan 1 keyword simply refers to the administrative interface of the switch. Note: Both of the above ports should belong to VLAN 1 for SPAN to work.

Note: This configuration applies to 2900XL/3500XL.

RSPAN: Description

RSPAN allows you to monitor source ports that are spread all over a switched network, not only locally on a switch with SPAN. This feature appears in CatOS 5.3 in the Catalyst 6500/6000 Series Switches and is added in the Catalyst 4500/4000 Series Switches in CatOS 6.3 and later.

The functionality works exactly like a regular SPAN session. The traffic that is monitored by SPAN is not directly copied to the destination port, but flooded into a special RSPAN VLAN. The destination port can then be located anywhere in this RSPAN VLAN. There can even be several destination ports.

This diagram illustrates the structure of an RSPAN session:


Full explanation available: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

RSPAN (Remote Switched Port Analyzer): Configuration

S4#conf t
S4(config)#vlan [#]
S4(config-vlan)#remote-span
S4(config-vlan)#exit
S4(config)#monitor session [#] source [interface, remote, vlan]
S4(config)#monitor session [#] destination remote [vlan #]

S2#conf t
S2(config)#vlan [#]
S2(config-vlan)#remote-span
S2(config-vlan)#exit
S2(config)#monitor session [#] source remote vlan [#]
S2(config)#monitor session [#] destination interface [#]

Show Command/s:

S2#show monitor [session] [#]
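
An added example, not part of the original post and not Cisco's own code: a Python check that inventories the monitor session lines of a saved running-config and flags RSPAN VLANs that lack remote-span and mirror destinations outside an approved list. The sample configs, VLAN 900, port Fa0/7 and the approved_ports parameter are constructed assumptions, and the 2900XL/3500XL port monitor syntax is not covered.

```python
import re
from collections import defaultdict

# Constructed running-config excerpts (not from the original page).
# VLAN 900 and the port names are assumed values.
S4_CONFIG = """\
vlan 900
 remote-span
!
monitor session 1 source interface Fa0/2 , Fa0/5 both
monitor session 1 destination remote vlan 900
"""
S2_CONFIG = """\
vlan 900
!
monitor session 1 source remote vlan 900
monitor session 1 destination interface Fa0/7
"""
MONITOR = re.compile(r"^monitor session (\d+) (source|destination) (.+)$")

def audit(config, approved_ports=frozenset()):
    """Return (sessions, findings) for one switch's running-config text."""
    sessions = defaultdict(lambda: {"source": [], "destination": []})
    rspan_vlans, current_vlan = set(), None
    for raw in config.splitlines():
        line = raw.rstrip()
        vlan = re.match(r"^vlan (\d+)$", line)
        if vlan:
            current_vlan = vlan.group(1)
        elif line.strip() == "remote-span" and current_vlan:
            rspan_vlans.add(current_vlan)      # VLAN is marked as an RSPAN VLAN
        elif not line.startswith(" "):
            current_vlan = None                # left the vlan sub-mode block
        mon = MONITOR.match(line)
        if mon:
            sessions[int(mon.group(1))][mon.group(2)].append(mon.group(3))
    findings = []
    for num, s in sorted(sessions.items()):
        if not s["source"] or not s["destination"]:
            findings.append(f"session {num}: missing source or destination")
        for spec in s["source"] + s["destination"]:
            rv = re.match(r"remote vlan (\d+)", spec)
            if rv and rv.group(1) not in rspan_vlans:
                findings.append(f"session {num}: VLAN {rv.group(1)} lacks remote-span")
        for spec in s["destination"]:
            port = re.match(r"interface (\S+)", spec)
            if port and port.group(1) not in approved_ports:
                findings.append(f"session {num}: mirror to unapproved port {port.group(1)}")
    return dict(sessions), findings
```

Calling audit(S2_CONFIG, approved_ports={"Fa0/1"}) reports both the VLAN 900 block without remote-span and the mirror destination Fa0/7, while audit(S4_CONFIG) returns no findings.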

Next stop... Inter-VLAN routing.
