|
|
This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 6000 family switches.
This chapter consists of these sections:
This section describes the concepts and terminology associated with SPAN and RSPAN configuration.
A SPAN session is an association of a destination port with a set of source ports, configured with parameters that specify the monitored network traffic. You can configure multiple SPAN sessions in a switched network. SPAN sessions do not interfere with the normal operation of the switches. You can enable or disable SPAN sessions with command-line interface (CLI) or SNMP commands. When enabled, a SPAN session might become active or inactive based on various events or actions, and this would be indicated by a syslog message. The "Status" field in the show span and show rspan commands displays the operational status of a SPAN or RSPAN session.
A SPAN or RSPAN destination session remains inactive after system power-up until the destination port is operational. An RSPAN source session remains inactive until any of the source ports are operational or the RSPAN VLAN becomes active.
A destination port (also called a monitor port) is a switch port where SPAN sends packets for analysis. Once a port becomes an active destination port, it does not forward any traffic except that required for the SPAN session. By default, an active destination port disables incoming traffic (from the network to the switching bus), unless you specifically enable the port. If incoming traffic is enabled for the destination port, it is switched in the native VLAN of the destination port. The destination port does not participate in spanning tree while the SPAN session is active. See the caution statement in the "Configuring SPAN from the CLI" section for information on how to prevent loops in your network topology.
Only one destination port is allowed per SPAN session, and the same port cannot be a destination port for multiple SPAN sessions. A switch port configured as a destination port cannot be configured as a source port. EtherChannel ports cannot be SPAN destination ports.
If the trunking mode of a SPAN destination port is "on" or "nonegotiate" during SPAN session configuration, the SPAN packets forwarded by the destination port will have the encapsulation as specified by the trunk type; however, the destination port will stop trunking, and the show trunk command will reflect the trunking status for the port prior to SPAN session configuration.
A source port is a switch port monitored for network traffic analysis. The traffic through the source ports can be categorized as ingress, egress, or both. You can monitor one or more source ports in a single SPAN session with user-specified traffic types (ingress, egress, or both) applicable for all the source ports.
You can configure source ports in any VLAN. You can configure VLANs as source ports (src_vlans), which means that all ports in the specified VLANs are source ports for the SPAN session.
Source ports are administrative (Admin Source) or operational (Oper Source) or both. Administrative source ports are the source ports or source VLANs specified during SPAN session configuration. Operational source ports are the source ports monitored by the destination port. For example, when source VLANs are used as the administrative source, the operational source is all the ports in all the specified VLANs.
The operational sources are always active ports. If a port is not in the spanning tree, it is not an operational source. All physical ports in an EtherChannel source are included in operational sources if the logical port is included in the spanning tree.
The destination port, if it belongs to any of the administrative source VLANs, is excluded from the operational source.
You can configure a port as a source port in multiple active SPAN sessions, but you cannot configure an active source port as a destination port for any SPAN session.
If a SPAN session is inactive, the "oper source" field will not be updated until the session becomes active.
Trunk ports can be configured as source ports, and can be mixed with nontrunk source ports; however, the encapsulation of the packets forwarded by the destination port are determined by the trunk settings of the destination port during SPAN session configuration.
Ingress SPAN copies network traffic received by the source ports for analysis at the destination port.
Egress SPAN copies network traffic transmitted from the source ports for analysis at the destination port.
VLAN-based SPAN (VSPAN) is analysis of the network traffic in one or more VLANs. You can configure VSPAN as ingress SPAN, egress SPAN, or both. All the ports in the source VLANs become operational source ports for the VSPAN session. The destination port, if it belongs to any of the administrative source VLANs, is excluded from the operational source. If you add or remove ports from the administrative source VLANs, the operational sources are modified accordingly.
Use the following guidelines for VSPAN sessions:
Trunk VLAN filtering is analysis of network traffic on a selected set of VLANs on trunk source ports. You can combine trunk VLAN filtering with other source ports that belong to any of the selected VLANs, and you can also use trunk VLAN filtering for RSPAN. Based on the traffic type (ingress, egress, or both), SPAN sends a copy of the network traffic in the selected VLANs to the destination port.
Use trunk VLAN filtering only with trunk source ports. If you combine trunk VLAN filtering with other source ports that belong to VLANs not included in the selected list of filter VLANs, SPAN includes only the ports that belong to one or more of the selected VLANs in the operational sources.
When a VLAN is cleared, it is removed from the VLAN filter list. A SPAN session is disabled if the VLAN filter list becomes empty.
Trunk VLAN filtering is not applicable to VSPAN sessions.
All network traffic, including multicast and bridge protocol data unit (BPDU) packets, can be monitored using SPAN (RSPAN does not support monitoring of BPDU packets). Multicast packet monitoring is enabled by default.
In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN destination port. For example, a bidirectional (both ingress and egress) SPAN session is configured for sources a1 and a2 to a destination port d1. If a packet enters the switch through a1 and gets switched to a2, both incoming and outgoing packets are sent to destination port d1; both packets would be the same (if a Layer-3 rewrite occurrs, the packets are different). Similarly, for RSPAN sessions with sources distributed in multiple switches, the destination ports might forward multiple copies of the same packet.
You can configure (and store in NVRAM) a maximum of 30 SPAN sessions in a Catalyst 6000 family switch; the maximum is 5 SPAN sessions in a Catalyst 5000 family switch. See Table 32-1 for the supported combinations of SPAN/RSPAN sessions. You can configure multiple ports or VLANs as sources for each session.
| SPAN/RSPAN Sessions | Catalyst 5000 Family Switches1 | Catalyst 6000 Family Switches2 |
|---|---|---|
rx or both SPAN sessions | 1 | 2 |
tx SPAN sessions | 4 | 4 |
tx, rx, or both RSPAN source sessions | - | 1 |
RSPAN destinations | - | 24 |
Total SPAN sessions | 53 | 304 |
This section consists of the following:
All Catalyst 6000 family switch supervisor engines support the SPAN feature.
SPAN selects network traffic for analysis by a network analyzer such as a SwitchProbe device or other Remote Monitoring (RMON) probe. SPAN mirrors traffic from one or more source ports on any VLAN, from one or more VLANs, or from the sc0 console interface to a destination port for analysis (see Figure 32-1). In Figure 32-1, all traffic on Ethernet port 5 (the source port) is mirrored to Ethernet port 10. A network analyzer on Ethernet port 10 receives all network traffic from Ethernet port 5 without being physically attached to it.
For SPAN configuration, the source ports and the destination port must be on the same switch.
SPAN does not affect the switching of network traffic on source ports; a copy of the packets received or transmitted by the source ports are sent to the destination port.
Follow these guidelines when configuring SPAN:
To configure SPAN, you specify the source, the destination port, the direction of the traffic through the source that you want to mirror to the destination port, and whether or not the destination port can receive packets.
To configure a SPAN port, perform this task in privileged mode:
| Task | Command |
|---|---|
Step 1 Configure the SPAN source and destination ports. | set span {src_mod/src_ports | src_vlans | sc0} {dest_mod/dest_port} [rx | tx | both] [inpkts {enable | disable}] [learning {enable | disable}] [multicast {enable | disable}] |
Step 2 Verify the SPAN configuration. | show span |
 | Caution If the SPAN destination port is connected to another device and you enable reception of incoming packets (using the inpkts enable keywords), the SPAN destination port receives traffic for whatever VLAN the SPAN destination port belongs to. However, the SPAN destination port does not participate in spanning tree for that VLAN. Use caution when using the inpkts keyword to avoid creating network loops with the SPAN destination port or assigning the SPAN destination port to an unused VLAN. |
This example shows how to configure SPAN so that both transmit and receive traffic from port 1/1 (the SPAN source) is mirrored on port 2/1 (the SPAN destination):
Console> (enable) set span 1/1 2/1 Destination : Port 2/1 Admin Source : Port 1/1 Oper Source : Port 1/1 Direction : transmit/receive Incoming Packets: disabled Learning : enabled Multicast : enabled Filter : -
This example shows how to set VLAN 522 as the SPAN source and port 2/1 as the SPAN destination:
Console> (enable) set span 522 2/1 Destination : Port 2/1 Admin Source : VLAN 522 Oper Source : Port 3/1-2 Direction : transmit/receive Incoming Packets: disabled Learning : enabled Multicast : enabled Filter : - Console> (enable)
This example shows how to set VLAN 522 as the SPAN source and port 2/12 as the SPAN destination. Only transmit traffic is monitored. Normal incoming packets on the SPAN destination port are allowed.
Console> (enable) set span 522 2/12 tx inpkts enable Destination : Port 2/12 Admin Source : VLAN 522 Oper Source : Port 2/1-2 Direction : transmit Incoming Packets: enabled Learning : enabled Multicast : enabled Filter : - Console> (enable)
This example shows how to set port 3/2 as the SPAN source and port 2/2 as the SPAN destination:
Console> (enable) set span 3/2 2/2 tx create Destination : Port 2/1 Admin Source : port 3/1 Oper Source : Port 3/1 Direction : transmit/receive Incoming Packets: disabled Destination : Port 2/2 Admin Source : port 3/2 Oper Source : Port 3/2 Direction : transmit Incoming Packets: disabled Learning : enabled Multicast : enabled Filter : - Console> (enable)
To disable SPAN, perform this task in privileged mode:
| Task | Command |
|---|---|
Disable SPAN on the switch. | set span disable [dest_mod/dest_port | all] |
This example shows how to disable SPAN on the switch:
Console> (enable) set span disable 2/1 Disabled monitoring of VLAN 522 transmit traffic by Port 2/1 Console> (enable)
This section consists of the following:
RSPAN supervisor engine requirements are as follows:
RSPAN has all the features of SPAN (see the "Understanding How SPAN Works" section), plus support for source ports and destination ports distributed across multiple switches, allowing remote monitoring of multiple switches across your network (see Figure 32-2).
The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches. The SPAN traffic from the sources, which cannot be in the RSPAN VLAN, is switched to the RSPAN VLAN and then forwarded to destination ports configured in the RSPAN VLAN. The traffic type for sources (ingress, egress, or both) in an RSPAN session can be different in different source switches, but is the same for all sources in each source switch for each RSPAN session. Do not configure any ports in an RSPAN VLAN except those selected to carry RSPAN traffic. Learning is disabled on the RSPAN VLAN.
Follow these guidelines when configuring RSPAN:
 | Tips As RSPAN VLANs have special properties, we recommend that you reserve a few VLANs across your network for use as RSPAN VLANs; do not assign access ports to these VLANs. |
| Tips An output access control list (ACL) can be applied to RSPAN traffic to selectively filter specific flows. Specify these ACLs on the RSPAN VLAN in the RSPAN source switches. |
The first step in configuring an RSPAN session is to select an RSPAN VLAN for the RSPAN session that does not exist in any of the switches that will participate in RSPAN. With VTP enabled in the network, you can create the RSPAN VLAN in one switch and VTP propagates it to the other switches in the VTP domain.
Use VTP pruning to get efficient flow of RSPAN traffic or manually delete the RSPAN VLAN from all trunks that do not need to carry the RSPAN traffic.
Once the RSPAN VLAN is created, you configure the source and destination switches using the set rspan command.
To configure RSPAN VLANs, perform this task in privileged mode:
| Task | Command |
|---|---|
Step 1 Configure RSPAN VLANs. | set vlan vlan_num [rspan] |
Step 2 Verify the RSPAN VLAN configuration. | show vlan |
This example shows how to set VLAN 500 as an RSPAN VLAN:
Console> (enable) set vlan 500 rspan vlan 500 configuration successful Console> (enable) Console> (enable) show vlan . display truncated . VLAN DynCreated RSPAN ---- ---------- -------- 1 static disabled 2 static disabled 3 static disabled 99 static disabled 500 static enabled Console> (enable)
To configure RSPAN source ports, perform this task in privileged mode:
| Task | Command |
|---|---|
Step 1 Configure RSPAN source ports. Use this command on each of the source switches participating in RSPAN. | set rspan source {mod/ports... | vlans... | sc0} {rspan_vlan} [rx | tx | both] [multicast {enable | disable}] [filter vlans...] [create] |
Step 2 Verify the RSPAN configuration. | show rspan |
This example shows how to specify ports 4/1 and 4/2 as ingress source ports for RSPAN VLAN 500:
Console> (enable) set rspan source 4/1-2 500 rx Rspan Type : Source Destination : - Rspan Vlan : 500 Admin Source : Port 4/1-2 Oper Source : None Direction : receive Incoming Packets: - Learning : - Multicast : enabled Filter : - Console> (enable)
To configure RSPAN source VLANs, perform this task in privileged mode:
| Task | Command |
|---|---|
Step 1 Configure RSPAN source VLANs. All the ports in the source VLAN become operational source ports. | set rspan source {mod/ports... | vlans... | sc0} {rspan_vlan} [rx | tx | both] [multicast {enable | disable}] [filter vlans...] [create] |
Step 2 Verify the RSPAN configuration. | show rspan |
This example shows how to specify VLAN 200 as a source VLAN for RSPAN VLAN 500 (selecting the rx option makes all ports in the VLAN ingress ports):
Console> (enable) set rspan source 200 500 rx Rspan Type : Source Destination : - Rspan Vlan : 500 Admin Source : VLAN 200 Oper Source : None Direction : receive Incoming Packets: - Learning : - Multicast : enabled Filter : - Console> (enable)
To configure RSPAN destination ports, perform this task in privileged mode:
| Task | Command |
|---|---|
Step 1 Configure RSPAN destination ports. Use this command on each of the destination switches participating in RSPAN. | set rspan destination {mod_num/port_num} {rspan_vlan} [inpkts {enable | disable}] [learning {enable | disable}] [create] |
Step 2 Verify the RSPAN configuration. | show rspan |
Console> (enable) set rspan destination 3/1 500 Rspan Type : Destination Destination : Port 3/1 Rspan Vlan : 500 Admin Source : - Oper Source : - Direction : - Incoming Packets: disabled Learning : enabled Multicast : - Filter : - Console> (enable)
To disable RSPAN, perform this task in privileged mode:
| Task | Command |
|---|---|
Disable RSPAN on the switch. | set rspan disable source [rspan_vlan | all] set rpsan disable destination [mod_num/port_num | all] |
This example shows how to disable all enabled source sessions:
Console> (enable) set rspan disable source all This command will disable all remote span source session(s). Do you want to continue (y/n) [n]? y Disabled monitoring of all source(s) on the switch for remote span. Console> (enable)
This example shows how to disable one source session by rspan_vlan number:
Console> (enable) set rspan disable source 903 Disabled monitoring of all source(s) on the switch for rspan_vlan 903. Console> (enable)
This example shows how to disable all enabled destination sessions:
Console> (enable) set rspan disable destination all This command will disable all remote span destination session(s). Do you want to continue (y/n) [n]? y Disabled monitoring of remote span traffic for all rspan destination ports. Console> (enable)
This example shows how to disable one destination session by mod_num/port_num:
Console> (enable) set rspan disable destination 4/1 Disabled monitoring of remote span traffic on port 4/1. Console> (enable)
The following sections describe typical RSPAN configurations.
This example shows how to configure a single RSPAN session. Figure 32-3 shows an RSPAN configuration; see Table 32-2 for the necessary commands to configure this RSPAN session. Table 32-2 assumes that you have already set up RSPAN VLAN 901 for this session on all the switches using the set vlan vlan_num rspan command. With VTP enabled in the network, you can create the RSPAN VLAN in one switch and VTP propagates it to the other switches in the VTP domain. Note that in the configuration example shown in Table 32-2, the RSPAN session may be disabled in Switch A or B or both without modifying the configuration in Switch C or Switch D.
| Switch | Ports | RSPAN VLAN | Direction | RSPAN CLI Commands |
|---|---|---|---|---|
A (source) | 4/1, 4/2 | 901 | Ingress | set rspan source 4/1-2 901 rx |
B (source) | 3/1, 3/2, 3/3 | 901 | Bidirectional | set rspan source 3/1-3 901 |
C (intermediate) | - | 901 | - | No RSPAN CLI command needed |
D (destination) | 1/2 | 901 | - | set rspan destination 1/2 901 |
This example shows how to modify an active RSPAN session. Use Figure 32-3 for reference; see Table 32-3 for the necessary commands to disable an RSPAN session and to add or remove source ports from an RSPAN session.
| Switch | Action | RSPAN CLI Commands |
|---|---|---|
A (source) | Disable the RSPAN session. | set rspan disable source 901 |
B (source) | Remove source port 3/2 from RSPAN session. | set rspan source 3/1, 3/3 901 |
B (source) | Add back source port 3/2 to RSPAN session. | set rspan source 3/1-3 901 |
This example shows how to add RSPAN source ports in intermediate switches. Figure 32-4 shows an RSPAN configuration; see Table 32-4 for the necessary commands to configure this RSPAN session. Ports 2/1-2 in Switch C can be configured for the same RSPAN session.
| Switch | Ports | RSPAN VLAN | Direction | RSPAN CLI Commands |
|---|---|---|---|---|
A (source) | 4/1, 4/2 | 901 | Ingress | set rspan source 4/1-2 901 rx |
B (source) | 3/1, 3/2, 3/3 | 901 | Bidirectional | set rspan source 3/1-3 901 |
C (intermediate) | - | 901 | - | No RSPAN CLI command needed |
C (source) | 2/1, 2/2 | 901 | Bidirectional | set rspan source 2/1-2 901 |
D (destination) | 1/2 | 901 | - | set rspan destination 1/2 901 |
This example shows how to configure multiple RSPAN sessions. Figure 32-5 shows an RSPAN configuration; see Table 32-5 for the necessary configuration commands to configure this RSPAN session. This is a typical scenario where the monitoring probes would be placed in the data center and source ports in the access switches (other ports in any of the switches can also be configured for RSPAN). If there is no change in the route for SPAN traffic, the destination switch and the intermediate switches need to be configured only once.
In Figure 32-5, two RSPAN sessions are used with RSPAN VLANs 901 (for probe 1) and 902 (for probe 2). The direction of traffic over trunks T1 through T6 is shown only for understanding; the direction of the trunks depends on the STP states of the respective trunks for the RSPAN VLAN(s). You need to configure the RSPAN VLANs in each of the switches for the respective RSPAN sessions. With VTP enabled in the network, you can create the RSPAN VLAN in one switch and VTP propagates it to the other switches in that VTP domain. With VTP disabled, create the RSPAN VLANs in each switch.
| Switch | Port | RSPAN VLAN(s) | Direction | RSPAN CLI Commands |
|---|---|---|---|---|
A (destination) | 2/1 | 901 | - | set rspan destination 2/1 901 |
A (destination) | 2/2 | 902 | - | set rspan destination 2/2 902 |
B (intermediate) | - | 901, 902 | - | No RSPAN CLI command needed |
C (intermediate) | - | 901, 902 | - | No RSPAN CLI command needed |
D (source) | 2/1-2 | 901 | Ingress | set rspan source 2/1-2 901 rx |
E (source) | 3/1-2 | 901 | Egress | set rspan source 3/1-2 901 tx |
F (source) | 4/1-3 | 901 | Both | set rspan source 4/1-3 902 |
You can attach multiple network analyzers (probes) to the same RSPAN session. For example, in Figure 32-6, you can add probe 3 in Switch B to monitor RSPAN VLAN 901 using the set rspan destination 1/2 901 command. Similarly, you could add source ports to Switch C.
Posted: Mon Aug 28 09:17:46 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.