Switched Port ANalyzer (SPAN)
- Monitors all traffic, including multicast and BPDUs.
- 2 local SPAN source sessions.
- 128 sources per session.
- 64 destinations per session.
Switch(config)#monitor session 1 type localSwitch(config-mon-local)#description SPAN sessionSwitch(config-mon-local)#source interface gi1/1-4 bothSwitch(config-mon-local)#destination interface gi2/1Switch(config-mon-local)#no shut
Switch(config)#monitor session 1 source interface gi1/1-4 bothSwitch(config)#monitor session 1 destination interface gi2/1
Remote SPAN (RSPAN)
- Uses a Layer 2 VLAN to carry SPAN traffic between switches.
- Does not monitor BPDUs.
- 2 RSPAN source sessions.
- 64 RSPAN destination sessions.
- 128 sources per session and 1 RSPAN VLAN.
- 64 destinations per session.
- Any network device that supports RSPAN VLANs can be an RSPAN intermediate device.
- MAC address learning is disabled in the RSPAN VLAN.
Switch1(config)#monitor session 1 type rspan-sourceSwitch1(config-mon-rspan-src)#description RSPAN session - sourceSwitch1(config-mon-rspan-src)#source interface gi1/1-4 bothSwitch1(config-mon-rspan-src)#destination remote vlan 666Switch1(config-mon-rspan-src)#no shutSwitch2(config)#monitor session 1 type rspan-destinationSwitch2(config-mon-rspan-dst)#description RSPAN session - destinationSwitch2(config-mon-rspan-dst)#source remote vlan 666Switch2(config-mon-rspan-dst)#destination interface gi2/1Switch2(config-mon-rspan-dst)#no shut
Switch1(config)#monitor session 1 source interface gi1/1-4 bothSwitch1(config)#monitor session 1 destination remote vlan 666Switch2(config)#monitor session 1 source remote vlan 666Switch2(config)#monitor session 1 destination interface gi2/1
Encapsulated RSPAN (ERSPAN)
- Uses a GRE tunnel to carry traffic between switches.
- Adds 50 byte header.
- DF bit is set to prevent fragmentation.
- ERSPAN ID differentiates from various different ERSPAN source sessions.
- Monitors all traffic, including multicast and BPDUs.
- 2 ERSPAN source sessions.
- 24 ERSPAN destination sessions.
- 128 sources per session and 1 IP address.
- 64 destinations per session.
Switch1(config)#monitor session 1 type erspan-sourceSwitch1(config-mon-erspan-src)#description ERSPAN session - sourceSwitch1(config-mon-erspan-src)#source interface gi1/1-4 bothSwitch1(config-mon-erspan-src)#destinationSwitch1(config-mon-erspan-src-dst)#ip address 10.2.2.2Switch1(config-mon-erspan-src-dst)#erspan-id 111Switch1(config-mon-erspan-src-dst)#origin ip address 10.1.1.1Switch1(config-mon-erspan-src-dst)#ip ttl 5Switch1(config-mon-erspan-src)#no shutSwitch2(config)#monitor session 1 type erspan-destinationSwitch2(config-mon-erspan-dst)#description ERSPAN session - destinationSwitch2(config-mon-erspan-dst)#sourceSwitch2(config-mon-erspan-dst-src)#ip address 10.2.2.2Switch2(config-mon-erspan-dst-src)#erspan-id 111Switch2(config-mon-erspan-dst)#destination interface gi2/1Switch2(config-mon-erspan-dst)#no shut
Source trunk VLAN filtering
Switch(config)# monitor session 1 filter vlan 1-5,10Destination trunk VLAN filtering
Switch(config)#interface gi2/1Switch(config-if)#switchportSwitch(config-if)#switchport encapsulation dot1qSwitch(config-if)#switchport mode trunkSwitch(config-if)#switchport trunk allowed vlan 10
Destination port permit lists
Switch(config)#monitor permit-listSwitch(config)#monitor permit-list destination interface gi2/2-4Switch#show monitor permit-list
Notes
- SPAN does not copy the encapsulation from trunk sources. You can configure SPAN destinations as trunks to tag the monitored traffic before it is transmitted for analysis.
- Traffic that enters a VLAN through a Layer 3 VLAN interface is monitored when it is transmitted through an egress port that is in the source VLAN.
- Destination etherchannels do not support PAgP or LACP protocols, only the on mode.
- You can connect member links of a destination etherchannel to separate network analyzers.
- SPAN consumes too many switch and network resources to enable permanently.
No comments:
Post a Comment