Translate

Monday, 26 September 2016

SPAN (Switch Port Analyzer)

SPAN (Switch Port Analyzer)

What is SPAN and why is it needed?

On any hub and spoke topology, the switch has important relationship with spokes.The SPAN feature was introduced on switches because of a fundamental difference that switches have with hubs. When a hub receives a packet on one port, the hub sends out a copy of that packet on all ports except on the one where the hub received the packet. After a switch boots, it starts to build up a Layer 2 forwarding table on the basis of the source MAC address of the different packets that the switch receives. After this forwarding table is built, the switch forwards traffic that is destined for a MAC address directly to the corresponding port.

For example, if you want to capture Ethernet traffic that is sent by host A to host B, and both are connected to a hub, just attach a sniffer to this hub. All other ports see the traffic between hosts A and B:


On a switch, after the host B MAC address is learned, unicast traffic from A to B is only forwarded to the B port. Therefore, the sniffer does not see this traffic:


In this configuration, the sniffer only captures traffic that is flooded to all ports, such as:

Broadcast traffic
Multicast traffic with CGMP or Internet Group Management Protocol (IGMP) snooping disabled
Unknown unicast traffic

Unicast flooding occurs when the switch does not have the destination MAC in its content-addressable memory (CAM) table. The switch does not know where to send the traffic. The switch floods the packets to all the ports in the destination VLAN.

An extra feature is necessary that artificially copies unicast packets that host A sends to the sniffer port:


In this diagram, the sniffer is attached to a port that is configured to receive a copy of every packet that host A sends. This port is called a SPAN port. The other sections of this document describe how you can tune this feature very precisely in order to do more than just monitor a port.


SPAN Terminology

  • Ingress traffic-Traffic that enters the switch.
  • Egress traffic-Traffic that leaves the switch.
  • Source (SPAN) port -A port that is monitored with use of the SPAN feature.
  • Source (SPAN) VLAN -A VLAN whose traffic is monitored with use of the SPAN feature.
  • Destination (SPAN) port -A port that monitors source ports, usually where a network analyzer is connected.
  • Reflector Port -A port that copies packets onto an RSPAN VLAN.
  • Monitor port-A monitor port is also a destination SPAN port in Catalyst 2900XL/3500XL/2950 terminology.




  • Local SPAN-The SPAN feature is local when the monitored ports are all located on the same switch as the destination port. This feature is in contrast to Remote SPAN (RSPAN), which this list also defines.



  • Remote SPAN (RSPAN)-Some source ports are not located on the same switch as the destination port. RSPAN is an advanced feature that requires a special VLAN to carry the traffic that is monitored by SPAN between switches. RSPAN is not supported on all switches. Check the respective release notes or configuration guide to see if you can use RSPAN on the switch that you deploy.



  • Port-based SPAN (PSPAN)-The user specifies one or several source ports on the switch and one destination port.



  • VLAN-based SPAN (VSPAN)-On a particular switch, the user can choose to monitor all the ports that belong to a particular VLAN in a single command.



  • ESPAN-This means enhanced SPAN version. This term has been used several times during the evolution of the SPAN in order to name additional features. Therefore, the term is not very clear. Use of this term is avoided in this document.
  • Administrative source-A list of source ports or VLANs that have been configured to be monitored.

  • Operational source-A list of ports that are effectively monitored. This list of ports can be different from the administrative source. For example, a port that is in shutdown mode can appear in the administrative source, but is not effectively monitored.

Characteristics of Source VLAN


VSPAN is the monitoring of the network traffic in one or more VLANs. The SPAN or RSPAN source interface in VSPAN is a VLAN ID, and traffic is monitored on all the ports for that VLAN.
VSPAN has these characteristics:
  • All active ports in the source VLAN are included as source ports and can be monitored in either or both directions.
  • On a given port, only traffic on the monitored VLAN is sent to the destination port.
  • If a destination port belongs to a source VLAN, it is excluded from the source list and is not monitored.
  • If ports are added to or removed from the source VLANs, the traffic on the source VLAN received by those ports is added to or removed from the sources that are monitored.
  • You cannot use filter VLANs in the same session with VLAN sources.
  • You can monitor only Ethernet VLANs.

Characteristics of Destination Port

Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports and VLANs.
A destination port has these characteristics:
  • A destination port must reside on the same switch as the source port (for a local SPAN session).
  • A destination port can be any Ethernet physical port.
  • A destination port can participate in only one SPAN session at a time. A destination port in one SPAN session cannot be a destination port for a second SPAN session.
  • A destination port cannot be a source port.
  • A destination port cannot be an EtherChannel group.
  • A destination port can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group has been specified as a SPAN source. The port is removed from the group while it is configured as a SPAN destination port.
  • The port does not transmit any traffic except that traffic required for the SPAN session unless learning is enabled. If learning is enabled, the port also transmits traffic directed to hosts that have been learned on the destination port.
  • The state of the destination port is up/down by design. The interface shows the port in this state in order to make it evident that the port is currently not usable as a production port.
  • If ingress traffic forwarding is enabled for a network security device. The destination port forwards traffic at Layer 2.
  • A destination port does not participate in spanning tree while the SPAN session is active.
  • When it is a destination port, it does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PagP).
  • A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list and is not monitored.
  • A destination port receives copies of sent and received traffic for all monitored source ports. If a destination port is oversubscribed, it can become congested. This congestion can affect traffic forwarding on one or more of the source ports.

Characteristics of Reflector Port

The reflector port is the mechanism that copies packets onto an RSPAN VLAN. The reflector port forwards only the traffic from the RSPAN source session with which it is affiliated. Any device connected to a port set as a reflector port loses connectivity until the RSPAN source session is disabled.


The reflector port has these characteristics:
  • It is a port set to loopback.
  • It cannot be an EtherChannel group, it does not trunk, and it cannot do protocol filtering.
  • It can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group is specified as a SPAN source. The port is removed from the group while it is configured as a reflector port.
  • A port used as a reflector port cannot be a SPAN source or destination port, nor can a port be a reflector port for more than one session at a time.
  • It is invisible to all VLANs.
  • The native VLAN for looped-back traffic on a reflector port is the RSPAN VLAN.
  • The reflector port loops back untagged traffic to the switch. The traffic is then placed on the RSPAN VLAN and flooded to any trunk ports that carry the RSPAN VLAN.
  • Spanning tree is automatically disabled on a reflector port.
  • A reflector port receives copies of sent and received traffic for all monitored source ports.

No comments:

Post a Comment