Using Port Mirroring to Monitor Traffic - Monitoring Campus Networks - CCNP Routing and Switching SWITCH 300-115 Official Cert Guide (2015)


Part V. Monitoring Campus Networks

Chapter 16. Using Port Mirroring to Monitor Traffic

This chapter covers the following topics that you need to master for the CCNP SWITCH exam:

Using Local SPAN: This section explains how you can use a local SPAN session to mirror traffic from one or more interfaces or VLANs to a different interface, so that the traffic can be captured or monitored.

Using Remote SPAN: This section expands on the local SPAN idea to include traffic monitoring across two switches that are separated from each other.

Managing SPAN Sessions: This section explains how you can monitor and delete active SPAN sessions on a switch.

Sometimes network traffic must be monitored for troubleshooting or analysis purposes. By nature, switches try to forward traffic to a destination as directly as possible. As a result, all traffic is not normally flooded to all switch ports, so you cannot simply connect to a switch and monitor interesting traffic flows.

Catalyst switches can mirror traffic passing through switch ports or VLANs onto other ports so that a network analysis device can capture or “listen in” on interesting traffic within the switch. This chapter explains how you can leverage the Switched Port Analyzer (SPAN) feature to mirror traffic between ports on the same switch or across a switched network to a remote switch. SPAN is also commonly known as port mirroring.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt based on your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 16-1 outlines the major headings in this chapter and the “Do I Know This Already?” quiz questions that go with them. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”


Table 16-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

1. Which of the following allows traffic on one port to be mirrored to another port on the same switch?

a. VSPAN

b. RSPAN

c. Local SPAN

d. CSPAN

2. A local SPAN session can use which of the following as a source? (Choose all that apply.)

a. Physical interface

b. VLAN

c. SVI

d. An interface in an EtherChannel

e. A port-channel interface

3. Which one of the following answers contains the command(s) to correctly configure a local SPAN session to mirror all traffic from interface Gi1/0/13 to interface Gi1/0/27?

a. monitor session 1 interface gi1/0/13 interface gi1/0/27

b. monitor interface gi1/0/13 interface gi1/0/27

c. monitor session 1 source interface gi1/0/13 both

monitor session 1 destination interface gi1/0/27

d. monitor session 1 source interface gi1/0/27 both

monitor session 1 destination interface gi1/0/13

4. Which one of the following must be configured to connect switches used for RSPAN?

a. An 802.1Q trunk allowing data VLANs

b. Access mode switch ports (single VLAN)

c. A private VLAN over a trunk

d. An RSPAN VLAN over a trunk

5. Which one of the following correctly describes a difference between an RSPAN VLAN and a regular VLAN?

a. The RSPAN VLAN disables MAC address learning.

b. The RSPAN VLAN uses static MAC address definitions.

c. The RSPAN VLAN has the RSPAN source and destination MAC addresses defined in the CAM table.

d. The RSPAN VLAN cannot be carried over a trunk link.

6. To configure an RSPAN session’s source switch, what is used for the session destination?

a. The switch port leading to the destination switch

b. The RSPAN VLAN

c. The final destination switch port

d. The next-hop router

7. Which two of the following will correctly display active SPAN sessions on a switch?

a. show span

b. show monitor

c. show running-config

d. show session

8. Suppose a switch has the following SPAN configuration:

monitor session 1 source interface gi1/0/1 both
monitor session 1 destination interface gi1/0/48
monitor session 2 source interface gi1/0/1 both
monitor session 2 destination remote vlan 99

Which of the following commands will correctly delete only the local SPAN session? (Choose all that apply.)

a. no monitor session all

b. no monitor session 1

c. no monitor session 2

d. no monitor session local

e. no monitor session remote

Foundation Topics

Suppose that a problem exists on your switched network and you want to use a network analyzer to gather data. Of interest is a conversation between two hosts connected to a switch, one on interface Gigabit Ethernet 1/0/1 and the other on Gigabit Ethernet 1/0/47. Both ports are assigned to VLAN 100. Because other devices are already connected there, you must connect your analyzer to a different switch port. If you connect your analyzer to another port on VLAN 100, what will your packet capture show?

Recall that, by definition, switches learn where MAC addresses are located and forward packets directly to those ports. The only time a packet is flooded to ports other than the specific destination is when the destination MAC address has not already been located or when the packet is destined for a broadcast or multicast address. Therefore, your packet capture will show only the broadcast and multicast packets that are being flooded to the analyzer’s switch port. None of the conversation between the two hosts of interest will be overheard.

Catalyst switches can use the Switched Port Analyzer (SPAN) feature to mirror traffic from one source switch port or VLAN to a destination port. This allows a monitoring device, such as a network analyzer or “sniffer,” to be attached to the destination port for capturing traffic.

When packets arrive on the source port or VLAN, they are specially marked so that they can be copied to the SPAN destination port as they are delivered to the normal destination port. In this way, the packet capture receives an exact copy of the packets that are being forwarded to and from the SPAN source.

SPAN is available in two different forms:

Local SPAN: Both the SPAN source and destination are located on the local switch. The source is one or more switch ports.

Remote SPAN (RSPAN): The SPAN source and destination are located on different switches. Mirrored traffic is copied over a special-purpose VLAN across trunks between switches from the source to the destination.

The sections that follow describe each of these SPAN forms in more detail.

Using Local SPAN

A local SPAN session exists on only one switch or one logical switch stack. In other words, you must identify one or more source interfaces and a destination interface where monitored traffic will be copied or mirrored. Figure 16-1 illustrates the basic local SPAN operation where the goal is to monitor all traffic coming from PC A. Interface Gi1/0/1, where PC A is connected, is identified as the SPAN source. A network analyzer is connected to interface Gi1/0/48, which is identified as the SPAN destination. As Ethernet frames arrive from PC A on interface Gi1/0/1, the switch makes copies of them and forwards them to the analyzer.


Figure 16-1 Using Local SPAN to Monitor Received Traffic

Figure 16-2 shows how SPAN works with traffic in the opposite direction. In this case, the SPAN session is monitoring traffic going toward PC A. As Ethernet frames exit the switch going toward the SPAN source (PC A), they are copied to the SPAN destination (the analyzer). When you configure a SPAN session, you can specify the direction of traffic that will be mirrored, as either received, transmitted, or both.


Figure 16-2 Using Local SPAN to Monitor Transmitted Traffic

The SPAN source can be identified as one or more physical switch ports on the switch. The ports can belong to the same VLAN or different VLANs. In addition, a trunk port can be used as a SPAN source, causing traffic from all VLANs that are active on the trunk to be copied to the SPAN destination. You can apply a VLAN filter to the SPAN source to limit which VLANs will be monitored on the trunk.

A SPAN source can also be a switch port that is a member of an EtherChannel. In this case, only traffic passing over that physical port in the EtherChannel will be copied to the SPAN destination, allowing you to monitor a single link in the channel. To monitor all traffic passing across an entire EtherChannel, you can identify a port-channel interface as the SPAN source.

To monitor traffic passing within one or more VLANs on the switch, you can identify the VLANs as the SPAN source. This is essentially the same as local SPAN, but is often called VLAN-based SPAN or VSPAN. All switch ports that are active on a source VLAN become sources themselves.

The destination is identified as a physical interface located on the same switch as the source. Frames that are copied or mirrored from the SPAN source are copied into the SPAN destination port’s egress queue. Because the frames are merely copied within the switch, the original data is not affected and is still forwarded normally.

What happens if the SPAN source and destination ports are operating at different speeds? This easily could happen if the source is a VLAN with many hosts, or if the source is a 10-Gigabit Ethernet port and the destination is a Gigabit Ethernet port.

Mirrored frames are copied into the destination port’s egress queue, as if normal Layer 2 switching had decided to forward them there. If the destination port becomes congested, the mirrored frames might be dropped from the queue and not transmitted out the destination port. Therefore, if the bandwidth of SPAN source traffic exceeds that of the SPAN destination port, some mirrored traffic might not be seen at the destination port.

Local SPAN Configuration

You can configure one or more simultaneous SPAN sessions on a Catalyst switch. The number of supported SPAN sessions depends on the switch model. For example, a Catalyst 3750-X can support two sessions, whereas a Catalyst 6500 can support up to 64. Each SPAN session is completely independent because there is no interaction between the mirroring processes of each one.

To configure a SPAN session, start by defining the source of the SPAN session data, using the following global configuration command:

Switch(config)# monitor session session-number source {interface type member/mod/num | vlan vlan-id} [rx | tx | both]

SPAN sessions must be numbered uniquely using the session-number parameter. If multiple SPAN sources are needed, you can repeat this command. The SPAN source must be a physical switch interface or a Layer 2 VLAN, not a logical VLAN interface (SVI). You cannot, however, mix interfaces and VLANs as sources within the same SPAN session; create separate sessions to monitor each type of source instead.

Traffic can be selected for mirroring based on the direction it is traveling through the SPAN source. For example, you can select only traffic received on the source (rx), only traffic transmitted from the source (tx), or traffic in both directions (both). By default, both directions are used.

Next, identify the SPAN destination by using the following global configuration command. Be sure to enter the same session number so that the destination gets bound to the corresponding source:

Switch(config)# monitor session session-number destination interface type member/mod/num [encapsulation replicate]

You can define only one destination for each SPAN session. In addition, different SPAN sessions cannot share a common destination. The destination must be a physical interface, not a VLAN SVI interface.

SPAN normally copies packets to the destination without any VLAN trunk tags. In addition, SPAN does not normally copy Layer 2 protocols that are sent by the switch itself. Examples include Spanning Tree Protocol (STP) bridge protocol data units (BPDUs), Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), Dynamic Trunking Protocol (DTP), and Port Aggregation Protocol (PAgP). If you want to capture VLAN tagging information or these Layer 2 protocol packets, add the encapsulation replicate keywords to the destination command.

Be aware that the SPAN destination interface can only transmit mirrored traffic by default. Any frames that are sent into the destination interface are simply dropped. In most cases, the one-way traffic is sufficient because network analyzers only receive frames to be captured and analyzed. If you connect a device that also needs to transmit data back into the network, you can override the default SPAN behavior. Add the following command syntax to the monitor session destination command to allow ingress traffic:

ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id}

Because the SPAN destination interface is not bound to any specific interface or trunking encapsulation, you must specify how the ingress traffic should be handled. If the ingress traffic uses 802.1Q encapsulation, use the dot1q keyword and identify the default VLAN number. If the ingress traffic uses Inter-Switch Link (ISL) encapsulation, enter the isl keyword. Otherwise, if the ingress traffic is not encapsulated, use the untagged keyword and identify to which VLAN the traffic should be sent.

If the SPAN source is a trunk port, you might want to mirror only traffic from specific VLANs on the trunk. You can specify a list of VLANs with the following global configuration command:

Switch(config)# monitor session session-number filter vlan vlan-range

Following the scenario from Figure 16-1, suppose you would like to monitor traffic going to and coming from a device connected to interface Gigabit Ethernet 1/0/1. You have connected a network analyzer to interface Gigabit Ethernet 1/0/48. Because the source and destination devices are connected to the same logical switch, you can use a local SPAN session to monitor the traffic. Example 16-1 lists the commands that are necessary to set up the SPAN session.

Example 16-1 Configuring a Local SPAN Session


Switch(config)# monitor session 1 source interface gigabitethernet1/0/1 both
Switch(config)# monitor session 1 destination interface gigabitethernet1/0/48



Note

When local SPAN is enabled, STP is disabled on the destination port. This allows STP BPDUs to be captured and monitored but also allows the possibility for a bridging loop to form. Never connect a SPAN session’s destination port back into an active network. If the monitored packets need to be sent toward another switch, use RSPAN instead.


Remote SPAN

In a large switched network or one that is geographically separated, it might not always be convenient to take a network analyzer to the switch where a SPAN source is located. To make SPAN more extensible, Cisco developed the Remote SPAN (RSPAN) feature. With RSPAN, the source and destination can be located on different switches in different locations.

The RSPAN source is identified on one switch where the source is connected, just as with local SPAN. The RSPAN destination is identified on another switch where the mirrored traffic will be collected. Then RSPAN will carry only the mirrored data over a special-purpose VLAN across trunk links and intermediate switches between the source and destination. As long as every switch along the way is RSPAN capable, the source can be located at the far-end switch, while the network analyzer might be conveniently located at the switch nearest you.

Figure 16-3 shows an example network that uses RSPAN to mirror traffic from the source on Switch A to the destination on Switch C. The switches are connected by trunk links that carry a VLAN that is set aside for RSPAN traffic. At the source switch, mirrored frames are copied and sent toward the RSPAN destination over the RSPAN VLAN. At the destination switch, packets are pulled off the RSPAN VLAN and copied to the RSPAN destination port.


Figure 16-3 Using RSPAN to Mirror Traffic Across Multiple Switches

The RSPAN VLAN has some important differences from a regular VLAN. First, MAC address learning is disabled on the RSPAN VLAN. This is to prevent intermediate switches that transport the RSPAN VLAN from trying to forward the mirrored packets to their real destination MAC addresses. After all, the purpose of SPAN or RSPAN is to simply mirror or copy interesting frames, not forward them normally.

An RSPAN-capable switch also floods the RSPAN packets out all its ports belonging to the RSPAN VLAN, in an effort to send them toward the RSPAN destination. Intermediate switches have no knowledge of the RSPAN source or destination; they know only of the RSPAN VLAN itself. Therefore, the RSPAN VLAN should be limited to the links that participate in RSPAN transport. In other words, the RSPAN VLAN should be allowed on trunks between switches, but should not be assigned to any other switch ports along the path.

Remote SPAN Configuration

RSPAN configuration begins with the definition of the special-purpose RSPAN VLAN. If you configure the RSPAN VLAN on a VTP server, VTP correctly propagates it to other intermediate switches. If you are not using VTP, be sure to configure this VLAN for RSPAN explicitly on each intermediate switch. Otherwise, the RSPAN packets will not be delivered correctly.

In addition, if VTP pruning is in use, the RSPAN VLAN will be pruned from unnecessary trunks, limiting the traffic impact in unrelated areas of the network.

Create and maintain one or more RSPAN VLANs for the special monitoring purpose only. Set aside one RSPAN VLAN for each RSPAN session that will be used. Do not allow any normal hosts to join an RSPAN VLAN. Define an RSPAN VLAN on each switch between the source and destination with the following configuration commands:

Switch(config)# vlan vlan-id
Switch(config-vlan)# remote-span

Next, you must identify the RSPAN source and destination on the two switches where the source and destination are connected. At the source switch, identify the source and destination with the following global configuration commands:

Switch(config)# monitor session session-number source {interface type member/mod/num | vlan vlan-id} [rx | tx | both]
Switch(config)# monitor session session-number destination remote vlan rspan-vlan-id

Here, the source is either a physical switch interface or a Layer 2 VLAN (not a VLAN SVI interface). Notice that the command syntax is identical to the local SPAN monitor session source command. The RSPAN destination is simply the RSPAN VLAN. This allows the mirrored packets to be copied into the special VLAN and sent on their way toward the final RSPAN destination.

As with a local SPAN session, you can also use the monitor session filter command to filter VLANs from a trunk interface that is used as a SPAN source.

At the destination switch, you must again identify the RSPAN source and destination by using the following global configuration commands:

Switch(config)# monitor session session-number source remote vlan rspan-vlan-id
Switch(config)# monitor session session-number destination interface type member/mod/num [encapsulation replicate]

Here the roles are reversed. RSPAN packets are pulled from the RSPAN VLAN and placed onto the destination, which is either a physical switch interface or a Layer 2 VLAN. As with local SPAN, you can add the ingress keyword and its parameters to allow traffic to be received and forwarded from the destination interface.


Note

Be aware that RSPAN traffic can increase the traffic load on a trunk, even though RSPAN is restricted to one special VLAN within the trunk. If the additional load is significant, the normal production and the monitored traffic contend with each other for available bandwidth. As a result, both types of traffic could suffer.

Also, RSPAN must allow STP to run on the RSPAN VLAN to prevent bridging loops from forming. As a result, STP BPDUs normally are sent and received on that VLAN, and you cannot monitor BPDUs with RSPAN.


Suppose, for instance, that you would like to set up an RSPAN session for the scenario shown in Figure 16-3. The source is connected to Switch A port Gigabit Ethernet 1/0/1. The destination is a network analyzer connected to port Gigabit Ethernet 1/0/48 on Switch C. Switch B simply passes the RSPAN session traffic over VLAN 99, transported by trunk links to switches A and C. The corresponding configuration commands are listed in Examples 16-2, 16-3, and 16-4 for Switches A, B, and C, respectively. For Switch B, only the commands relevant to the RSPAN VLAN are listed. The trunk links are assumed to allow VLAN 99 toward Switches A and C.

Example 16-2 Configuring RSPAN on Switch A in Figure 16-3


Switch(config)# vlan 99
Switch(config-vlan)# remote-span
Switch(config-vlan)# exit
Switch(config)# monitor session 1 source interface gigabitethernet 1/0/1 both
Switch(config)# monitor session 1 destination remote vlan 99


Example 16-3 Configuring RSPAN on Switch B in Figure 16-3


Switch(config)# vlan 99
Switch(config-vlan)# remote-span
Switch(config-vlan)# exit


Example 16-4 Configuring RSPAN on Switch C in Figure 16-3


Switch(config)# vlan 99
Switch(config-vlan)# remote-span
Switch(config-vlan)# exit
Switch(config)# monitor session 1 source remote vlan 99
Switch(config)# monitor session 1 destination interface gigabitethernet 1/0/48

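The rules stated in the local SPAN and RSPAN configuration sections (one destination per session, no destination shared between sessions, no mixing of interface and VLAN sources, RSPAN VLANs defined with remote-span and never assigned to host ports, ingress on a destination only when deliberately intended) can be checked mechanically against a running configuration. The following Python script is an added example, not code from the book or from Cisco; the configuration it parses is constructed sample data in the command syntax shown above, and the parser assumes the one-line running-config form of the monitor session commands.

```python
from collections import defaultdict

# Constructed running-config excerpt (sample data, not one of the book's examples).
SAMPLE_CONFIG = """\
vlan 99
 remote-span
interface GigabitEthernet1/0/10
 switchport access vlan 99
monitor session 1 source interface Gi1/0/1 both
monitor session 1 source vlan 100 rx
monitor session 1 destination interface Gi1/0/48 ingress untagged vlan 100
monitor session 2 source interface Gi1/0/2 both
monitor session 2 destination interface Gi1/0/48
monitor session 3 source interface Gi1/0/3 both
monitor session 3 destination remote vlan 200
"""

def parse_config(text):
    """Collect SPAN sessions, RSPAN VLANs and access-port VLAN assignments."""
    sessions = defaultdict(lambda: {"sources": [], "destinations": []})
    rspan_vlans, access_ports = set(), {}
    cur_vlan = cur_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("vlan "):                     # start of a 'vlan <id>' block
            cur_vlan, cur_if = int(line.split()[1]), None
        elif line.startswith("interface "):              # start of an interface block
            cur_if, cur_vlan = line.split(None, 1)[1], None
        elif line == "remote-span" and cur_vlan is not None:
            rspan_vlans.add(cur_vlan)
        elif line.startswith("switchport access vlan ") and cur_if:
            access_ports[cur_if] = int(line.split()[-1])
        elif line.startswith("monitor session "):
            parts = line.split()
            num, role, rest = int(parts[2]), parts[3], parts[4:]
            if role not in ("source", "destination"):    # e.g. 'filter vlan' lines
                continue
            if rest[0] == "remote":                      # remote vlan <rspan-vlan-id>
                entry = ("remote vlan", int(rest[2]), False)
            elif rest[0] == "vlan":                      # vlan <vlan-id> [rx|tx|both]
                entry = ("vlan", rest[1], False)
            else:                                        # interface <name> [...]
                entry = ("interface", rest[1], "ingress" in rest)
            sessions[num][role + "s"].append(entry)      # 'source' -> 'sources', etc.
    return dict(sessions), rspan_vlans, access_ports

def audit(text):
    """Return findings for configurations that break the rules the chapter states."""
    sessions, rspan_vlans, access_ports = parse_config(text)
    findings, dest_owner = [], {}
    for num, s in sorted(sessions.items()):
        kinds = {src[0] for src in s["sources"]}
        if {"interface", "vlan"} <= kinds:               # no mixing in one session
            findings.append(f"session {num}: mixes interface and VLAN sources")
        if len(s["destinations"]) != 1:                  # exactly one destination
            findings.append(f"session {num}: expected one destination, found {len(s['destinations'])}")
        for kind, target, ingress in s["sources"] + s["destinations"]:
            if kind == "remote vlan" and target not in rspan_vlans:
                findings.append(f"session {num}: VLAN {target} used for RSPAN lacks 'remote-span'")
        for kind, target, ingress in s["destinations"]:
            if kind != "interface":
                continue
            if target in dest_owner:                     # destinations are not shared
                findings.append(f"session {num}: destination {target} already used by session {dest_owner[target]}")
            dest_owner.setdefault(target, num)
            if ingress:                                  # destination can send into the network
                findings.append(f"session {num}: ingress enabled on destination {target}")
    for port, vlan in sorted(access_ports.items()):      # hosts must not join the RSPAN VLAN
        if vlan in rspan_vlans:
            findings.append(f"{port}: access port assigned to RSPAN VLAN {vlan}")
    return findings
```

Running audit(SAMPLE_CONFIG) reports five findings for the sample: the mixed sources and the ingress-enabled destination in session 1, the destination port reused by session 2, the undefined RSPAN VLAN in session 3, and the access port placed in VLAN 99.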

Managing SPAN Sessions

Like any other configuration commands, the monitor session source and monitor session destination commands are placed into the running configuration of the switch as you enter them. You can display SPAN sessions by searching for the commands in the switch configuration, as Example 16-5 shows.

Example 16-5 Displaying SPAN Sessions in the Switch Configuration


Switch# show running-config | include monitor
monitor session 1 source interface Gi1/0/1
monitor session 1 destination interface Gi1/0/48
Switch#


You can also see information about currently active SPAN sessions by entering the show monitor EXEC command. By default, all active sessions are displayed. You can use the session keyword to limit the output to specific sessions, all sessions, only local sessions, or only remote sessions. The command syntax follows:

Switch# show monitor [session {session-number | all | local | range range-list | remote}] [detail]

In Example 16-6, two SPAN sessions are in use on a switch.

Example 16-6 Displaying the Currently Active SPAN Sessions


Switch# show monitor
Session 1
----------
Type : Local Session
Source Ports :
Both : Gi1/0/1
Destination Ports : Gi1/0/48
Encapsulation : Native
Ingress : Disabled

Session 2
----------
Type : Remote Source Session
Source Ports :
Both : Gi1/0/1
Dest RSPAN VLAN : 99
Switch#


You can delete a SPAN session after the packet analysis is complete. SPAN sessions are numbered, so you can delete them by referencing the session number. Use the following global configuration command to delete one or more sessions:

Switch(config)# no monitor session {session-number | range session-range | local | all}

Session numbers can be given as an individual session, a range of sessions, all local SPAN sessions, or all sessions (local or remote).

When you finish using a SPAN session, you should always disable or delete it; otherwise, someone might later connect a device to the port that is configured as the SPAN destination. You could spend a good bit of time troubleshooting that user’s connectivity problem only to find that you left a SPAN session active there.
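Because a forgotten session keeps mirroring traffic to whatever is plugged into its destination port, it helps to compare the show monitor output against the list of sessions you intended to have. The following Python script is an added example, not code from the book or from Cisco: it parses output in the layout of Example 16-6 (the sample below is constructed data, with whitespace collapsed the way the page shows it) and reports sessions that are not on an approved list, sessions whose destination differs from the approved one, destinations with ingress enabled, and approved sessions that are no longer active.

```python
import re

# Constructed 'show monitor' output in the layout of Example 16-6 (sample data,
# not the book's own output); session 3 is the one nobody approved.
SAMPLE_SHOW_MONITOR = """\
Session 1
---------
Type : Local Session
Source Ports :
Both : Gi1/0/1
Destination Ports : Gi1/0/48
Encapsulation : Native
Ingress : Disabled

Session 2
---------
Type : Remote Source Session
Source Ports :
Both : Gi1/0/1
Dest RSPAN VLAN : 99

Session 3
---------
Type : Local Session
Source VLANs :
Both : 100
Destination Ports : Gi1/0/24
Encapsulation : Replicate
Ingress : Enabled, default VLAN = 100
"""

def parse_show_monitor(text):
    """Map session number -> its fields; the direction rows go under 'sources'."""
    sessions, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^Session (\d+)$", line)
        if m:                                           # header line starts a session
            cur = sessions.setdefault(int(m.group(1)), {"sources": {}})
            continue
        if cur is None or not line or line.startswith("-"):
            continue
        key, _, value = (part.strip() for part in line.partition(":"))
        if key in ("Both", "RX Only", "TX Only"):       # rows under Source Ports/VLANs
            cur["sources"][key] = value
        else:
            cur[key] = value
    return sessions

def check_sessions(sessions, approved):
    """approved: {session number: expected destination port or RSPAN VLAN}."""
    findings = []
    for num, s in sorted(sessions.items()):
        dest = s.get("Destination Ports") or s.get("Dest RSPAN VLAN")
        if num not in approved:
            findings.append(f"session {num}: not in the approved list (type {s.get('Type')}, dest {dest})")
        elif approved[num] != dest:
            findings.append(f"session {num}: destination {dest} differs from approved {approved[num]}")
        if s.get("Ingress", "Disabled") != "Disabled":  # destination may send frames back in
            findings.append(f"session {num}: ingress enabled on destination {dest}")
    for num in sorted(set(approved) - set(sessions)):
        findings.append(f"session {num}: approved but not active")
    return findings
```

With approved = {1: "Gi1/0/48", 2: "99"}, check_sessions flags session 3 twice: once as unapproved and once for its ingress setting.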

Exam Preparation Tasks

Review All Key Topics

Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 16-2 lists a reference of these key topics and the page numbers on which each is found.


Table 16-2 Key Topics for Chapter 16

Complete Tables and Lists from Memory

There are no memory tables in this chapter.

Define Key Terms

Define the following key terms from this chapter, and check your answers in the glossary:

local SPAN

RSPAN

SPAN

VSPAN

Use Command Reference to Check Your Memory

This section includes the most important configuration and EXEC commands covered in this chapter. It might not be necessary to memorize the complete syntax of every command, but you should remember the basic keywords that are needed.

To test your memory of the VLAN and trunk-related commands, cover the right side of Table 16-3 with a piece of paper, read the description on the left side, and then see how much of the command you can remember.


Table 16-3 IP SLA Configuration and Monitoring Commands

Remember that the CCNP exam focuses on practical or hands-on skills that are used by a networking professional.