SPAN RSPAN and ERSPAN

By : Khawar NehalApplied Technology Research Centerhttp://atrc.net.pkkhawar@atrc.net.pk24 November 2015

SPAN RSPAN and ERSPAN

Hierarchy of this topic

Courses / ICT / Networking / Cisco / CCIE / SPAN RSPAN and ERSPAN

SPAN RSPAN and ERSPAN

Switch port Analyzer (SPAN) is an efficient, high performance traffic monitoring system. It duplicated network traffic to one or more monitor interfaces as it transverse the switch.

SPAN RSPAN and ERSPAN

SPAN is used for troubleshooting connectivity issues and calculating network utilization and performance, among many others. There are three types of SPANs supported on Cisco products, which are illustrated in below diagram.

Local Span

Local SPAN: Mirrors traffic from one or more interface on the switch to one or more interfaces on the same switch.

Remote SPAN

Remote SPAN (RSPAN): An extension of SPAN called remote SPAN or RSPAN. RSPAN allows you to monitor traffic from source ports distributed over multiple switches, which means that you can centralize your network capture devices.

Remote SPAN

RSPAN works by mirroring the traffic from the source ports of an RSPAN session onto a VLAN that is dedicated for the RSPAN session.

Remote SPAN

This VLAN is then trunked to other switches, allowing the RSPAN session traffic to be transported across multiple switches. On the switch that contains the destination port for the session, traffic from the RSPAN session VLAN is simply mirrored out the destination port.

ERSPAN

Encapsulated remote SPAN (ERSPAN): encapsulated Remote SPAN (ERSPAN), as the name says, brings generic routing encapsulation (GRE) for all captured traffic and allows it to be extended across Layer 3 domains.

ERSPAN

ERSPAN is a Cisco proprietary feature and is available only to Catalyst 6500, 7600, Nexus, and ASR 1000 platforms to date. The ASR 1000 supports ERSPAN source (monitoring) only on Fast Ethernet, Gigabit Ethernet, and port-channel interfaces.

Configuration Example:

Configuring Local SPAN: Local SPAN configures using monitor session command specifying source and destination on the same switch.

Configuration Example:

Switch1# configure terminal

Switch1(config)# monitor session 1 source interface fastEthernet0/2

Switch1(config)# monitor session 1 destination interface fastEthernet0/24

Switch1(config)#end

Local SPAN configuration syntax on Cisco IOS release 12.2(33)SXH and beyond as shown below.

monitor session 1 type local

source int fa0/2

destination int fa0/24

Configuring RSPAN:

Step1: In order to configure RSPAN you need to have an RSPAN VLAN, those VLANs have special properties and cant be assigned to any access ports.

Configuring RSPAN:

To create a VLAN for RSPAN on Cisco IOS, you must create the VLAN via the config-vlan configuration mode, as opposed to using the older VLAN database configuration mode.

Configuring RSPAN:

During the process of defining VLAN parameters, you must specify that the new VLAN is an RSPAN VLAN by configuring the remote-span VLAN configuration command.

Configuring RSPAN:

Switch1# configure terminal

Switch1(config)# vlan 200

Switch1(config-vlan)# remote-span

Switch1(config-vlan)# end

Switch1# show vlan remote-span

Remote SPAN VLANs

------------------------------------------------------------------------------

200

Configuring RSPAN:

Switch2# configure terminal

Switch2(config)# vlan 200

Switch2(config-vlan)# remote-span

Switch2(config-vlan)# end

Switch2# show vlan remote-span

Remote SPAN VLANs

------------------------------------------------------------------------------

200

Configuring RSPAN:

Step2: Then configure the RSPAN on Source switch: Unlike SPAN, where the source and destination ports exist on the same switch, the source and destination ports for an RSPAN session reside on different switches. This requires a separate RSPAN source session to be configured, as well as a separate RSPAN destination session to be configured.

Configuring RSPAN:

Switch1# configure terminalSwitch1(config)# monitor session 1 source interface fastEthernet0/2 rxSwitch1(config)# monitor session 1 destination remote vlan 200reflector-port fastEthernet0/24Switch1(config)# exitSwitch1# show monitorSession 1---------Type : Remote Source SessionSource Ports : Rx : Fa0/2Reflector Port : Fa0/24Dest RSPAN VLAN : 200

Step 3

Step3: Configure the RSPAN on destination switch:

Switch2# configure terminal

Switch2(config)# monitor session 1 source remote vlan 200

Switch2(config)# monitor session 1 destination interface fastEthernet0/3

Switch2(config)# exit

Configuring RSPAN:

The RSPAN VLAN should be allowed in ALL trunks between the involved switches (Source and Destination switches in this case); if you have enabled "pruning" in your network, remove the RSPAN VLAN from the pruning, with the command: switchport trunk pruning vlan remove under the interface configure as trunk.

GRE

Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network.

QFP

The Cisco QuantumFlow Processor - The Engine in the ASR 1000 Series.

To be put simply, the Cisco QuantumFlow Processor (QFP) is everything on a chip. Gone are the days where you bought a large router - let's pick on the 7200-series - and also had to buy daughter cards or rely on the main CPU for encryption, firewalls, network management, QoS, etc.

ASR

Aggregation Services Routers

ASR

Much more bandwidth is available now than during the times of 300-bps modems, but the same business principles of saving as much bandwidth as possible still applies. It is particularly important for enterprises to conserve bandwidth, but it also important for service providers.

ASR

Both segments must have a network architecture that can offer higher levels of service for critical customers or Layer 7 applications. For this reason, routers capable of offering quality of service (QoS) that is flexible, scalable, and high-performing is more important than ever.

ASR

QoS on Cisco ASR 1000 Series Aggregation Services Routers offers powerful advanced and flexible hardware QoS capability. The Cisco ASR 1000 Series Router hardware, includes the Cisco QuantumFlow Processor (Cisco QFP) and its two chips: Cisco QFP Engine and Cisco QFP Traffic Manager.

ASR

Cisco ASR 1000 Series has software QoS features and capabilities which can be applied in several different architectures and deployments.

Configuring ERSPAN:

In this example we will capture received traffic on the ASR 1002 (GigabitEthernet0/1/0) and send to Catalyst 6509 Gig2/2/1. This traffic will simply be captured, encapsulated in GRE by ASR 1002 natively by the QFP chipset and routed over to the Catalyst 6509.

Configuring ERSPAN:

A sniffing station on the 6500 attached to GE2/2/1 will see the complete Ethernet frame (L2 to L7) information.

Configuring ERSPAN:

Configuring source interface, direction of traffic, and ERSPAN session ID on the ASR 1002.

ASR1002(config)# monitor session 1 type erspan-source

ASR1002(config-mon-erspan-src)# source interface gig0/1/0 rx

ASR1002(config-mon-erspan-src)# no shutdown

ASR1002(config-mon-erspan-src)# destination

ASR1002(config-mon-erspan-src-dst)# erspan-id 101

ASR1002(config-mon-erspan-src-dst)# ip address 10.1.1.1

ASR1002(config-mon-erspan-src-dst)# origin ip address 172.16.1.1

Configuring ERSPAN:

Configuring Catalyst 6509 to receive traffic from the source session on the ASR 1002

SW6509(config)# monitor session 2 type erspan-destination

SW6509(config-mon-erspan-dst)# destination interface gigabitEthernet2/2/1

SW6509(config-mon-erspan-dst)# no shutdown

SW6509(config-mon-erspan-dst)# source

SW6509(config-mon-erspan-dst-src)# erspan-id 101

SW6509(config-mon-erspan-dst-src)# ip address 10.1.1.1

Configuring ERSPAN:

You can use the show monitor session command to verify the configuration:ASR1002#sh monitor session 1Session 1---------Type : ERSPAN Source SessionStatus : Admin EnabledSource Ports : RX Only : Gi0/1/0Destination IP Address : 10.1.1.1MTU : 1464Destination ERSPAN ID : 101Origin IP Address : 172.16.1.1

Configuring ERSPAN:

To monitor the statistics of monitored traffic, you need to use "show platform hardware qfp active feature erspan state" command:ASR1002#show platform hardware qfp active feature erspan stateERSPAN State:Status : ActiveComplexes : 1CPPs : 1Capabilites :Max sessions : 1024Max outputs : 128Encaps type : ERSPAN type-IIGRE protocol : 0x88BEMTU : 1464IP TOS : 0IP TTL : 255COS : 0

Configuring ERSPAN:

System Statistics:DROP src session replica : 0 / 0DROP term session replica: 0 / 0DROP receive malformed : 0 / 0DROP receive invalid ID : 0 / 0DROP recycle queue full : 0 / 0DROP no GPM memory : 0 / 0DROP no channel memory : 0 / 0Client Debug Config:Enabled: Info, WarnData Path Debug Config:0x00000000ASR1002#

Configuring ERSPAN:

Note: 10.1.1.1 is SW6509s loopback. 172.16.1.1 Is ASR1002's loopback. ip address in destination session and ip address in source session should match. If they do not then you are likely to see dropped packets in the status.

Thank You

That was all for SPAN, RSPAN and ERSPAN.

If you have questions, please send them to : cisco-training@atrc.net.pk

SPAN RSPAN and ERSPAN

By : Khawar NehalApplied Technology Research Centerhttp://atrc.net.pkkhawar@atrc.net.pk24 November 2015