cisco ccie span rspan erspan
TRANSCRIPT
SPAN RSPAN and ERSPAN
By : Khawar NehalApplied Technology Research Centerhttp://[email protected] November 2015
SPAN RSPAN and ERSPAN
Hierarchy of this topic
Courses / ICT / Networking / Cisco / CCIE / SPAN RSPAN and ERSPAN
SPAN RSPAN and ERSPAN
Switch port Analyzer (SPAN) is an efficient, high performance traffic monitoring system. It duplicated network traffic to one or more monitor interfaces as it transverse the switch.
SPAN RSPAN and ERSPAN
SPAN is used for troubleshooting connectivity issues and calculating network utilization and performance, among many others. There are three types of SPANs supported on Cisco products, which are illustrated in below diagram.
Local Span
Local SPAN: Mirrors traffic from one or more interface on the switch to one or more interfaces on the same switch.
Remote SPAN
Remote SPAN (RSPAN): An extension of SPAN called remote SPAN or RSPAN. RSPAN allows you to monitor traffic from source ports distributed over multiple switches, which means that you can centralize your network capture devices.
Remote SPAN
RSPAN works by mirroring the traffic from the source ports of an RSPAN session onto a VLAN that is dedicated for the RSPAN session.
Remote SPAN
This VLAN is then trunked to other switches, allowing the RSPAN session traffic to be transported across multiple switches. On the switch that contains the destination port for the session, traffic from the RSPAN session VLAN is simply mirrored out the destination port.
ERSPAN
Encapsulated remote SPAN (ERSPAN): encapsulated Remote SPAN (ERSPAN), as the name says, brings generic routing encapsulation (GRE) for all captured traffic and allows it to be extended across Layer 3 domains.
ERSPAN
ERSPAN is a Cisco proprietary feature and is available only to Catalyst 6500, 7600, Nexus, and ASR 1000 platforms to date. The ASR 1000 supports ERSPAN source (monitoring) only on Fast Ethernet, Gigabit Ethernet, and port-channel interfaces.
Configuration Example:
Configuring Local SPAN: Local SPAN configures using monitor session command specifying source and destination on the same switch.
Configuration Example:
Switch1# configure terminal
Switch1(config)# monitor session 1 source interface fastEthernet0/2
Switch1(config)# monitor session 1 destination interface fastEthernet0/24
Switch1(config)#end
Local SPAN configuration syntax on Cisco IOS release 12.2(33)SXH and beyond as shown below.
monitor session 1 type local
source int fa0/2
destination int fa0/24
Configuring RSPAN:
Step1: In order to configure RSPAN you need to have an RSPAN VLAN, those VLANs have special properties and cant be assigned to any access ports.
Configuring RSPAN:
To create a VLAN for RSPAN on Cisco IOS, you must create the VLAN via the config-vlan configuration mode, as opposed to using the older VLAN database configuration mode.
Configuring RSPAN:
During the process of defining VLAN parameters, you must specify that the new VLAN is an RSPAN VLAN by configuring the remote-span VLAN configuration command.
Configuring RSPAN:
Switch1# configure terminal
Switch1(config)# vlan 200
Switch1(config-vlan)# remote-span
Switch1(config-vlan)# end
Switch1# show vlan remote-span
Remote SPAN VLANs
------------------------------------------------------------------------------
200
Configuring RSPAN:
Switch2# configure terminal
Switch2(config)# vlan 200
Switch2(config-vlan)# remote-span
Switch2(config-vlan)# end
Switch2# show vlan remote-span
Remote SPAN VLANs
------------------------------------------------------------------------------
200
Configuring RSPAN:
Step2: Then configure the RSPAN on Source switch: Unlike SPAN, where the source and destination ports exist on the same switch, the source and destination ports for an RSPAN session reside on different switches. This requires a separate RSPAN source session to be configured, as well as a separate RSPAN destination session to be configured.
Configuring RSPAN:
Switch1# configure terminalSwitch1(config)# monitor session 1 source interface fastEthernet0/2 rxSwitch1(config)# monitor session 1 destination remote vlan 200reflector-port fastEthernet0/24Switch1(config)# exitSwitch1# show monitorSession 1---------Type : Remote Source SessionSource Ports : Rx : Fa0/2Reflector Port : Fa0/24Dest RSPAN VLAN : 200
Step 3
Step3: Configure the RSPAN on destination switch:
Switch2# configure terminal
Switch2(config)# monitor session 1 source remote vlan 200
Switch2(config)# monitor session 1 destination interface fastEthernet0/3
Switch2(config)# exit
Configuring RSPAN:
The RSPAN VLAN should be allowed in ALL trunks between the involved switches (Source and Destination switches in this case); if you have enabled "pruning" in your network, remove the RSPAN VLAN from the pruning, with the command: switchport trunk pruning vlan remove under the interface configure as trunk.
GRE
Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network.
QFP
The Cisco QuantumFlow Processor - The Engine in the ASR 1000 Series.
To be put simply, the Cisco QuantumFlow Processor (QFP) is everything on a chip. Gone are the days where you bought a large router - let's pick on the 7200-series - and also had to buy daughter cards or rely on the main CPU for encryption, firewalls, network management, QoS, etc.
ASR
Aggregation Services Routers
ASR
Much more bandwidth is available now than during the times of 300-bps modems, but the same business principles of saving as much bandwidth as possible still applies. It is particularly important for enterprises to conserve bandwidth, but it also important for service providers.
ASR
Both segments must have a network architecture that can offer higher levels of service for critical customers or Layer 7 applications. For this reason, routers capable of offering quality of service (QoS) that is flexible, scalable, and high-performing is more important than ever.
ASR
QoS on Cisco ASR 1000 Series Aggregation Services Routers offers powerful advanced and flexible hardware QoS capability. The Cisco ASR 1000 Series Router hardware, includes the Cisco QuantumFlow Processor (Cisco QFP) and its two chips: Cisco QFP Engine and Cisco QFP Traffic Manager.
ASR
Cisco ASR 1000 Series has software QoS features and capabilities which can be applied in several different architectures and deployments.
Configuring ERSPAN:
In this example we will capture received traffic on the ASR 1002 (GigabitEthernet0/1/0) and send to Catalyst 6509 Gig2/2/1. This traffic will simply be captured, encapsulated in GRE by ASR 1002 natively by the QFP chipset and routed over to the Catalyst 6509.
Configuring ERSPAN:
A sniffing station on the 6500 attached to GE2/2/1 will see the complete Ethernet frame (L2 to L7) information.
Configuring ERSPAN:
Configuring source interface, direction of traffic, and ERSPAN session ID on the ASR 1002.
ASR1002(config)# monitor session 1 type erspan-source
ASR1002(config-mon-erspan-src)# source interface gig0/1/0 rx
ASR1002(config-mon-erspan-src)# no shutdown
ASR1002(config-mon-erspan-src)# destination
ASR1002(config-mon-erspan-src-dst)# erspan-id 101
ASR1002(config-mon-erspan-src-dst)# ip address 10.1.1.1
ASR1002(config-mon-erspan-src-dst)# origin ip address 172.16.1.1
Configuring ERSPAN:
Configuring Catalyst 6509 to receive traffic from the source session on the ASR 1002
SW6509(config)# monitor session 2 type erspan-destination
SW6509(config-mon-erspan-dst)# destination interface gigabitEthernet2/2/1
SW6509(config-mon-erspan-dst)# no shutdown
SW6509(config-mon-erspan-dst)# source
SW6509(config-mon-erspan-dst-src)# erspan-id 101
SW6509(config-mon-erspan-dst-src)# ip address 10.1.1.1
Configuring ERSPAN:
You can use the show monitor session command to verify the configuration:ASR1002#sh monitor session 1Session 1---------Type : ERSPAN Source SessionStatus : Admin EnabledSource Ports : RX Only : Gi0/1/0Destination IP Address : 10.1.1.1MTU : 1464Destination ERSPAN ID : 101Origin IP Address : 172.16.1.1
Configuring ERSPAN:
To monitor the statistics of monitored traffic, you need to use "show platform hardware qfp active feature erspan state" command:ASR1002#show platform hardware qfp active feature erspan stateERSPAN State:Status : ActiveComplexes : 1CPPs : 1Capabilites :Max sessions : 1024Max outputs : 128Encaps type : ERSPAN type-IIGRE protocol : 0x88BEMTU : 1464IP TOS : 0IP TTL : 255COS : 0
Configuring ERSPAN:
System Statistics:DROP src session replica : 0 / 0DROP term session replica: 0 / 0DROP receive malformed : 0 / 0DROP receive invalid ID : 0 / 0DROP recycle queue full : 0 / 0DROP no GPM memory : 0 / 0DROP no channel memory : 0 / 0Client Debug Config:Enabled: Info, WarnData Path Debug Config:0x00000000ASR1002#
Configuring ERSPAN:
Note: 10.1.1.1 is SW6509s loopback. 172.16.1.1 Is ASR1002's loopback. ip address in destination session and ip address in source session should match. If they do not then you are likely to see dropped packets in the status.
Thank You
That was all for SPAN, RSPAN and ERSPAN.
If you have questions, please send them to : [email protected]
SPAN RSPAN and ERSPAN
By : Khawar NehalApplied Technology Research Centerhttp://[email protected] November 2015