Welcome to IE-LAB!

Generic filters
Generic filters

Introduction to SPAN and RSPAN for port mirroring

SPAN technology is mainly used to monitor the data flow on the switch, which is roughly divided into two types, Local Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN), the implementation method is slightly different. With SPAN technology, we can COPY or MIRROR the data stream of some ports on the switch that we want to be monitored. Send to the traffic analyzer connected to the destination Port , such as CISCO IDS or PC with SNIFFER tool. The Source Port and destination Port can be on the same switch (local SPAN) or on different switches ( Remote SPAN).

SPAN, known as Switched Port Analyzer, it is a port mirroring technology for switches. The main purpose is to provide network data flow to a certain network analyzer. SPAN does not affect the data exchange of the source port. It simply sends a copy of the packet sent or received by the source port to the destination Port .

RSPAN (Remote SPAN), which is similar to SPAN, provides remote monitoring of multilayer switches across a switched network.

1.SPAN Session

A SPAN session is a flow of data between a set of 1.  Source Ports and a destination port. It can monitor the incoming traffic of multiple ports or the outgoing traffic of one port at the same time, and can also monitor the incoming traffic of all ports in the VLAN, but cannot simultaneously go out to multiple ports.

Traffic and VLAN outbound traffic are monitored, you can set SPAN on a port that is down. but the SPAN session is inactive at this time.

But as long as the relevant interface is opened, SPAN becomes active.

The destination Port is preferably >= Source Port bandwidth, otherwise packet loss may occur.

2.SPAN Traffic

Use local SPAN to monitor all network traffic, including multicast, bridge protocol data unit (BPDU), and CDP, VTP, DTP, STP, PagP, and LACP packets. RSPAN cannot monitor Layer 2 protocols.

3.Traffic Types

There are three types of traffic being monitored, Receive (Rx) SPAN Source Port receive traffic, Transmit (Tx) SPAN Source Port transmit traffic, and Both a Source Port receive and send traffic.

4.SPAN port types

1.Source Port

SPAN source port, also called monitored port

The Source Port can be the actual physical port, VLAN, or Ethernet channel. The physical port can be in different VLANs. If the Source Portis a VLAN, all the physical ports in the VLAN are included. If the Source Port is an Ethernet channel, Then includes all the physical ports that make up this EtherChannel. If the Source Portis a trunk port, all VLAN traffic carried on the trunk port will be monitored. You can also use the filter vlan parameter to adjust only the VLAN data traffic specified in the filter vlan.

2.Destination Port

SPAN, which is the monitoring Port (for monitoring equipment).

A destination Port can only be a single physical port. A destination Port can only be used in one SPAN. The destination Port does not participate in other Layer 2 protocols.

Cisco Discovery Protocol (CDP),

VLAN Trunk Protocol (VTP),

Dynamic Trunking Protocol (DTP),

Spanning Tree Protocol (STP),

Port Aggregation Protocol (PagP),

Link Aggregation Control Protocol (LACP) and so on

By default, the destination Port does not forward any data stream except the SPAN Session. You can also enable the Layer 2 forwarding function of the destination Port by setting the ingress parameter. For example, there is such a need when connecting CISCO IDS. At this time, the IDS not only needs to receive the data stream of the SPAN Session, but the IDS itself also has communication traffic with other devices in the network, so you need to open the Layer 2 forwarding function of the destination Port. The bandwidth of the destination Port is preferably greater than or equal to the bandwidth of the controlled port. Otherwise, packet loss may occur.

3.Reflector Port

The reflective port is only used in RSPAN. It is on the same switch as the Source Port in RSPAN. It is used to forward the local Source Port traffic to the remote destination Port on the other switch in RSPAN. It can only be an actual physical port,it is invisible to all VLANs

RSPAN also uses a dedicated VLAN to forward traffic. The reflective port uses this private VLAN to send traffic through the TRUNK port to other switches. The remote switch then sends the data stream through the private VLAN to the analyzer on the destination Port .

Regarding the creation of RSPAN VLANs, all switches participating in RSPAN should be in the same VTP domain, not using VLAN 1, nor using 1002-1005, which is reserved for Token Ring and FDDI VLANs. If it is a standard VLAN of 2-1001, it can be created only on the VTP Server. Other switches will automatically learn it. If it is an extended VLAN of 1006-4094, you need to create this private VLAN on all switches. The reflective port is preferably >= Source Port bandwidth, otherwise packet loss may occur.

3 modes of SPAN:

      1. SPAN: The source port and the destination port are both on the same switch, and the source port can be one or more switch ports.
      2. VLAN-based Switched Port Analyzer (VSPAN): A variant of SPAN where the source port is not a physical port but a VLAN.
      3. Remote Switched Port Analyzer (RSPAN): The source and destination ports are on different switches

ERSPAN —- Enhanced Remoted

When you use SPAN to monitor a VLAN, you can only monitor the traffic received by all active ports in the VLAN. If the destination Port also belongs to this VLAN, the port is not in the monitoring range. When using SPAN to monitor VLANs, the routing data between VLANs is not monitored. For example, I open a SPAN to monitor the data flow in the inbound direction of a VLAN of a Layer 3 switch (which can only be in this direction). When a data stream is routed from other VLANs to this VLAN, the data stream is not in the monitoring range.

For more articles you can follow us on:

error: Content is protected !!
× How can I help you?