ads

SPAN










The SPAN feature was introduced on switches because of the  differences that switches have with hubs. When a hub receives a packet on one port, the hub sends out a copy of that packet on all ports except on the one where the hub received the packet.

After a switch boots, it starts to build up a Layer 2 forwarding table on the basis of the source MAC address of the different packets that the switch receives.

 After this forwarding table is built, the switch forwards traffic that is destined for a MAC address directly to the corresponding port.

For example, using a hub ,if you want to capture Ethernet traffic that is sent by host A to host B, and both are connected to a hub, just attach a sniffer to this hub. All other ports see the traffic between hosts A and B:

On a switch, after the host B MAC address is learned, unicast traffic from A to B is only forwarded to the B port. Therefore, the sniffer does not see this traffic:

In this configuration, the sniffer only captures traffic that is flooded to all ports, such as:
  • Broadcast traffic
  • Multicast traffic with CGMP or Internet Group Management Protocol (IGMP) snooping disabled
  • Unknown unicast traffic
Unicast flooding occurs when the switch does not have the destination MAC in its content-addressable memory (CAM) table. The switch does not know where to send the traffic. The switch floods the packets to all the ports in the destination VLAN.

An extra feature is necessary that artificially copies Unicast packets that host A sends to the sniffer port:

In this diagram, the sniffer is attached to a port that is configured to receive a copy of every packet that host A sends.
This port is called a SPAN port.

Withe the Span enable we can make a copy of the traffic , and send another copy to the span destination port.


So we will have something similar in our real environment with 3550 switches :





SPAN Terminology

  • Ingress traffic-Traffic that enters the switch.
  • Egress traffic-Traffic that leaves the switch.
  • Source Port (SPAN)-A port that is monitored with use of the SPAN feature.
  • Source VLAN (SPAN) -A VLAN whose traffic is monitored with use of the SPAN feature.
  • Destination (SPAN) port -A port that monitors source ports, usually where a network analyzer is connected.
  • Reflector Port -A port that copies packets onto an RSPAN VLAN.
  • Monitor port-A monitor port is also a destination SPAN port in Catalyst 2900XL/3500XL/2950 terminology.

  • Local SPAN-The SPAN feature is local when the monitored ports are all located on the same switch as the destination port. This feature is in contrast to Remote SPAN (RSPAN), which this list also defines.
  • Remote SPAN (RSPAN)-Some source ports are not located on the same switch as the destination port. RSPAN is an advanced feature that requires a special VLAN to carry the traffic that is monitored by SPAN between switches. RSPAN is not supported on all switches. Check the respective release notes or configuration guide to see if you can use RSPAN on the switch that you deploy.

  • Port-based SPAN (PSPAN)-The user specifies one or several source ports on the switch and one destination port.
  • VLAN-based SPAN (VSPAN)-On a particular switch, the user can choose to monitor all the ports that belong to a particular VLAN in a single command.
  • ESPAN-This means enhanced SPAN version. This term has been used several times during the evolution of the SPAN in order to name additional features. Therefore, the term is not very clear. Use of this term is avoided in this document.
  • Administrative source-A list of source ports or VLANs that have been configured to be monitored.
  • Operational source-A list of ports that are effectively monitored. This list of ports can be different from the administrative source. For example, a port that is in shutdown mode can appear in the administrative source, but is not effectively monitored.

 This is what we have on the other switch:





This is our physical configuration




This is our configuration on the second switch




Now we are finally back to the original switch




SPAN SPAN Reviewed by ohhhvictor on 3:49:00 PM Rating: 5

No comments:

 photo imagen120.jpg
Theme images by 5ugarless. Powered by Blogger.