Sunday, December 31, 2017

Cisco CCNP:300-115 - 1.7.a SPAN, RSPAN

Recently I needed to renew my Cisco CCNPs, that is both CCNP Routing and Switching as well as CCNP Security. While working with Cisco products (well now they own SourceFire, so exclude these) is not within my daily duties, I still thought it was important for me to maintain these two credentials. As a result, I've put together my notes below focusing on the key points I used to study. I believe that someone else may find them useful.

      - SPAN
        - Supports a SPAN session entirely within one switch
        - All source ports, source VLANs and destination ports are part of the same switch
        - Copies traffic from one or more source ports or VLANs to a destination port for analysis
        - Sources can be ports or VLANs
        - Cannot mix source ports and source VLANs in the same session
        - Up to 2 source sessions (local and RSPAN sessions) supported
        - Can run both a local SPAN and an RSPAN source session in the same switch
        - Supports up to 66 source and RSPAN destination sessions
        - Can have up to 64 destination ports in a SPAN session
        - Can have two separate SPAN or RSPAN source sessions
        - Both switched and routed ports can be configured as SPAN sources and destinations
        - SPAN sessions can be configured on disabled ports
        - If configured on disabled ports, the session does not become active until a destination port and at least one source port or VLAN are enabled for that session
        - Combining SPAN and RSPAN in a single session is restricted as follows:
          - An RSPAN source session cannot have a local destination port
          - An RSPAN destination session cannot have a local source port
          - An RSPAN destination session and an RSPAN source session that use the same RSPAN VLAN cannot run on the same switch
        - Default configuration for local SPAN session ports is to send all packets untagged
        - SPAN does not typically monitor BPDU, CDP, VTP, DTP, STP, PAgP
        - Supports a max of 2 sessions (local or RSPAN)
        - You cannot mix ports and VLANs in a single session
        - Source ports can be monitored in multiple SPAN sessions
        - Each source port can be configured with a direction of ingress, egress or both to be monitored
        - Association of a destination port with a set of source ports or VLANs on a single switch
        - Can have multiple SPAN sessions in a switched network
        - SPAN sessions do not interfere with normal operations of the switch
        - SPAN can be enabled or disabled via CLI or SNMP
        - A SPAN or RSPAN destination or source session remains inactive until the destination port, source port or RSPAN VLAN becomes active
       
        - Destination Port
          - Also called the monitor port
          - If a configuration change is made to the port while it is acting as a SPAN destination, the change does not take effect until the SPAN destination configuration has been removed
          - If the destination port was in an EtherChannel group, it is removed from the group
          - If the destination port was a routed port, it is no longer a routed port
          - Can be an Ethernet physical port
          - It cannot be an EtherChannel group or VLAN
          - Can participate in only one SPAN session at a time
          - Does not participate in Layer 2 protocols such as STP, VTP, CDP, DTP, PAgP
          - A destination port which belongs to any source VLAN of any SPAN session is excluded from the source list and is not monitored
          - The destination port does not forward any traffic except that required for the SPAN session
          - By default an active destination port disables incoming traffic
          - If incoming traffic is enabled on the destination port, the traffic is switched in the native VLAN of the destination port
          - The destination port does not participate in spanning tree while the SPAN session is active
          - Only one destination port allowed per SPAN session
          - The same port cannot be a destination for multiple SPAN sessions
          - A destination port cannot be configured as a source port or a reflector port
          - EtherChannel ports cannot be SPAN destination ports
          - For multicast packets, only a single packet is sent to the SPAN destination. It does not reflect the number of times the multicast packet is sent
          - A private-VLAN port cannot be a SPAN destination port
          - A secure port cannot be a SPAN destination
          - Do not enable port security on ports with monitored egress when ingress forwarding is enabled on the destination port
          - For RSPAN source sessions, do not enable port security on any ports with monitored egress
          - An 802.1x port can be a SPAN source
          - While 802.1x can be configured on a SPAN destination, 802.1x is disabled until the port is removed as a SPAN destination
        
        - Source Port
          - Traffic can be categorized as ingress, egress or both
          - Can monitor one or more source ports in a single SPAN session
          - Source ports can be in any VLAN
          - VLANs can be sources. This means all ports in the specified VLANs are source ports for the SPAN session
          - Source ports are administrative or operational or both
          - Admin source ports are specified during SPAN session configuration
          - Operational source ports are monitored by destination ports
          - Operational sources are always active ports
          - If the port is not in the spanning tree it is not an operational source
          - All physical ports in an EtherChannel source are included in operational sources if the logical port is included in the spanning tree
          - A port can be in multiple active SPAN sessions
          - An active source port cannot be a destination or reflector port in a SPAN session
          - If a SPAN session is inactive, the "oper source" field does not update until the session becomes active
          - Both trunk and non-trunk ports can be used as source ports
          - Trunk settings on the destination port during the SPAN session determine the encapsulation of the packets that are forwarded by the destination port
          - Source ports can be EtherChannel, Fast Ethernet, Gigabit Ethernet, etc.
          - Traffic can be monitored on the entire EtherChannel or on specific ports as they participate in the channel
          - Can be an access port, trunk port, routed port or voice VLAN port
          - Source ports cannot also be destination ports
          - Source ports can be in the same or different VLANs

        - EtherChannel considerations
          - When an EtherChannel group is configured as a SPAN source, the entire group is monitored
          - If a port is added to or removed from the EtherChannel, it is automatically added to or removed from the SPAN source port list
          - A physical port that belongs to an EtherChannel group can be configured as a SPAN source port and still be part of the EtherChannel. In this case data from the physical interface is monitored as it participates in the EtherChannel
          - Physical interfaces which are part of an EtherChannel group and configured as a SPAN destination are removed from the group
          - When a destination port is removed from a SPAN session it rejoins the EtherChannel group it was part of
          - Ports removed from an EtherChannel group remain members of the group but are in the "inactive" or "suspended" state
          - If a physical destination interface is part of an EtherChannel group and that EtherChannel is a source, the port is removed from the EtherChannel group and from the list of monitored ports
       
        - Source VLANs
          - Monitoring of network traffic in one or more VLANs
          - Traffic is monitored on all ports for the VLAN
          - All active ports in the source VLAN are included as source ports
          - Ports can be monitored in both directions
          - Only traffic on the monitored VLAN is sent to the destination port
          - If the destination port belongs to a source VLAN, it is excluded from the source list and not monitored
          - For ports added to or removed from the VLAN, traffic is adjusted accordingly
          - Filter VLANs cannot be used in the same session with VLAN sources
          - Only Ethernet VLANs can be monitored
                      
        - Trunk VLAN Filtering
          - Applies only to trunk ports or to voice VLAN ports
          - Only allowed on port-based sessions and is not allowed in sessions with VLAN sources
          - Uses the filter keyword
          - Analysis of traffic on a specified set of VLANs on trunked source ports
          - Traffic is limited to the specified VLANs
          - Trunk VLAN filtering can be applied with source ports
          - VLAN filtering can be used with RSPAN
          - Use VLAN filtering only with trunk source ports
          - When a VLAN is cleared it is removed from the VLAN filter list
          - A SPAN session is disabled if the VLAN filter list becomes empty
          - Trunk VLAN filtering is not applicable to VSPAN (VLAN-based SPAN) sessions
          - Trunk VLAN filtering is available for local and RSPAN sessions
        - SPAN monitors all network traffic
        - RSPAN does not support monitoring of BPDU packets
       
      - RSPAN
        - Consists of at least one RSPAN source session, an RSPAN VLAN and at least one RSPAN destination session
        - Supports source ports, source VLANs and destination ports on different switches
        - Traffic is carried over a user-specified RSPAN VLAN in all participating switches
        - Destination is always a physical port
        - RSPAN strips off the VLAN tag and presents the packets on the destination port
        - Results in each monitored packet being transmitted twice: once as normal traffic and once as a monitored packet
        - All traffic in the RSPAN VLAN is always flooded
        - No MAC address learning occurs on the RSPAN VLAN
        - RSPAN VLAN traffic only flows on trunk ports
        - Uses the "remote-span" VLAN configuration mode
        - STP can run on RSPAN VLAN trunks but not on SPAN destination ports
        - If the RSPAN VLAN ID is in the extended VLAN range, it must be manually configured on all intermediate switches
        - Normal to have multiple RSPAN VLANs in a network at the same time
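The following IOS configuration is an added example (my own, not from the post or from the Cisco guides referenced below) tying the SPAN and RSPAN points above together: a local port-based session feeding a monitoring sensor, trimmed with the filter keyword, plus an RSPAN source session and a separate-switch RSPAN destination session sharing one remote-span VLAN. Interface names, VLAN IDs and session numbers are assumptions.

```cisco
! --- Switch A: local SPAN, port-based session with trunk VLAN filtering ---
! Mirror both directions of two trunk uplinks to the sensor on Gi0/24.
! The filter keyword is only legal on port-based sessions (no VLAN sources).
monitor session 1 source interface GigabitEthernet0/1 - 2 both
monitor session 1 filter vlan 10 , 20
! Local SPAN sends packets untagged by default; "encapsulation replicate"
! preserves the original 802.1Q tags so the sensor sees the VLAN of each frame.
monitor session 1 destination interface GigabitEthernet0/24 encapsulation replicate

! --- Every switch in the RSPAN path (A, intermediate, and B) ---
! The remote-span VLAN is always flooded and does no MAC learning, so it must
! exist on each hop and be allowed on the inter-switch trunks.
vlan 901
 name RSPAN-TO-SENSOR
 remote-span
interface GigabitEthernet0/48
 switchport mode trunk
 switchport trunk allowed vlan add 901

! --- Switch A: RSPAN source session (session 2) ---
! Ingress-only monitoring of an access port; destination is the RSPAN VLAN,
! never a local port (an RSPAN source session cannot have a local destination).
monitor session 2 source interface GigabitEthernet0/5 rx
monitor session 2 destination remote vlan 901

! --- Switch B: RSPAN destination session (session 3) ---
! Must live on a different switch than session 2 because both use VLAN 901.
! The tag is stripped and frames are handed to the physical sensor port.
monitor session 3 source remote vlan 901
monitor session 3 destination interface GigabitEthernet0/24

! --- Verification on either switch ---
! "Oper source" stays stale until the session is active (sources/destination up).
show monitor session 1
show monitor session all
show vlan remote-span
```

If the sensor port is also meant to manage the sensor, add the `ingress` option on the destination line; by default an active destination port drops incoming traffic.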



References:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swspan.html
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/span.html
