The monitoring port receives copies of transmitted and received traffic for all monitored ports. In this architecture, a packet that is destined for multiple destinations is stored in memory until all copies are forwarded. If the monitoring port is 50 percent oversubscribed for a sustained period of time, the port likely becomes congested and holds part of the shared memory. There is a possibility that one or more of the ports that are monitored also experience a slowdown.
This diagram is a high-level overview of the path of a packet through the switch. The actual implementation is, in fact, much more complex. It is important to distinguish the data path, which corresponds to the real transfer of data within the switch, from the control path, where all the decisions are taken. When a packet enters the switch, a buffer is allocated in the Packet Buffer Memory (a shared memory). While the data is copied into shared memory, the control path determines where to switch the packet. In order to make this determination, a hash value is computed from this information:
This virtual path entry in the VPT holds several fields that relate to this particular flow. The fields include the destination ports.
The packet structure in the PDT is now updated with a reference to the virtual path and counter. In the example in this section, the packet is to be transmitted to two different ports, so the counter initializes to 2. Finally, the packet structure is added to the output queue of the two destination ports. From there, the data copies from the shared memory into the output buffer of the port, and the packet structure counter decrements. When it reaches 0, the shared memory buffer releases. With use of the SPAN feature, a packet must be sent to two different ports, as in the example in the Architecture Overview section.
The send of the packet to two ports is not an issue because the switching fabric is nonblocking. If the destination SPAN port is congested, packets are dropped in the output queue and are correctly released from the shared memory. Therefore, there is no impact on the switch operation.
Every line card in the switch starts to store this packet in internal buffers. EARL sends the result index to all the line cards via the result bus.
The knowledge of this index allows the line card to decide individually whether it should flush or transmit the packet as the line card receives the packet in its buffers. Whether one or several ports eventually transmit the packet has absolutely no influence on the switch operation. Therefore, when you consider this architecture, the SPAN feature has no impact on the performance. With these versions, only one SPAN session is possible. The session stays in the configuration, even when you disable SPAN.
With the issue of the set span enable command, a user reactivates the stored SPAN session. The action often occurs because of a typographical error, for example, if the user wants to enable STP.
Severe connectivity issues can result if the destination port is used to forward user traffic. Caution: This issue is still in the current implementation of the CatOS. Be very careful of the port that you choose as a SPAN destination.
When you configure a SPAN session to monitor the port, the destination interface shows the state down (monitoring), by design. The creation of a bridging loop typically occurs when the administrator tries to fake the RSPAN feature. Also, a configuration error can cause the problem. There are two core switches that are linked by a trunk.
In this instance, each switch has several servers, clients, or other bridges connected to it. The administrator creates a SPAN session that monitors the whole VLAN 1 on each core switch, and, to merge these two sessions, connects the destination port to the same hub or the same switch, with the use of another SPAN session. The administrator achieves the goal. A sniffer eventually captures the traffic. The only problem is that the traffic is also reinjected into core 2 through the destination SPAN port.
The reinjection of the traffic into core 2 creates a bridging loop in VLAN 1. Note: Because of the introduction of the inpkts (input packets) option on the CatOS, a SPAN destination port drops any incoming packet by default, which prevents this failure scenario.
Note: Even when the inpkts option prevents the loop, the configuration that this section shows can cause some problems in the network. Network problems can occur because of MAC address learning issues that are associated with learning enabled on the destination port. See these sections of this document for information about the performance impact for the specified Catalyst platforms:
If you try to configure SPAN in this situation, the switch tells you: On the Catalyst Series Switches, you can have only one assigned monitor port at any time. If you select another port as the monitor port, the previous monitor port is disabled, and the newly selected port becomes the monitor port. With this issue, the Virtual Private Network (VPN) module is inserted into the chassis, where a switch fabric module has already been inserted. Note: If you delete the session, the VPN service module drops the multicast traffic.
You cannot capture corrupted packets with SPAN because of the way that switches operate in general. When a packet goes through a switch, these events occur: If the switch receives a corrupted packet, the ingress port usually drops the packet. Therefore, you do not see the packet on the egress port. A switch is not completely transparent with regard to the capture of traffic.
Similarly, when you see a corrupted packet on your sniffer in the scenario in this section, you know that the errors were generated at step 3, on the egress segment. If you think that a device sends corrupted packets, you can choose to put the sending host and the sniffer device on a hub. The hub does not perform any error checks. Therefore, unlike the switch, the hub does not drop the packets.
In this way, you can view the packets. If you no longer need this, you should be able to enter the no monitor session service module command from within the config mode of CAT, and then immediately enter the new desired SPAN configuration.
A reflector port receives copies of sent and received traffic for all monitored source ports. If a reflector port is oversubscribed, it could become congested. This could affect traffic forwarding on one or more of the source ports. If the bandwidth of the reflector port is not sufficient for the traffic volume from the corresponding source ports, the excess packets are dropped.
A Gigabit port reflects at 1 Gbps. If you check for unused sessions with the show monitor command, session 1 is used: When a firewall blade is in the Catalyst chassis, this session is automatically installed for the support of hardware multicast replication because an FWSM cannot replicate multicast streams.
If multicast streams sourced behind the FWSM must be replicated at Layer 3 to multiple line cards, the automatic session copies the traffic to the supervisor through a fabric channel. You can use the no monitor session service module command in order to disable the SPAN reflector. Also, make sure that no Layer 3 device is present in the path from session source to session destination. Supervisor with PFC3A that has hardware version 3.
We have 4x1G Etherchannel on trunk and for troubleshooting I want to monitor one of its physical ports.
You can choose if you want to forward transmitted, received or both directions to the destination interface.
The configuration is pretty straightforward, so let me give you some examples. As you can see, by default it will copy traffic that is transmitted and received both to the destination port. If you only want to capture the traffic going in one direction you have to specify it like this: Just add rx or tx and you are ready to go. This filter above will only forward VLAN 1 — to the destination. I am unable to use session 1 for this because I am already using source interfaces for that session.
This is usually the point to which a network analyser is connected.
RSPAN explanation and configuration will be covered in another article. It can be monitored in multiple SPAN sessions. For EtherChannel sources, the monitored direction applies to all physical ports in the group.