-
Catalyst 6500 Series Software Configuration Guide, 8.7
-
Catalyst 6500 Series Switch Software Configuration Guide (Full-book PDF)
-
Index
-
Preface
-
Product Overview
-
Command-Line Interfaces
-
Configuring the Switch IP Address and Default Gateway
-
Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching
-
Configuring Ethernet VLAN Trunks
-
Configuring EtherChannel
-
Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling
-
Configuring Spanning Tree
-
Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard
-
Configuring VTP
-
Configuring VLANs
-
Configuring InterVLAN Routing
-
Configuring CEF for PFC2/PFC3
-
Configuring MLS
-
Configuring Access Control
-
Configuring NDE
-
Configuring GVRP
-
Configuring MVRP
-
Configuring Dynamic Port VLAN Membership with VMPS
-
Checking Status and Connectivity
-
Configuring Online Diagnostics
-
Administering the Switch
-
Configuring Redundancy
-
Configuring NSF with SSO MSFC Redundancy
-
Modifying the Switch Boot Configuration
-
Working with the Flash File System
-
Working with System Software Images
-
Working with Configuration Files
-
Configuring System Message Logging
-
Configuring DNS
-
Configuring CDP
-
Configuring UDLD
-
Configuring DHCP Snooping and IP Source Guard
-
Configuring NTP
-
Configuring Broadcast Suppression
-
Configuring Layer 3 Protocol Filtering
-
Configuring the IP Permit List
-
Configuring Port Security
-
Configuring Switch Access Using AAA
-
Configuring 802.1x Authentication
-
Configuring MAC Authentication Bypass
-
Configuring Web-Based Proxy Authentication
-
Tracking Host Aging
-
Configuring Network Admission Control
-
Configuring Unicast Flood Blocking
-
Configuring SNMP
-
Configuring RMON
-
Configuring SPAN, RSPAN and the Mini Protocol Analyzer
-
Using Switch TopN Reports
-
Configuring Multicast Services
-
Configuring QoS
-
Configuring Automatic QoS
-
Configuring ASLB
-
Configuring the Switch Fabric Module
-
Configuring a VoIP Network
-
Configuring aCEF
-
Configuring MSFC IOS Features
-
Acronyms
-
Table Of Contents
Configuring SPAN, RSPAN and the Mini Protocol Analyzer
Understanding How SPAN and RSPAN Work
Understanding How the Mini Protocol Analyzer Works
Mini Protocol Analyzer Session
SPAN, RSPAN and Mini Protocol Analyzer Session Limits
Configuring SPAN on the Switch
Configuring RSPAN on the Switch
RSPAN Configuration Guidelines
Configuring a Single RSPAN Session
Modifying an Active RSPAN Session
Adding the RSPAN Source Ports in Intermediate Switches
Configuring Multiple RSPAN Sessions
Adding Multiple Network Analyzers to an RSPAN Session
Configuring the Mini Protocol Analyzer on the Switch
Mini Protocol Analyzer Hardware Requirements
Understanding How the Mini Protocol Analyzer Works
Mini Protocol Analyzer Configuration Guidelines
Configuring the Mini Protocol Analyzer from the CLI
Configuring SPAN, RSPAN and the Mini Protocol Analyzer
This chapter describes how to configure Switched Port Analyzer (SPAN), Remote SPAN (RSPAN), and the Mini Protocol Analyzer on the Catalyst 6500 series switches.
Note
For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
This chapter consists of these sections:
•
•
•
•
•
•
Note
Understanding How SPAN and RSPAN Work
These sections describe the concepts and terminology that are associated with SPAN and RSPAN configuration:
SPAN Session
A SPAN session is an association of destination ports with a set of source ports, configured with the parameters that specify the monitored network traffic. You can configure multiple SPAN sessions in a switched network. The SPAN sessions do not interfere with the normal operation of the switches. You can enable or disable the SPAN sessions with the command-line interface (CLI) or SNMP commands. When enabled, a SPAN session might become active or inactive based on various events or actions, and this would be indicated by a syslog message. The "Status" field in the show span and show rspan commands displays the operational status of a SPAN or RSPAN session.
A SPAN or RSPAN destination session remains inactive after system power up until the destination ports are operational. An RSPAN source session remains inactive until any of the source ports are operational or the RSPAN VLAN becomes active.
Destination Port
A destination port (also called a monitor port) is an access port where SPAN sends the packets for analysis. After a port becomes an active destination port, it does not forward any traffic except that required for the SPAN session. By default, an active destination port disables the incoming traffic (from the network to the switching bus), unless you specifically enable the port. If the incoming traffic is enabled for the destination port, it is switched in the native VLAN of the destination port. The destination port does not participate in spanning tree while the SPAN session is active. See the caution statement in the "Configuring SPAN from the CLI" section for information on how to prevent loops in your network topology.
Multiple destination ports can be specified in each local SPAN session but a destination port cannot be a destination port for multiple SPAN sessions. An access port that is configured as a destination port cannot be configured as a source port. EtherChannel ports cannot be SPAN destination ports.
If the trunking mode of a SPAN destination port is "on" or "nonegotiate" during the SPAN session configuration, the SPAN packets that are forwarded by the destination port have the encapsulation as specified by the trunk type; however, the destination port stops trunking, and the show trunk command reflects the trunking status for the port prior to the SPAN session configuration.
Source Port
A source port is an access port that is monitored for network traffic analysis. The traffic through the source ports can be categorized as ingress, egress, or both. You can monitor one or more source ports in a single SPAN session with the user-specified traffic types (ingress, egress, or both) applicable for all the source ports.
You can configure the source ports in any VLAN. You can configure the VLANs as the source ports (src_vlans), which means that all the ports in the specified VLANs are the source ports for the SPAN session.
The source ports are administrative (Admin Source), operational (Oper Source), or both. The administrative source ports are the source ports or the source VLANs that are specified during the SPAN session configuration. The operational source ports are the source ports that are monitored by the destination port. For example, when the source VLANs are used as the administrative source, the operational source is all the ports in all the specified VLANs.
The operational sources are always the active ports. If a port is not in the spanning tree, it is not an operational source. All physical ports in an EtherChannel source are included in the operational sources if the logical port is included in the spanning tree.
The destination port, if it belongs to any of the administrative source VLANs, is excluded from the operational source.
You can configure a port as a source port in multiple active SPAN sessions, but you cannot configure an active source port as a destination port for any SPAN session.
If a SPAN session is inactive, the "oper source" field is not updated until the session becomes active.
The trunk ports can be configured as the source ports and can be mixed with the nontrunk source ports; however, the encapsulation of the packets that are forwarded by the destination port are determined by the trunk settings of the destination port during the SPAN session configuration.
Ingress SPAN
Ingress SPAN copies the network traffic that is received by the source ports for analysis at the destination ports.
Egress SPAN
Egress SPAN copies the network traffic that is transmitted from the source ports for analysis at the destination ports.
VSPAN
VLAN-based SPAN (VSPAN) is analysis of the network traffic in one or more VLANs. You can configure VSPAN as ingress SPAN, egress SPAN, or both. All the ports in the source VLANs become the operational source ports for the VSPAN session. The destination ports, if they belong to any of the administrative source VLANs, are excluded from the operational source. If you add or remove the ports from the administrative source VLANs, the operational sources are modified accordingly.
Use the following guidelines for VSPAN sessions:
•
•
–
–
•
•
•
•
•
Trunk VLAN Filtering
Trunk VLAN filtering is analysis of network traffic on a selected set of VLANs on the trunk source ports. You can combine trunk VLAN filtering with the other source ports that belong to any of the selected VLANs, and you can also use trunk VLAN filtering for RSPAN. Based on the traffic type (ingress, egress, or both), SPAN sends a copy of the network traffic in the selected VLANs to the destination ports.
Use trunk VLAN filtering only with the trunk source ports. If you combine trunk VLAN filtering with the other source ports that belong to the VLANs that are not included in the selected list of filter VLANs, SPAN includes only the ports that belong to one or more of the selected VLANs in the operational sources.
When a VLAN is cleared, it is removed from the VLAN filter list. A SPAN session is disabled if the VLAN filter list becomes empty.
Trunk VLAN filtering is not applicable to the VSPAN sessions.
SPAN Traffic
All network traffic, including the multicast and bridge protocol data unit (BPDU) packets, can be monitored using SPAN (RSPAN does not support monitoring of BPDU packets or Layer 2 protocol packets such as CDP, DTP, and VTP). Multicast packet monitoring is enabled by default.
In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN destination ports. For example, a bidirectional (both ingress and egress) SPAN session is configured for sources a1 and a2 to a destination port d1. If a packet enters the switch through a1 and gets switched to a2, both the incoming and outgoing packets are sent to destination port d1. Both packets would be the same (if a Layer 3 rewrite occurs, the packets are different). For the RSPAN sessions with the sources that are distributed in multiple switches, the destination ports might forward multiple copies of the same packet.
Understanding How the Mini Protocol Analyzer Works
The Mini Protocol Analyzer copies network traffic from a source port (see the "Source Port" section for an explanation of a source port). A Mini Protocol Analyzer session differs from a SPAN session in that the copied source port traffic from a Mini Protocol Analyzer session travels over the switch backplane where it is written to an output file. By default, the output file is stored on the flash memory of the switch. No destination port is required for the Mini Protocol Analyzer.
Once the file is created, you open and view the file using the Ethereal Network Protocol Analyzer. The Ethereal Network Protocol Analyzer is open source software and is available from http://www.ethereal.com.
You specify a single port as the source port. The source port can be either an access port or a trunk port. You cannot specify a VLAN as a source port. The Mini Protocol Analyzer also captures double tagged frames on dot1qtunnel, PAgP and LACP channel ports.
The functional differences between the Mini Protocol Analyzer and SPAN are as follows:
•
•
•
Mini Protocol Analyzer Session
A Mini Protocol Analyzer session is an association of a source port with the output file to which the source port traffic is mirrored. You can filter the type of traffic that is monitored by the following criteria:
•
•
•
•
By default, all traffic is captured. If you specify any combination of source and destination filters, only the traffic that matches those source and destination filters will be captured. The source and destination filters are applied on a Boolean logical OR basis—if traffic meets any of the criteria specified in any of the filters, it will be captured.
If you specify a filter based on the packet size, the packets that are larger than the specified size are captured and truncated to the specified size. You can specify a maximum of 16 filters for a Mini Protocol Analyzer session. Enter the set packet-capture snap-length command to specify the length to which the packets are truncated. The packet length is not counted against the maximum number of filters.
You can specify the filtering criteria either before or after you begin the Mini Protocol Analyzer session. If you specify the filtering criteria before you start the Mini Protocol Analyzer session, only the traffic that meets the filtering criteria is captured and sent to the output file. You can also filter the captured traffic after the Mini Protocol Analyzer session completes by using the Filter function of the Ethereal Network Protocol Analyzer.
You enable or disable a Mini Protocol Analyzer session using CLI or SNMP commands.
A Mini Protocol Analyzer session becomes active when both of the following criteria are met:
•
•
SPAN, RSPAN and Mini Protocol Analyzer Session Limits
You can configure (and store in NVRAM) a maximum of 30 SPAN sessions or 29 SPAN sessions and (store in the Flash memory) one Mini Protocol Analyzer session in a Catalyst 6500 series switch.
See Table 48-1 for the supported combinations of SPAN, RSPAN, and Mini Protocol Analyzer sessions. You can configure multiple ports or VLANs as sources for each SPAN session, and you can configure a single source port for each Mini Protocol Analyzer session.
Table 48-1 SPAN RSPAN and Mini Protocol Analyzer Session Limits
rx or both SPAN sessions
21
tx SPAN sessions
4
Mini Protocol Analyzer sessions
1
tx, rx, or both RSPAN source sessions
12
RSPAN destinations
24
Total SPAN sessions
303
1 Each RSPAN source session or Mini Protocol Analyzer session reduces the limit for rx or both SPAN sessions by one.
2 Supervisor Engine 720 supports two RSPAN source sessions.
3 2 rx or both SPAN sessions + 4 tx SPAN sessions + 24 RSPAN destination sessions = 30 total SPAN sessions. A Mini Protocol Analyzer session counts as one rx or both SPAN session.
Configuring SPAN on the Switch
These sections describe how to configure SPAN:
•
•
SPAN Hardware Requirements
All Catalyst 6500 series switch supervisor engines support SPAN.
Understanding How SPAN Works
SPAN selects the network traffic for analysis by a network analyzer such as a SwitchProbe device or other Remote Monitoring (RMON) probe. SPAN mirrors the traffic from one or more source ports on any VLAN, from one or more VLANs, or from the sc0 console interface to the destination ports for analysis (see Figure 48-1). In Figure 48-1, all traffic on Ethernet port 5 (the source port) is mirrored to Ethernet port 10. A network analyzer on Ethernet port 10 receives all network traffic from Ethernet port 5 without being physically attached to it.
Figure 48-1 SPAN Configuration
For SPAN configuration, the source ports and the destination ports must be on the same switch.
SPAN does not affect the switching of network traffic on the source ports; a copy of the packets that are received or transmitted by the source ports is sent to the destination ports.
SPAN Configuration Guidelines
This section describes the guidelines for configuring SPAN:
•
•
•
•
•
•
•
•
•
•
•
•
Caution
In software release 8.4(1) and later releases, the create keyword has been removed from the set span command. When you enable a SPAN session without the create keyword, and another session is available, the first session is not overwritten.
Configuring SPAN from the CLI
To configure SPAN, you specify the source, the destination ports, the direction of the traffic through the source that you want to mirror to the destination ports, and if the destination port can receive the packets.
To configure a SPAN port, perform this task in privileged mode:
Caution
This example shows how to configure SPAN so that both the transmit and receive traffic from port 1/1 (the SPAN source) is mirrored on port 2/1 (the SPAN destination):
Console> (enable) set span 1/1 2/1Destination : Port 2/1Admin Source : Port 1/1Oper Source : Port 1/1Direction : transmit/receiveIncoming Packets: disabledLearning : enabledMulticast : enabledFilter : -This example shows how to set VLAN 522 as the SPAN source and port 2/1 as the SPAN destination:
Console> (enable) set span 522 2/1Destination : Port 2/1Admin Source : VLAN 522Oper Source : Port 3/1-2Direction : transmit/receiveIncoming Packets: disabledLearning : enabledMulticast : enabledFilter : -Console> (enable)This example shows how to set VLAN 522 as the SPAN source and port 2/12 as the SPAN destination. Only the transmit traffic is monitored. The normal incoming packets on the SPAN destination port are allowed.
Console> (enable) set span 522 2/12 tx inpkts enableDestination : Port 2/12Admin Source : VLAN 522Oper Source : Port 2/1-2Direction : transmitIncoming Packets: enabledLearning : enabledMulticast : enabledFilter : -Console> (enable)This example shows how to set port 3/2 as the SPAN source and port 2/2 as the SPAN destination:
Console> (enable) set span 3/2 2/2 tx createDestination : Port 2/1Admin Source : port 3/1Oper Source : Port 3/1Direction : transmit/receiveIncoming Packets: disabledDestination : Port 2/2Admin Source : port 3/2Oper Source : Port 3/2Direction : transmitIncoming Packets: disabledLearning : enabledMulticast : enabledFilter : -Console> (enable)To disable SPAN, perform this task in privileged mode:
This example shows how to disable SPAN on the switch:
Console> (enable) set span disable 2/1This command will disable your span session.Do you want to continue (y/n) [n]?yDisabled port 2/1 to monitor transmit traffic of VLAN 522Console> (enable)Configuring RSPAN on the Switch
These sections describe how to configure RSPAN:
•
•
RSPAN Hardware Requirements
The RSPAN supervisor engine requirements are as follows:
•
–
–
–
–
–
–
–
•
No third party or other Cisco switches can be placed in the end-to-end path for RSPAN traffic.
Understanding How RSPAN Works
Note
RSPAN has all the features of SPAN (see the "Understanding How SPAN Works" section), plus support for the source ports and the destination ports that are distributed across multiple switches, allowing remote monitoring of multiple switches across your network (see Figure 48-2).
The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches. The SPAN traffic from the sources, which cannot be in the RSPAN VLAN, is switched to the RSPAN VLAN and is forwarded to the destination ports that are configured in the RSPAN VLAN. The traffic type for the sources (ingress, egress, or both) in an RSPAN session can be different in the different source switches but is the same for all the sources in each source switch for each RSPAN session. Do not configure any ports in an RSPAN VLAN except those that are selected to carry the RSPAN traffic. Learning is disabled on the RSPAN VLAN.
Figure 48-2 RSPAN Configuration
RSPAN Configuration Guidelines
This section describes the guidelines for configuring RSPAN:
Tip
Tip
•
•
•
•
•
•
•
•
•
•
–
–
–
•
•
•
Configuring RSPAN
The first step in configuring an RSPAN session is to select an RSPAN VLAN for the RSPAN session that does not exist in any of the switches that will participate in RSPAN. With VTP enabled in the network, you can create the RSPAN VLAN in one switch and VTP propagates it to the other switches in the VTP domain.
Use VTP pruning to get an efficient flow of RSPAN traffic, or manually delete the RSPAN VLAN from all trunks that do not need to carry the RSPAN traffic.
Once the RSPAN VLAN is created, you configure the source and destination switches by entering the set rspan command.
To configure the RSPAN VLANs, perform this task in privileged mode:
Step 1
Configure the RSPAN VLANs.
set vlan vlan [rspan]
Step 2
Verify the RSPAN VLAN configuration.
show vlan
This example shows how to set VLAN 500 as an RSPAN VLAN and verify the configuration:
Console> (enable) set vlan 500 rspanvlan 500 configuration successfulConsole> (enable)Console> (enable) show vlan.display truncated.VLAN DynCreated RSPAN---- ---------- --------1 static disabled2 static disabled3 static disabled99 static disabled500 static enabledConsole> (enable)To configure the RSPAN source ports, perform this task in privileged mode:
This example shows how to specify ports 4/1 and 4/2 as the ingress source ports for RSPAN VLAN 500:
Console> (enable) set rspan source 4/1-2 500 rxRspan Type : SourceDestination : -Rspan Vlan : 500Admin Source : Port 4/1-2Oper Source : NoneDirection : receiveIncoming Packets: -Learning : -Multicast : enabledFilter : -Console> (enable)To configure the RSPAN source VLANs, perform this task in privileged mode:
This example shows how to specify VLAN 200 as a source VLAN for RSPAN VLAN 500 (selecting the optional rx keyword makes all the ports in the VLAN ingress ports):
Console> (enable) set rspan source 200 500 rxRspan Type : SourceDestination : -Rspan Vlan : 500Admin Source : VLAN 200Oper Source : NoneDirection : receiveIncoming Packets: -Learning : -Multicast : enabledFilter : -Console> (enable)To configure the RSPAN destination ports, perform this task in privileged mode:
Console> (enable) set rspan destination 3/1 500Rspan Type : DestinationDestination : Port 3/1Rspan Vlan : 500Admin Source : -Oper Source : -Direction : -Incoming Packets: disabledLearning : enabledMulticast : -Filter : -Console> (enable)To disable RSPAN, perform this task in privileged mode:
Disable RSPAN on the switch.
set rspan disable source [rspan_vlan | all]
set rspan disable destination [mod/port | all]
This example shows how to disable all the enabled source sessions:
Console> (enable) set rspan disable source allThis command will disable all remote span source session(s).Do you want to continue (y/n) [n]? yDisabled monitoring of all source(s) on the switch for remote span.Console> (enable)This example shows how to disable one source session by rspan_vlan number:
Console> (enable) set rspan disable source 903Disabled monitoring of all source(s) on the switch for rspan_vlan 903.Console> (enable)This example shows how to disable all the enabled destination sessions:
Console> (enable) set rspan disable destination allThis command will disable all remote span destination session(s).Do you want to continue (y/n) [n]? yDisabled monitoring of remote span traffic for all rspan destination ports.Console> (enable)This example shows how to disable one destination session by mod/port:
Console> (enable) set rspan disable destination 4/1Disabled monitoring of remote span traffic on port 4/1.Console> (enable)RSPAN Configuration Examples
These sections describe how to configure RSPAN:
•
•
•
•
•
Configuring a Single RSPAN Session
This example shows how to configure a single RSPAN session. Figure 48-3 shows an RSPAN configuration; see Table 48-2 for the commands to configure this RSPAN session. Table 48-2 assumes that you have already set up RSPAN VLAN 901 for this session on all the switches using the set vlan vlan rspan command. With VTP enabled in the network, you can create the RSPAN VLAN in one switch and VTP propagates it to the other switches in the VTP domain. Note that in the configuration example shown in Table 48-2, the RSPAN session may be disabled in Switch A or B or both without modifying the configuration in Switch C or Switch D.
Figure 48-3 Single RSPAN Session
Modifying an Active RSPAN Session
This example shows how to modify an active RSPAN session. Use Figure 48-3 for reference; see Table 48-3 for the commands to disable an RSPAN session and to add or remove the source ports from an RSPAN session.
Adding the RSPAN Source Ports in Intermediate Switches
This example shows how to add the RSPAN source ports in the intermediate switches. Figure 48-4 shows an RSPAN configuration; see Table 48-4 for the commands to configure this RSPAN session. Ports 2/1-2 in Switch C can be configured for the same RSPAN session.
Figure 48-4 Adding the RSPAN Source Ports in Intermediate Switches
Configuring Multiple RSPAN Sessions
This example shows how to configure multiple RSPAN sessions. Figure 48-5 shows an RSPAN configuration; see Table 48-5 for the configuration commands to configure this RSPAN session. This example is a typical scenario where the monitoring probes would be placed in the data center and the source ports in the access switches (other ports in any of the switches can also be configured for RSPAN). If there is no change in the route for the SPAN traffic, the destination switch and the intermediate switches need to be configured only once.
In Figure 48-5, two RSPAN sessions are used with RSPAN VLANs 901 (for probe 1) and 902 (for probe 2). The direction of traffic over trunks T1 through T6 is shown only for understanding; the direction of the trunks depends on the STP states of the trunks for the RSPAN VLAN(s). You need to configure the RSPAN VLANs in each of the switches for the RSPAN sessions. With VTP enabled in the network, you can create the RSPAN VLAN in one switch and VTP propagates it to the other switches in that VTP domain. With VTP disabled, create the RSPAN VLANs in each switch.
Figure 48-5 Configuring Multiple RSPAN Sessions
Adding Multiple Network Analyzers to an RSPAN Session
You can attach multiple network analyzers (probes) to the same RSPAN session. For example, in Figure 48-6, you can add probe 3 in Switch B to monitor RSPAN VLAN 901 using the set rspan destination 1/2 901 command. Similarly, you could add the source ports to Switch C.
Figure 48-6 Adding Multiple Probes to an RSPAN Session
Configuring the Mini Protocol Analyzer on the Switch
These sections describe how to configure the Mini Protocol Analyzer on the switch:
•
•
•
•
Mini Protocol Analyzer Hardware Requirements
Supervisor Engine 720 and Supervisor Engine 32 support the Mini Protocol Analyzer.
Understanding How the Mini Protocol Analyzer Works
A Mini Protocol Analyzer session mirrors the traffic from a single source port. The source port can be either an access port or a trunk port.
The Mini Protocol Analyzer does not affect the switching of network traffic on the source port. A copy of the packets that are received and transmitted by the source port is sent over the backplane where the copies are stored as a file in the Flash memory of the switch. The file can be stored in the following places:
•
•
When a Mini Protocol Analyzer session starts (when you enter the set packet-capture start command), the session monitors the source port traffic and stores it on the flash memory until one of the following conditions occur:
•
•
•
Mini Protocol Analyzer Configuration Guidelines
This section describes the guidelines for configuring the Mini Protocol Analyzer:
•
•
