Traffic capture
4.7.a i SPAN
Switched Port Analyzer
With SPAN, a source port is configured to be monitored and a destination port is configured to receive a copy of all monitored traffic. To read the data, a packet sniffer on a PC is needed.
“SPAN” CLI configuration commands:
## Configuring SPAN with a source interface
Switch(config)# monitor session <id> source interface <src-if>
Switch(config)# monitor session <id> destination interface <dst-if>
## Configuring SPAN with a source VLAN
Switch(config)# monitor session <id> source vlan <vlan-id>
Switch(config)# monitor session <id> destination interface <dst-if>
“SPAN” CLI show commands:
## Showing configured SPAN sessions
Switch# show monitor
4.7.a ii RSPAN
Remote Switched Port Analyzer
General information on “RSPAN”:
- RSPAN needs to be configured on both switches (source and destination)
- Allows mirrored frames to be sent over the trunk via a separate VLAN which only carries those mirrored frames
- VTP handles the RSPAN VLAN like any other VLAN
- MAC address learning is disabled for the RSPAN VLAN
- Source and destination ports must be configured on both switches (source and destination)
- All switches in between source and destination must have and carry the RSPAN VLAN along
“RSPAN” CLI configuration commands:
## Configuring an RSPAN VLAN
Switch(config)# vlan <vlan-id>
Switch(config-vlan)# remote-span
## Configuring RSPAN on source switch
Switch(config)# monitor session <id> source interface <src-if>
Switch(config)# monitor session <id> destination remote vlan <rspan-vlan>
## Configuring RSPAN on destination switch
Switch(config)# monitor session <id> source remote vlan <rspan-vlan>
Switch(config)# monitor session <id> destination interface <dst-if>
“RSPAN” CLI show commands:
## Showing configured RSPAN sessions
Switch# show monitor
4.7.a iii ERSPAN
Encapsulated Remote Switched Port Analyzer
General information about “ERSPAN”:
- Allows for SPAN over Layer 3
- Cisco proprietary feature only available on certain “high-end” switches (Catalyst 6500, Nexus, ASR)
- Instead of using a dedicated VLAN (= Layer 2), Routing (= Layer 3) is used
- Supported port types depend on the switch model
- Combines GRE (Generic Routing Encapsulation) with SPAN
- GRE tunnel is automatically created when configuring the ERSPAN session
- Both switches must be able to reach each other directly
- Usually the loopback interface of the devices (if available) is used as source/target
Configuration steps:
- Source:
  - Create monitor session
  - Set source interface and traffic direction
  - Configure destination settings
    - Set ERSPAN-ID
    - Set destination IP address
    - Set source IP address
  - Enable monitor session
- Destination:
  - Create monitor session
  - Set destination interface
  - Configure source settings
    - Set ERSPAN-ID
    - Set source IP address
  - Enable monitor session
Additional configuration parameters:
- The traffic source can also be a VLAN
- Precedence, DSCP, TTL and MTU can be set
- VRFs can be used
“ERSPAN” CLI configuration commands:
## Configuring ERSPAN on the source device
Switch(config)# monitor session <id> type erspan-source
Switch(config-mon-erspan-src)# source interface <if> [rx | tx | both]
Switch(config-mon-erspan-src)# destination
Switch(config-mon-erspan-src-dst)# erspan-id <id>
Switch(config-mon-erspan-src-dst)# ip address <dst-ip>
Switch(config-mon-erspan-src-dst)# origin ip address <src-ip>
Switch(config-mon-erspan-src-dst)# no shutdown
## Configuring ERSPAN on the destination device:
Switch(config)# monitor session <id> type erspan-destination
Switch(config-mon-erspan-dst)# destination interface <if>
Switch(config-mon-erspan-dst)# source
Switch(config-mon-erspan-dst-src)# erspan-id <id>
Switch(config-mon-erspan-dst-src)# ip address <src-ip>
Switch(config-mon-erspan-dst-src)# no shutdown
“ERSPAN” CLI show commands:
## Showing configured ERSPAN sessions
Switch# show monitor
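When the ERSPAN destination is a capture host rather than a switch, the analyst has to strip the GRE and ERSPAN headers before the mirrored frame can be inspected. The following is an added example, not part of the original notes: it decodes the GRE header and the 8-byte ERSPAN Type II header and recovers the `erspan-id` (session ID) and original VLAN. The header layout is taken from the published ERSPAN Type II encapsulation, not from this page; `parse_erspan`, `build_sample` and the sample bytes are hypothetical and constructed for illustration.

```python
import struct

GRE_PROTO_ERSPAN = 0x88BE   # GRE protocol type used by ERSPAN Type I/II


def parse_erspan(gre: bytes) -> dict:
    """Decode GRE + ERSPAN, starting at the GRE header (payload of IP protocol 47)."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", gre, 0)
    if flags & 0x0007 or proto != GRE_PROTO_ERSPAN:
        raise ValueError("not GRE version 0 carrying ERSPAN")
    off = 4
    off += 4 if flags & 0x8000 else 0       # optional checksum + reserved
    off += 4 if flags & 0x2000 else 0       # optional key
    if not flags & 0x1000:
        # No sequence number: ERSPAN Type I, mirrored frame follows GRE directly
        return {"type": 1, "seq": None, "session_id": None, "vlan": None,
                "truncated": None, "index": None, "frame": gre[off:]}
    if len(gre) < off + 12:
        raise ValueError("truncated sequence number or ERSPAN header")
    seq, word1, word2 = struct.unpack_from("!III", gre, off)
    if word1 >> 28 != 1:
        raise ValueError("unexpected ERSPAN version")
    return {
        "type": 2,
        "seq": seq,                            # gaps indicate lost mirrored packets
        "vlan": (word1 >> 16) & 0x0FFF,        # VLAN field of the ERSPAN header
        "truncated": bool((word1 >> 10) & 1),  # T bit: frame copy was truncated
        "session_id": word1 & 0x03FF,          # the configured erspan-id (10 bits)
        "index": word2 & 0xFFFFF,
        "frame": gre[off + 12:],               # the mirrored Ethernet frame
    }


def build_sample(session_id: int, vlan: int, seq: int, frame: bytes) -> bytes:
    """Constructed test input: GRE (S bit set) + ERSPAN Type II header + frame."""
    word1 = (1 << 28) | (vlan << 16) | session_id
    return struct.pack("!HHIII", 0x1000, GRE_PROTO_ERSPAN, seq, word1, 0) + frame


# Constructed mirrored frame: dst MAC, src MAC, EtherType IPv4, dummy payload
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x00" * 46
SAMPLE = build_sample(session_id=100, vlan=20, seq=7, frame=SAMPLE_FRAME)

if __name__ == "__main__":
    info = parse_erspan(SAMPLE)
    print(info["type"], info["session_id"], info["vlan"], info["seq"], len(info["frame"]))
```

Filtering on `session_id` lets one capture host separate several ERSPAN sessions that arrive on the same IP address.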
4.7.a iv Embedded Packet Capture
General information about “Embedded Packet Capture”:
- IOS-integrated packet capture facility
- Consumes CPU and memory during its operations
- Result can be exported by FTP, TFTP and to the local disk
- ACLs can be used to limit the traffic to capture
- Buffer is stored in the DRAM and will not persist through reloads
- Capture configuration is not stored in NVRAM and will not persist through reloads
- When exported to PCAP format, L2 information won’t be preserved
“Embedded Packet Capture” configuration steps:
- Create the capture buffer
- Define the capture point
- Associate the capture point with the capture buffer
- Start the capture point
- Optionally: Stop the capture point
“Embedded Packet Capture” CLI configuration commands:
## Configuring EPC capture buffer
Router# monitor capture buffer [BUF-NAME] size <size> max-size <max-size> [linear | circular]
Router# monitor capture buffer [BUF-NAME] filter access-list [ACL]
## Configuring EPC capture point
Router# monitor capture point ip [cef | process-switched] [POINT-NAME] <if> [in | out | both]
## Associating EPC capture point with EPC capture buffer
Router# monitor capture point associate [POINT-NAME] [BUF-NAME]
## Starting/stopping the EPC capture point
Router# monitor capture point start [POINT-NAME]
Router# monitor capture point stop [POINT-NAME]
## Exporting the EPC capture buffer
Router# monitor capture buffer [BUF-NAME] export [options]
## Deleting the EPC configuration
Router# no monitor capture buffer [BUF-NAME]
Router# no monitor capture point ip [cef | process-switched] [POINT-NAME] <if> [in | out | both]
“Embedded Packet Capture” CLI show commands:
## Showing EPC capture buffer in the console
Router# show monitor capture buffer [BUF-NAME] dump