Thursday, October 9, 2014

RSPAN on Dell PowerConnect N-Series switches

What is RSPAN?
What is SPAN?

 RSPAN means Remote Switched Port ANalyzer.  It is an extension of SPAN.  So to understand RSPAN (there's really not much to it), you need to understand what SPAN is and what it does.

SPAN is the same as port mirroring, but usually in reference to Cisco products.  Port mirroring allows you to copy (or mirror) traffic from a given port (or ports) to another port (or ports).  The ports that are being copied are called source ports.  The ports that are being copied to are called destination or target ports.  The traffic which is being copied from source ports to destination ports can be specified to be going in either direction.  If you don't specify a direction, it's usually both ingress and egress traffic being mirrored to the destination port.

Port mirroring is useful when it comes to diagnosing network problems.  By using port mirroring you can listen in on traffic in order to see what may be hosing a network.  You can always just do a normal Wireshark packet capture without using port mirroring, but then you're limited to listening only to the traffic that is destined to or flooded to the particular host running Wireshark.  Port mirroring allows your Wireshark client to capture traffic which may be destined to other devices, or which may be passing through ports that you're interested in.

Another very nice thing about port mirroring is that on some switches you can select the CPU as a source port.  This is useful if the switch has high CPU utilization and you want to know why.  In a healthy network, you shouldn't see too much traffic hitting the CPU because packet and frame matching should be handled by the switch ASICs.  Packets and frames are processed much more efficiently when they are handled by the switch ASICs.  So by doing CPU packet captures with a Wireshark client plugged into the destination port, it's sort of like a doctor with his stethoscope listening in on a patient's heart.  Except here, you're listening in on packets hitting the the switch CPU.

One caveat about the destination port is that, depending on the product, the device that is connected to the target port will not have access to network resources through that port.  It's solely a listening client.  It cannot participate.

What is RSPAN?

 RSPAN means Remote Switched Port ANalyzer.  It builds off of ordinary SPAN and tends to some of the limitations of SPAN.  It allows you to probe deeper into the network.

 What problems does RSPAN solve?

 RSPAN makes it so that your source and destination ports do not have to be on the same switch.  That's the limitation that RSPAN allows you to break through.  Take the following example.  If you have several IP phones connected to two switches uplinked to one another, and you want their voice streams copied to, say, a VoIP analyzer appliance on yet another switch, you have to use RSPAN.  RSPAN is made precisely for this type of application.


If you want to do this, you must use RSPAN
















RSPAN is able to do this by introducing the concept of an RSPAN VLAN.  This is a VLAN which is specifically for bridging mirrored traffic from source ports to destination ports across switches.

Here's how it works.  This example uses three switches, two with the source ports, and another with the destination ports.
  1. Create a VLAN the ordinary way.  This VLAN is going to be the RSPAN VLAN.  This needs to be done on both switches.

    en
    config
    vlan data
    vlan 997
    end
  2. Configure the VLAN to be the RSPAN VLAN.  This needs to be done on both switches.

    en
    config
    int vlan 997
    remote-span
    end
  3. Configure a monitor session on the switch with the source ports and designate one of its ports as a 'reflector' port.  Make sure that the reflector port is a trunk port which allows the RSPAN VLAN (switch mode trunk allows all VLANs by default).

    en
    config
    monitor session 1 source int gi1/0/1 both
    monitor session 1 destination remote vlan 997 reflector-port gi1/0/48
    monitor session 1 mode
    int gi1/0/48
    switch mode trunk
    end
  4. Configure a monitor session on the switch with the destination port or ports and specify the RSPAN VLAN.  Make sure the port on the other end of the source switch's reflector port is set to trunk mode which allows the RSPAN VLAN.

    en
    config
    monitor session 1 source remote vlan 997
    monitor session 1 destination interface gi1/0/20
    monitor session 1 mode
    int gi1/0/48
    switch mode trunk
    end
Bam.  That's it.  


Configuration example

 Examples are always good.  I see no particular reason to not use the same scenario as before.  Let's use some specific ports this time.



















Based on what we already know about how to configure RSPAN, let's consider how we might go through this scenario.

  1. Create the RSPAN VLAN.  This is going to be done on all three switches.

    en
    config
    vlan data
    vlan 997
    exit
    int vlan 997
    remote-span
    end
  2. Create the monitor sessions on the top two n3048 switches.  Configure the appropriate ports as source ports.  Configure a reflector port.  Make sure that the reflector port is set to trunk mode which allows the transit of the RSPAN VLAN.  This configuration will work for both of the n3048 switches.

    en
    config
    monitor session 1 source int gi1/0/1 both
    monitor session 1 source int gi1/0/2 both
    monitor session 1 source int gi1/0/3 both
    monitor session 1 source int gi1/0/11 both
    monitor session 1 source int gi1/0/12 both
    monitor session 1 source int gi1/0/13 both
    monitor session 1 destination remote vlan 997 reflector-port gi1/0/47
    monitor session 1 mode
    int gi1/0/47
    switch mode trunk
    end
  3. Create the monitor session on the bottom n2048 switch.  This is going to be the 'destination' switch, if you will (the switch with the destination port(s)).  Specify the RSPAN VLAN in the monitor session and the destination port.  Make sure that the port connecting to the source switch's reflector port is set to trunk mode which allows the transit of the RSPAN VLAN.

    en
    config
    monitor session 1 source remote vlan 997
    monitor session 1 destination interface gi1/0/1
    monitor session 1 mode
    int gi1/0/48
    switch mode trunk
    end
That's it!  E facile.
Posted by at

2 comments:

  1. gibsonherryAugust 16, 2017 at 10:30 PM

    It was really nice to read article written on this blog. I would also like to add few techniques with best of my knowledge which can help reader more and more.
    vCloud Suite 7 Enterprise

    ReplyDelete
  2. UnknownMay 31, 2019 at 11:33 AM

    This is great thanks. Now I have to complicate it, what if instead of switch-switch--switch--aggregator it's switch--router --vpn--router--switch--aggregator? How do you deal with that vpn in the middle?

    ReplyDelete

Subscribe to: Post Comments (Atom)