SPAN mirrors received or transmitted (or both) traffic on one or more source ports to a destination port for analysis.
A copy of the packets received or sent by the source interfaces is sent to the destination interface.
Prerequisites:
You need to understand how an optical tap works; here is some interesting information (ctto):
Link: https://community.fs.com/blog/do-you-know-about-optical-tap-test-access-point-cassettes.html
https://en.wikipedia.org/wiki/Network_tap#/media/File:Optical-tap-schema-wiki.gif
Setup:
Cisco Catalyst 4948
2 Routers connected via Optical Tap
Network Diagram:
Step 1: Physically connect the links as per the diagram above. Connect a UTP cable from the switch to the PC's Ethernet port.
Step 2: Configure 4948 Switch
Cisco 4948 Configuration:
4948#conf t
interface TenGigabitEthernet1/49
description 10GE Conn to Router1 (via optical tap)
switchport access vlan 100
switchport mode access
ip access-group dhcp-traffic in
load-interval 30
udld port disable
no cdp enable
no shutdown
!
interface TenGigabitEthernet1/50
description 10GE Conn to Switch1 (via optical tap)
switchport access vlan 200
switchport mode access
ip access-group dhcp-traffic in
udld port disable
no cdp enable
no shutdown
interface GigabitEthernet1/47
description GE Connection to RemoteServer
load-interval 30
spanning-tree bpdufilter enable
no shutdown
monitor session 15 source interface Te1/49 - 50
monitor session 15 destination interface Gi1/47
monitor session 15 filter packet-type good rx
monitor session 15 filter ip access-group dhcp-traffic
[Optional]
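If you want to filter the mirrored traffic by type, e.g. DHCP, you can configure an ACL and apply it to the interfaces and the monitor session accordingly. The ACL below permits DNS (domain) and DHCP (bootps/bootpc) traffic and denies everything else.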
ip access-list extended dhcp-traffic
permit udp any eq domain any
permit udp any any eq domain
permit udp any range bootps bootpc any range bootps bootpc
deny ip any any
Step 3: Verify the configuration and traffic. The destination port status should be "monitoring".
4948-Switch#show monitor session all
Session 15
----------
Type : Local Session
Source Ports :
Both : Te1/49-52
Destination Ports : Gi1/47
Encapsulation : Native
Ingress : Disabled
Learning : Disabled
Filter Pkt Type :
RX Only : Good
IP Access-group : dhcp-traffic
4948-Switch#show int gi1/47
GigabitEthernet1/47 is up, line protocol is down (monitoring)
Hardware is Gigabit Ethernet Port, address is 649e.f3ec.0b6e (bia 649e.f3ec.0b6e)
Description: GE Connection to RemoteServer
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, link type is auto, media type is 10/100/1000-TX
input flow-control is on, output flow-control is on
Auto-MDIX on (operational: on)
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 3059552617
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
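The Step 3 checks can be scripted against pasted switch output. This is an added example, not part of the original post: the function name check_span_destination and the sample text are constructed here, and it assumes a nonzero "Total output drops" on the destination means mirrored frames were lost (two 10GE sources feed a 1GE port).

```python
import re

# Constructed sample: lines trimmed from the Step 3 output format.
SAMPLE = """\
Session 15
Destination Ports : Gi1/47
GigabitEthernet1/47 is up, line protocol is down (monitoring)
  Last clearing of "show interface" counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 3059552617
  30 second output rate 0 bits/sec, 0 packets/sec
"""

def check_span_destination(text):
    """Summarise SPAN destination health from pasted 'show monitor session'
    plus 'show interface' output for that one destination port."""
    dest = re.search(r"Destination Ports\s*:\s*(\S+)", text)
    if not dest:
        raise ValueError("no 'Destination Ports' line found")
    port = dest.group(1)
    # Strip the abbreviated name (Gi, Te, ...) so the long form also matches.
    slot_port = re.escape(re.sub(r"^[A-Za-z]+", "", port))
    monitoring = bool(re.search(
        rf"^\s*[A-Za-z]+{slot_port} is \w+, line protocol is \w+ \(monitoring\)",
        text, re.M))
    drops = re.search(r"Total output drops:\s*(\d+)", text)
    rate = re.search(r"output rate (\d+) bits/sec", text)
    drops = int(drops.group(1)) if drops else None
    bps = int(rate.group(1)) if rate else None

    findings = []
    if not monitoring:
        findings.append(f"{port} is not in the (monitoring) state")
    if drops:
        # Cumulative since the last counter clear; clear and re-check to
        # see whether the capture is still losing frames.
        findings.append(f"{port} dropped {drops} output frames: capture incomplete")
    if bps == 0:
        findings.append(f"{port} is sending no mirrored traffic right now")
    return {"destination": port, "monitoring": monitoring,
            "output_drops": drops, "output_bps": bps, "findings": findings}

if __name__ == "__main__":
    for line in check_span_destination(SAMPLE)["findings"]:
        print("WARN:", line)
```
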
Step 4: Once you have confirmed there is traffic, open a packet analyzer such as "Wireshark" or "tcpdump" on the PC.