by Edgar C Francis
Catalyst switches have a feature called SPAN (Switch Port Analyzer). SPAN directs all traffic from a source port or source VLAN to a single destination port; in other words, it copies all traffic from a source port or source VLAN to a destination interface. SPAN is sometimes referred to as session monitoring because of the commands used to configure it.
Switch Port Analyzer is useful for many applications, for a number of reasons:
SPAN is useful for data collection purposes, for example when you want to use Wireshark to capture the traffic of an interface connected to a workstation, server, phone, or anything else you want to sniff.
All traffic from a VoIP VLAN can be delivered to a single switch port so that you can record the calls in a VoIP network.
Another common use of this feature is to feed traffic to an intrusion detection or prevention system (IDS/IPS).
The source of a SPAN session can be one or more ports, or a VLAN. This gives great flexibility in monitoring traffic: transmitted traffic, received traffic, or both directions can be copied to the destination interface.
If the SPAN destination port is on the same switch as the source, we call this local SPAN. If the SPAN destination is on a different switch, we call this remote SPAN, or RSPAN.
In RSPAN, a dedicated VLAN must be configured across the entire switching path, from the source port or VLAN to the RSPAN destination port, to carry the traffic you are copying, so that it can travel from the source switch to the destination switch. This also requires that the RSPAN VLAN be allowed on every trunk in that path.
Restrictions of SPAN and RSPAN:
You can configure any kind of interface as the source (switch port, routed port, access port, trunk port, EtherChannel, etc.), but you cannot mix interfaces and VLANs as sources in one session.
Do not overload the destination interface by mirroring an entire VLAN to it.
When you configure an interface as the destination port, its previous configuration is overwritten. When you remove the SPAN configuration, the original configuration is restored.
The destination port does not participate in any Layer 2 protocol such as STP, CDP, VTP, or DTP.
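The local SPAN and RSPAN sessions described above, written out as an added Cisco IOS configuration example (not from the original article); the interface names, VLAN numbers and session numbers are placeholders chosen for illustration.

```cisco
! Local SPAN: mirror both directions of Gi1/0/1 to Gi1/0/24, where the
! analyzer (Wireshark host or IDS sensor) is attached.
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/24
!
! A VLAN source must go in its own session: interface and VLAN sources
! cannot be mixed in one session. "rx" copies only received traffic,
! which halves the load placed on the destination port.
monitor session 2 source vlan 100 rx
monitor session 2 destination interface GigabitEthernet1/0/23
!
! RSPAN: the RSPAN VLAN is created on every switch in the path and must
! be allowed on each trunk between the source and destination switches.
vlan 900
 name RSPAN-VLAN
 remote-span
!
! Source switch: copy Gi1/0/5 into the RSPAN VLAN.
monitor session 3 source interface GigabitEthernet1/0/5 both
monitor session 3 destination remote vlan 900
!
! Destination switch: pull the RSPAN VLAN out to the analyzer port.
monitor session 3 source remote vlan 900
monitor session 3 destination interface GigabitEthernet1/0/10
!
! Verify from exec mode (the destination ports no longer run STP, CDP,
! VTP or DTP, so expect them to disappear from those protocols' tables):
! show monitor session all
```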
NetFlow is a software feature set in Cisco IOS that is designed to provide network administrators with information about what is happening in the network. NetFlow is a protocol that monitors and analyzes network traffic flows. NetFlow has been included in Cisco IOS for a long time and has evolved through several versions (1, 5, and 9); the current version is 9, which is also called Cisco Flexible NetFlow.
Flexible NetFlow is an extension of traditional NetFlow: it is the advanced, next-generation NetFlow technology. Flexible NetFlow provides deep packet inspection using NBAR, so data from Layer 2 through Layer 7 can be analyzed.
We have three types of flow cache in Flexible NetFlow:
Normal cache
Permanent cache
Immediate cache
The Flexible NetFlow components are:
Records: a flow record is a set of predefined and user-defined key fields (such as source IP address, source port, destination IP address, and so on).
Flow monitors: this component is used to monitor network traffic. A flow monitor is applied to an interface; it includes a record, a cache, and optionally a flow exporter, and it collects information about flows.
Flow exporters: flow exporters export the cached flow information to a server running a NetFlow collector.
Flow samplers: this component is used to reduce the load on NetFlow-enabled devices. A sampler lets you specify what fraction of the traffic is sampled.
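The four Flexible NetFlow components wired together, as an added Cisco IOS configuration example (not from the original article); the component names, the collector address 10.1.1.100 and the interface are placeholders.

```cisco
! 1. Record: "match" fields are the key fields that identify a flow;
!    "collect" fields are accumulated per flow.
flow record REC-BASIC
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! 2. Exporter: send cached flows to the collector (placeholder address)
!    as NetFlow v9 over UDP.
flow exporter EXP-COLLECTOR
 destination 10.1.1.100
 source FastEthernet0/0
 transport udp 2055
 export-protocol netflow-v9
!
! 3. Sampler: inspect 1 packet in 100 to limit CPU load on the device.
sampler SAMP-1-100
 mode random 1 out-of 100
!
! 4. Monitor: ties record, cache and exporter together. A "normal" cache
!    ages entries out by timer (the other types are permanent and immediate).
flow monitor MON-BASIC
 record REC-BASIC
 exporter EXP-COLLECTOR
 cache type normal
 cache timeout active 60
 cache timeout inactive 15
!
! Apply the monitor, with the sampler, to ingress traffic on an interface.
interface FastEthernet0/0
 ip flow monitor MON-BASIC sampler SAMP-1-100 input
!
! Verify from exec mode:
! show flow monitor MON-BASIC cache
! show flow exporter EXP-COLLECTOR statistics
```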
IP SLA (Internet Protocol Service Level Agreement) is a great feature of the Cisco Internetwork Operating System (Cisco IOS). It is used to measure the ongoing behavior of the network. The measurement can be as simple as a ping that checks the round-trip time, or something more advanced like a VoIP RTP probe that measures delay and jitter and calculates a MOS score, which gives you an indication of what the voice quality will be.
IP SLA primarily acts as a tool that gathers data about a network. We configure IP SLA on a router; the router then sends packets, receives responses, and records whether a response was received, along with delay, jitter, packet loss, response time, and latency. We can combine IP SLA with static routes, policy-based routing, and routing protocols like OSPF or EIGRP.
Why do we need it, and how does it work?
As you can see from the topology above, we have a customer router connected to two ISPs over serial interfaces, and we have configured two default routes with different administrative distances (AD) so that if one ISP or link fails we can switch to the other ISP. Our customer router can now reach the server on the internet.
But this is not very reliable: as long as the interface is up and the next hop is reachable, the default route stays in the routing table. If ISP 1 has a connectivity issue and cannot reach that server on the internet, our router still sends all traffic to ISP 1. We don't want this to happen, and to prevent it we combine IP SLA with the default routes.
With IP SLA configured, the router checks end-to-end connectivity: IP SLA pings the server and expects a reply. If the ping fails, we switch over to ISP 2. This method is reliable.
We can also use other measurements (operations) besides ping and RTP:
TCP Connections
UDP
DNS
DHCP
HTTP
FTP
Let's look at the configuration of IP SLA. The lab steps are:
Configure the topology as per the diagram.
Assign the IP addresses as per our topology.
Assign IP 10.1.1.2 to PC-1 and 40.1.1.2 to PC-2.
Configure the default route from R-1 to ISP-1 as the primary.
Configure a default route from R-1 to ISP-2 as the backup link, using AD 12.
Configure static routes on the ISPs.
Verify the backup link between R-1 and the ISPs.
Configure IP SLA.
Make sure the backup works even when the link on the ISP side is down.
R1(config)#interface serial 2/0
R1(config-if)#ip address 1.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
*May 16 12:07:59.435: %LINK-3-UPDOWN: Interface Serial4/0, changed state to up
*May 16 12:08:00.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial4/0, changed state to up
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 10.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
*May 16 12:08:21.963: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*May 16 12:08:22.963: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config)#interface serial 2/1
R1(config-if)#ip address 3.1.1.2 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
*May 16 12:09:25.947: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/1, changed state to up
*May 16 12:11:27.531: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/1, changed state to up
R1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.1.1.1 YES manual up up
Serial2/0 1.1.1.1 YES manual up up
Serial2/1 3.1.1.2 YES manual up up
R2(config)#interface serial 2/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastEthernet 1/1
R2(config-if)#ip address 2.2.2.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet1/1 2.2.2.1 YES manual up up
Serial2/0 1.1.1.2 YES manual up up
R3(config)#interface serial 2/1
R3(config-if)#ip address 3.3.3.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface fastEthernet 1/0
R3(config-if)#ip address 4.1.1.2 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet1/0 4.1.1.2 YES manual up up
Serial2/1 3.3.3.1 YES manual up up
R4(config)#interface fastEthernet 1/0
R4(config-if)#ip address 4.1.1.1 255.0.0.0
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#interface fastEthernet 0/0
R4(config-if)#ip address 40.1.1.1 255.0.0.0
R4(config-if)#no shutdown
R4(config-if)#exit
R4#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 40.1.1.1 YES manual up up
FastEthernet1/0 4.1.1.1 YES manual up up
FastEthernet1/1 2.2.2.2 YES manual up up
(PC-1 and PC-2 address configuration: screenshots in the original)
R1(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.2
R1(config)#ip route 0.0.0.0 0.0.0.0 3.3.3.1 12
R2(config)#ip route 10.0.0.0 255.0.0.0 1.1.1.1
R2(config)#ip route 40.0.0.0 255.0.0.0 2.2.2.2
R3(config)#ip route 10.0.0.0 255.0.0.0 3.1.1.2
R3(config)#ip route 40.0.0.0 255.0.0.0 4.1.1.1
R4(config)#ip route 10.0.0.0 255.0.0.0 2.2.2.1
R4(config)#ip route 10.0.0.0 255.0.0.0 4.1.1.2
R4(config)#ip route 1.0.0.0 255.0.0.0 2.2.2.1
R4(config)#ip route 3.0.0.0 255.0.0.0 4.1.1.2
{Now ping 40.1.1.2 from PC-1.}
PC1> ping 40.1.1.2 -1
84 bytes from 40.1.1.2 icmp_seq=1 ttl=61 time=90.686 ms
84 bytes from 40.1.1.2 icmp_seq=2 ttl=61 time=91.024 ms
84 bytes from 40.1.1.2 icmp_seq=3 ttl=61 time=91.986 ms
84 bytes from 40.1.1.2 icmp_seq=4 ttl=61 time=91.668 ms
84 bytes from 40.1.1.2 icmp_seq=5 ttl=61 time=91.013 ms
PC1> ping 40.1.1.2 -3
Connect 7@40.1.1.2 seq=1 ttl=61 time=105.601 ms
SendData 7@40.1.1.2 seq=1 ttl=61 time=106.607 ms
Close 7@40.1.1.2 seq=1 ttl=61 time=121.265 ms
Connect 7@40.1.1.2 seq=2 ttl=61 time=92.187 ms
SendData 7@40.1.1.2 seq=2 ttl=61 time=90.703 ms
Close 7@40.1.1.2 seq=2 ttl=61 time=106.370 ms
Connect 7@40.1.1.2 seq=3 ttl=61 time=90.521 ms
SendData 7@40.1.1.2 seq=3 ttl=61 time=107.727 ms
Close 7@40.1.1.2 seq=3 ttl=61 time=120.897 ms
Connect 7@40.1.1.2 seq=4 ttl=61 time=75.339 ms
SendData 7@40.1.1.2 seq=4 ttl=61 time=106.885 ms
Close 7@40.1.1.2 seq=4 ttl=61 time=121.503 ms
Connect 7@40.1.1.2 seq=5 ttl=61 time=106.025 ms
SendData 7@40.1.1.2 seq=5 ttl=61 time=105.729 ms
Close 7@40.1.1.2 seq=5 ttl=61 time=122.395 ms
{From the above output, PC-1 can ping 40.1.1.2, the host somewhere on the internet. Now trace the route to 40.1.1.2 from router 1.}
R1#traceroute 40.1.1.2
Type escape sequence to abort.
Tracing the route to 40.1.1.2
1 1.1.1.2 16 msec 28 msec 32 msec
2 2.2.2.2 60 msec 68 msec 52 msec
3 40.1.1.2 76 msec 76 msec 84 msec
{As you can see, router 1 is using our primary interface Serial 2/0, because we made that route the primary.}
{Now shut down the ISP-1 interface Serial 2/0 to check whether the backup link is working.}
R2(config)#interface serial 2/0
R2(config-if)#shutdown
R2(config-if)#exit
*May 16 13:25:24.551: %LINK-5-CHANGED: Interface Serial2/0, changed state to administratively down
*May 16 13:25:25.551: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to down
{Now trace the route to 40.1.1.2 from router 1 again and make sure router 1 uses the backup link Serial 2/1 to reach 40.1.1.2.}
R1#traceroute 40.1.1.2
Type escape sequence to abort.
Tracing the route to 40.1.1.2
1 3.3.3.1 32 msec 28 msec 32 msec
2 4.1.1.1 44 msec 60 msec 72 msec
3 40.1.1.2 64 msec 76 msec 84 msec
{As you can see from the above output, router 1 uses the backup link Serial 2/1 when the primary link fails.}
{What will happen if the interface between ISP-1 and router 4 goes down? Will router 1 use the backup link or not? Let's verify it. First, bring up the interface we shut down.}
R2(config)#interface serial 2/0
R2(config-if)#no shutdown
R2(config-if)#exit
*May 16 13:33:07.427: %LINK-3-UPDOWN: Interface Serial2/0, changed state to up
*May 16 13:33:08.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R2(config)#interface fastEthernet 1/1
R2(config-if)#shutdown
R2(config-if)#exit
*May 16 14:04:05.183: %LINK-5-CHANGED: Interface FastEthernet1/1, changed state to administratively down
*May 16 14:04:06.183: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to down
R1#traceroute 40.1.1.1
Type escape sequence to abort.
Tracing the route to 40.1.1.1
1 1.1.1.2 20 msec 24 msec 36 msec
2 1.1.1.2 !H !H !H
R1#ping 40.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 40.1.1.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
R1#show run | include ip route
ip route 0.0.0.0 0.0.0.0 1.1.1.2
ip route 0.0.0.0 0.0.0.0 3.3.3.1 12
{As you can see, router 1 is not using the backup link: the default route is still in the routing table and still in use, even though the link on the ISP side is down. This is why we need IP SLA to track end-to-end reachability.}
(First, bring the link back up.)
R2(config)#interface fastEthernet 1/1
R2(config-if)#no shutdown
R2(config-if)#exit
*May 16 14:07:36.903: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up
*May 16 14:07:37.903: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
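The IP SLA tracked default route for R1 in the topology above, as an added example (not the article's own configuration). It uses the page's addresses; the probe target 2.2.2.2 (R4's interface toward ISP-1), the timers and the track number are choices made here, for the reason given in the comments.

```cisco
! 1. Probe: ICMP echo every 5 s toward a host that is only reachable
!    through ISP-1. 2.2.2.2 is R4's interface facing ISP-1, so the probe
!    fails both when the R1-R2 serial link is down and when the R2-R4
!    link is down (the case the plain floating static could not detect).
ip sla 1
 icmp-echo 2.2.2.2 source-interface Serial2/0
 frequency 5
 timeout 1000
 threshold 500
ip sla schedule 1 life forever start-time now
!
! 2. Pin the probe to ISP-1 with a host route. Probing 40.1.1.2 directly
!    would succeed again through ISP-2 after failover and flap the route.
ip route 2.2.2.2 255.255.255.255 1.1.1.2
!
! 3. Track object: up while echoes are answered. The delays dampen short
!    outages so a single lost echo does not flip the default route.
track 1 ip sla 1 reachability
 delay down 10 up 20
!
! 4. Tie the primary default route to the track; the AD 12 backup stays
!    a floating static and is installed only while track 1 is down.
no ip route 0.0.0.0 0.0.0.0 1.1.1.2
ip route 0.0.0.0 0.0.0.0 1.1.1.2 track 1
ip route 0.0.0.0 0.0.0.0 3.3.3.1 12
!
! Verify from exec mode, then repeat the R2 FastEthernet1/1 shutdown test:
! show ip sla statistics 1
! show track 1
! show ip route static
```

With this in place, shutting down R2's FastEthernet1/1 takes track 1 down after the configured delay, the tracked default route is withdrawn, and the AD 12 route via 3.3.3.1 is installed.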