
Useful tools for capturing traffic on Catalyst 9000 switches

Routing and Switching
Camilo Hernández Díaz - TAC - Technical Leader
Gerardo Trejo Ortega - TAC - Escalation Engineer

Tuesday, May 16, 2023


Connect, Interact, Collaborate!

Solutions
Accept the correct solutions and congratulate those who helped you! The discussion forums have many posts, not all of which have a correct or valid answer.
Help other users find the correct answers in the community search engine by marking the question as resolved with the "Accept as Solution" option.

Spotlight Awards
New winners every month! Stand out for your effort and commitment to improving the community and helping other members. The Spotlight Awards are given monthly to recognize the most outstanding members.
Now you can also nominate a candidate! Click here

Thanks
Highlight the effort of other members!
Helpful votes motivate the members who collaborate in the community to keep helping us answer open questions, give them the chance to win prizes, and are a valuable token of our appreciation!

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Camilo Hernández, Technical Leader
Camilo is a Cisco TAC Technical Leader for Enterprise Switching. He has nine years of experience with the Cisco Catalyst Switching portfolio, Layer 2 design, and troubleshooting on Cisco IOS/IOS XE platforms.
Camilo holds a degree in Electronics Engineering from his home country, Colombia. He currently lives in Mexico City.

Gerardo Trejo, Escalation Engineer
Gerardo is a Communications and Electronics Engineer from ESIME Culhuacán at the Instituto Politécnico Nacional (IPN). He joined Cisco in 2016 as part of the first generation of the incubator program.
He is currently an Escalation Engineer in the Cisco TAC for Enterprise Switching. He has worked with the Catalyst 9000 switch portfolio and has more than six years of experience troubleshooting Cisco IOS/IOS XE switches.

Connect!
www.slido.com
Event #4491746
Passcode: kvv9pw
https://app.sli.do/event/iGL5tc3CXWUr3oJTFJaHRG

Download the presentation
https://bit.ly/CL2doc-may23

Agenda
1. Embedded Packet Captures (EPCs)
• Embedded Wireshark
• How to configure, verify and display information from EPCs
• Platform considerations

2. Switched Port Analyzer (SPAN)
• SPAN/flow-based SPAN (FSPAN) configuration and verification
• SPAN considerations

3. Remote SPAN (RSPAN)
• RSPAN configuration and verification
• RSPAN best practices and considerations

4. Encapsulation Remote SPAN (ERSPAN)
• ERSPAN configuration and verification
• ERSPAN best practices and considerations

Polling Question #1

Which packet capture tool have you used?

A. EPC
B. SPAN
C. RSPAN
D. ERSPAN
E. All of the above
F. None

Scan the QR code or go to Slido.com
Event #4491746 Passcode: kvv9pw
https://app.sli.do/event/iGL5tc3CXWUr3oJTFJaHRG

1. Embedded Packet Captures

Embedded Wireshark
• Referred to as Embedded Wireshark (EWS) or Embedded Packet Capture (EPC).

• Locally hosted capture tool (Wireshark) available on IOS-XE only. It runs as a separate CPU process from IOSd.

• It captures traffic by using an ACL with a "log" entry: a copy of the matching traffic is sent to the CPU.

• Traffic is rate-limited to 1000 pps by default, to protect the CPU.

• Fastest and easiest capture tool, but its reliability is sometimes compromised. We will see why...

EPC Configuration
• Can be configured for any interface, VLAN or control-plane. ACLs can be used to match the
interesting traffic:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip access-list extended TAC
Switch(config-ext-nacl)# permit icmp host 192.168.0.1 any
Switch(config-ext-nacl)# end

Switch# monitor capture TAC interface Te1/0/1 {in|out|both} buffer circular size 100
Switch# monitor capture TAC access-list TAC

Switch# monitor capture TAC start


. . .
Switch# monitor capture TAC stop
Switch# monitor capture TAC export location flash:TAC.pcap

• Packets can be matched by IPv4/IPv6 address, or by MAC address for non-IP packets. A match-any option that captures all packets also exists:
Switch# monitor capture TAC interface Te1/0/1 {in|out|both} buffer circular size 100
Switch# monitor capture TAC match {ipv4|ipv6|mac} host x.x.x.x host x.x.x.x

• Packets can be stored in local buffer, or directly into flash directory.


Switch# monitor capture TAC interface Te1/0/1 {in|out|both} match any file location flash:TAC.pcap

Verify EPC settings
• EPC configuration:
Switch# show monitor capture TAC para
monitor capture TAC interface TenGigabitEthernet1/0/1 IN
monitor capture TAC access-list TAC
monitor capture TAC buffer size 100 circular
monitor capture TAC limit pps 1000

• EPC status:
Switch# show monitor capture TAC
Status Information for Capture TAC
Target Type:
Interface: TenGigabitEthernet1/0/1, Direction: IN
Status : Active
Filter Details:
Access-list: TAC
Buffer Details:
Buffer Type: CIRCULAR
Buffer Size (in MB): 100
File Details:
File not associated
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 0 (no limit)
Packet Size to capture: 0 (no limit)
Maximum number of packets to capture per second: 1000
Packet sampling rate: 0 (no sampling)

Displaying packets from EPC
• Packets in local buffers can be displayed in CLI:
Switch# show monitor capture TAC buffer brief
1 0.000000 192.168.0.1 -> 192.168.0.2 ICMP 114 Echo (ping) request id=0x0000, seq=0/0, ttl=254
2 0.002144 192.168.0.1 -> 192.168.0.2 ICMP 114 Echo (ping) request id=0x0000, seq=1/256, ttl=254
3 0.002245 192.168.0.1 -> 192.168.0.2 ICMP 114 Echo (ping) request id=0x0000, seq=2/512, ttl=254
4 0.003370 192.168.0.1 -> 192.168.0.2 ICMP 114 Echo (ping) request id=0x0000, seq=3/768, ttl=254
5 0.003423 192.168.0.1 -> 192.168.0.2 ICMP 114 Echo (ping) request id=0x0000, seq=4/1024, ttl=254

• But we can also display existing .pcap files (exported, saved to flash by EPC, or even transferred to the switch):
Switch# show monitor capture file flash:TAC.pcap

• Display filters can be configured to further reduce the packets to be inspected. Internal fields can
also be checked:
Switch# show monitor capture TAC buffer display-filter "icmp.seq eq 2" detailed
Frame 3: 114 bytes on wire (912 bits), 114 bytes captured (912 bits) on interface 0
Ethernet II, Src: 00:be:75:8d:69:d8 (00:be:75:8d:69:d8), Dst: ca:fe:ca:fe:ca:fe (ca:fe:ca:fe:ca:fe)
Internet Protocol Version 4, Src: 192.168.0.1, Dst: 192.168.0.2
Internet Control Message Protocol
Sequence number (BE): 2 (0x0002)

Reference: https://wiki.wireshark.org/DisplayFilters

Additional platform limitations for EPC

• Traffic can also be dropped by rate-limiters, so filtering is important:


Switch# monitor capture TAC stop
Capture statistics collected at software:
Packets received - 1637813
Bytes dropped in asic – 7265104

• Egress EPC occurs before all rewrite actions happen. Don’t trust fields on egress EPCs, such as:
o MPLS labels
o Dot1Q tags
o SRC and DST MACs
o TTL
o DSCP markings
o MACSec encapsulation (also applies for Ingress EPC).

But why?
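As an added example (not from the deck, and not Cisco code), the Python check below parses the two outputs shown on these slides, the EPC parameters and the counters printed by "monitor capture TAC stop", and reports the reliability caveats a TAC engineer would want to know before trusting the pcap: bytes dropped in the ASIC, a capture with no narrowing filter, and the 1000 pps rate limit. The sample outputs are constructed from the values on the slides; the finding wording is my own.

```python
import re

DEFAULT_PPS_LIMIT = 1000  # EPC default rate limit, as stated in the deck (CPU protection)


def parse_epc_parameters(text: str) -> dict:
    """Parse 'show monitor capture <name> parameter' output into a small config dict."""
    cfg = {"interfaces": [], "filter": None, "pps_limit": DEFAULT_PPS_LIMIT}
    for line in text.splitlines():
        m = re.match(r"\s*monitor capture \S+ (.+)", line)
        if not m:
            continue
        rest = m.group(1).strip()
        if rest.startswith("interface "):
            cfg["interfaces"].append(rest.split()[1:])   # e.g. ['TenGigabitEthernet1/0/1', 'IN']
        elif rest.startswith(("access-list ", "match ")):
            cfg["filter"] = rest                           # ACL or match clause that narrows the CPU copy
        elif (p := re.match(r"limit pps (\d+)", rest)):
            cfg["pps_limit"] = int(p.group(1))
    return cfg


def parse_epc_stop(text: str) -> dict:
    """Parse the counters printed by 'monitor capture <name> stop'."""
    stats = {}
    for key, label in (("packets_received", "Packets received"),
                       ("bytes_dropped_asic", "Bytes dropped in asic")):
        # the CLI prints a plain hyphen; PDF exports of the slide show an en dash
        m = re.search(label + r"\s*[-\u2013]\s*(\d+)", text)
        stats[key] = int(m.group(1)) if m else 0
    return stats


def audit_epc(cfg: dict, stats: dict) -> list:
    """Findings to review before trusting an EPC pcap as a complete record of the traffic."""
    findings = []
    if stats["bytes_dropped_asic"] > 0:
        findings.append(f"{stats['bytes_dropped_asic']} bytes dropped in asic: the capture is incomplete")
    if cfg["filter"] is None or cfg["filter"] == "match any":
        findings.append("no narrowing filter: all traffic competes for the rate-limited CPU copy")
    if cfg["pps_limit"] <= DEFAULT_PPS_LIMIT:
        findings.append(f"rate limit {cfg['pps_limit']} pps: bursts above it are not captured")
    return findings


# Constructed sample outputs, using the values shown on the slides.
PARAMS = """monitor capture TAC interface TenGigabitEthernet1/0/1 IN
monitor capture TAC access-list TAC
monitor capture TAC buffer size 100 circular
monitor capture TAC limit pps 1000"""
STOP = """Capture statistics collected at software:
Packets received - 1637813
Bytes dropped in asic - 7265104"""

if __name__ == "__main__":
    for finding in audit_epc(parse_epc_parameters(PARAMS), parse_epc_stop(STOP)):
        print("-", finding)
```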

Additional platform limitations for EPC

[Figure: forwarding pipeline diagram with labels, in order: "Embedded captures happen here", "ASICs and TCAMs", "Packet fields modification occurs here", "Port Lists", "MACsec encryption".]

2. Switchport Analyzer

Polling Question #2

When you have used SPAN, has it helped you solve a problem?

A. Latency / TCP/UDP analysis
B. Output drops / congestion
C. Random packet loss
D. Other kinds of problems

Scan the QR code or go to Slido.com
Event #4491746 Passcode: kvv9pw
https://app.sli.do/event/iGL5tc3CXWUr3oJTFJaHRG

Switchport Analyzer
• SPAN is a "mirroring" tool: traffic to be captured on a port is copied and redirected out of another port.

• SPAN mirroring is achieved by modifying the destination port list to include the additional ports.

• In that sense, SPAN can be considered more reliable than EPC.

• SPAN captures are not rate-limited on their own, but traffic mirroring is subject to the hardware limits of the interfaces:
• If we are mirroring traffic received on a 10 Gbps port out of a 1 Gbps port, traffic loss (output drops) is to be expected.

• ACL/VLAN filtering is also supported - called Filtered SPAN (FSPAN).

SPAN Configuration
• SPAN can be configured to capture on any physical interface, port-channel or L2 VLAN (SPAN source). The SPAN destination can be one or many physical interfaces; EtherChannels or any other logical interfaces cannot be a SPAN destination.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# monitor session 1 source interface Te1/0/1 {rx|tx|both}
Switch(config)# monitor session 1 filter ip access-group TAC
Switch(config)# monitor session 1 destination interface Te1/0/2

• A PC with Wireshark can then be connected to the SPAN destination port, and captures can be started to sniff the traffic. This PC will not be able to connect to the network, as the interface will be logically down:
Switch# show interface Te1/0/2
TenGigabitEthernet1/0/2 is up, line protocol is down (monitoring)

• Network access can be granted to the PC by configuring an ingress VLAN:
Switch(config)# monitor session 1 destination interface Te1/0/2 ingress vlan 10

Verifying SPAN Configuration
• SPAN configuration can be easily checked:
Switch# show monitor session 1
Session 1
---------
Type : Local Session
Source Ports :
RX Only : Te1/0/1
Destination Ports : Te1/0/2
Encapsulation : Native
Ingress : Enabled, default VLAN = 10
Ingress encap : Untagged
IP Access-group : TAC

• Additional commands to check SPAN at the platform level:
show monitor session 1 debug
show platform software swspan switch active R0 {source|destination} sess-id 0
show platform software swspan switch active F0 {source|destination} sess-id 0
show platform software fed switch active monitor 0
show platform hardware fed switch active qos replication stats asic all

Additional SPAN considerations
• By default, SPAN captures all IPv4 and IPv6 packets, as well as well-known L2 frames such as ARP.
• L2 control-plane packets, such as CDP, LLDP, LACP, PAgP and STP BPDUs, might not be captured with the default encapsulation (native).
• Dot1Q tags, and egress port-level changes such as QinQ encapsulation and VLAN mapping, are also not reflected on SPAN by default. This can be changed by setting the encapsulation to replicate:
Switch(config)# monitor session 1 destination interface Te1/0/2 encapsulation replicate

• Traffic will then be mirrored as-is to the SPAN destination port. The PC must be able to read Dot1Q tags; otherwise, the traffic can be dropped by the PC NIC.
Reference: https://wiki.wireshark.org/CaptureSetup/VLAN

Additional platform limitations for EPC

[Figure: forwarding pipeline diagram with labels, in order: "Embedded captures happen here", "ASICs and TCAMs", "Packet fields modification occurs here", "SPAN captures happen here", "Port Lists", "MACsec encryption".]

Polling Question #3

Have you ever used RSPAN or ERSPAN?

A. Yes
B. No
C. I did not know about them

Scan the QR code or go to Slido.com
Event #4491746 Passcode: kvv9pw
https://app.sli.do/event/iGL5tc3CXWUr3oJTFJaHRG

3. Remote SPAN

Remote SPAN
• RSPAN mirroring is used when the SPAN source and destination port cannot be on the same switch (local).

• RSPAN itself is not a mirroring feature; it relies on the RSPAN VLAN to replicate the traffic through the trunks of an L2 network.

• The RSPAN VLAN has some special considerations: MAC learning is disabled on this VLAN, and access ports in the RSPAN VLAN are put in the inactive state.

• RSPAN requires additional planning and configuration across different switches. Bad RSPAN configuration or planning can lead to bandwidth problems, L2 loops, etc.

• For the complete list of considerations and configuration guidelines, please refer to the Catalyst 9000 Series switch configuration guide.

Topology
[Figure: RSPAN lab topology diagram.]
RSPAN Configuration
• RSPAN requires configuration on the source switch, the destination switch and the intermediate switches.
RSPAN Source configuration
RSPANSOURCE(config)# vlan 100
RSPANSOURCE(config-vlan)# remote-span
RSPANSOURCE(config)# monitor session 1 source interface Gig1/0/1 {rx|tx|both}
RSPANSOURCE(config)# monitor session 1 filter ip access-group TAC
RSPANSOURCE(config)# monitor session 1 destination remote vlan 100

Intermediate switches' configuration
RSPANSMID(config)# vlan 100
RSPANSMID(config-vlan)# remote-span

RSPAN Destination configuration
RSPANSDEST(config)# vlan 100
RSPANSDEST(config-vlan)# remote-span
RSPANSDEST(config)# monitor session 1 source remote vlan 100
RSPANSDEST(config)# monitor session 1 destination interface Gig1/0/2

RSPAN Verification
• The verification and platform commands used for SPAN are the same ones required for RSPAN.
Source:
RSPANSOURCE# show monitor session 1
Session 1
---------
Type : Remote Source Session
Source Ports :
Both : Gi1/0/1
Dest RSPAN VLAN : 100
IP Access-group : TAC

Destination:
RSPANSDEST# show monitor session 1
Session 1
---------
Type : Remote Destination Session
Source RSPAN VLAN : 100
Destination Ports : Gi1/0/2
Encapsulation : Native
Ingress : Disabled

• The only additional thing to check is that remote-span is configured for the RSPAN VLAN on all switches:
RSPAN#show vlan remote-span
Remote SPAN VLANs
------------------------------------------------------------------------------
100

RSPAN best practices and considerations

• Filtering is even more relevant in RSPAN, as the trunks forwarding the replicated traffic via RSPAN
VLAN are likely forwarding production traffic.

• All traffic in the RSPAN VLAN is always flooded. Keep the RSPAN path as linear as possible and enable it only on the required devices.

• RSPAN does not support BPDU packet monitoring or other Layer 2 device protocols. The traffic
replicated via RSPAN will not contain the original Dot1Q/VLAN tag, as this will be replaced with the
RSPAN VLAN tag.

4. Encapsulation Remote SPAN

Encapsulation Remote SPAN
• ERSPAN mirroring is used when the SPAN source and destination port cannot be on the same switch (local); there can also be a cloud/ISP in the middle.
• ERSPAN itself is not a mirroring feature; it relies on GRE tunneling to carry the traffic across an L3 network.
• ERSPAN only needs Layer 3 connectivity between the source and the destination.
• The IP addresses used to create the tunnel can be from any range that is not in use; the GRE tunnel is seen as directly connected.
• ERSPAN uses GRE, which adds an IP header that must be accounted for in the final MTU calculations.
• It also uses only one session ID and one ID for each flow.
• The C9000 family supports ERSPAN source, except the C9200.
• A Network Advantage license is required to enable this feature.

Topology
[Figure: ERSPAN lab topology diagram.]
ERSPAN Configuration
• ERSPAN requires configuration on the Source switch and the Destination switch.
ERSPAN Source configuration
ERSPANSOURCE(config)# monitor session 1 type erspan-source
ERSPANSOURCE(config-mon-erspan-src)# source interface Ten1/0/1 {rx|tx|both}
ERSPANSOURCE(config-mon-erspan-src)# no shutdown
ERSPANSOURCE(config-mon-erspan-src)# destination
ERSPANSOURCE(config-mon-erspan-src-dst)# erspan-id 1 {#1-123}
ERSPANSOURCE(config-mon-erspan-src-dst)# ip address 1.1.1.2
ERSPANSOURCE(config-mon-erspan-src-dst)# origin ip address 1.1.1.1

ERSPAN Destination configuration
ERSPANDEST(config)# monitor session 1 type erspan-destination
ERSPANDEST(config-mon-erspan-dst)# no shutdown
ERSPANDEST(config-mon-erspan-dst)# destination interface Ten 1/0/2
ERSPANDEST(config-mon-erspan-dst)# source
ERSPANDEST(config-mon-erspan-dst-src)# erspan-id 1 {#1-123}
ERSPANDEST(config-mon-erspan-dst-src)# ip address 1.1.1.2

ERSPAN Verification
• The verification and platform commands used for SPAN are the same ones required for ERSPAN.
Source:
ERSPANSOURCE# show monitor session 1
Session 1
---------
Type : ERSPAN Source Session
Status : Admin Enable
Source Ports :
Both : Ten 1/0/1
Destination IP Address : 1.1.1.2
MTU : 9000
Destination ERSPAN ID : 1
Origin IP Address : 1.1.1.1

Destination:
ERSPANDEST# show monitor session 1
Session 1
---------
Type : ERSPAN Destination Session
Status : Admin Enable
Destination Ports : Ten1/0/2
Source IP Address : 1.1.1.2
Source ERSPAN ID : 1

ERSPAN Verification
• To confirm the tunnel assigned to the ERSPAN session:
ERSPAN_SOURCE#show platform software fed switch active ifm interfaces tunnel
Interface IF_ID State
----------------------------------------------------------------------
Tunnel1000000000 0x0000004d READY

The GRE tunnel that is created will show status up and protocol down; this is expected.

Tunnel verification
ERSPAN#show ip interface brief | include Tunnel
Tunnel1000000000 unassigned YES unset up down

• It is also possible to confirm whether the platform supports ERSPAN destination:
ERSPAN#show capability feature monitor erspan-destination
ERSPAN Destination Session:ERSPAN Destination Session Supported: TRUE
Maximum No of ERSPAN destination session: 8
ERSPAN Header Type supported: II and III

ERSPAN best practices and considerations

• The MTU must be the same on both sides, source and destination.

• It is suggested to use a higher MTU to avoid packet fragmentation, which causes latency problems.

• Use the same network segment for the GRE tunnel.

Topology Lab
[Figure: lab topology diagram.]
ERSPAN Packet Analysis

[Figure: packet capture decode of an ERSPAN packet, with callouts for the GRE tunnel IP addresses (ERSPAN), the ERSPAN ID, and the mirrored traffic (e.g. ICMP).]
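As an added example (not from the deck, and not Cisco code), the Python decoder below walks the encapsulation shown in the packet analysis above: outer Ethernet, outer IPv4, GRE, then the ERSPAN Type II header, and recovers the ERSPAN ID and the mirrored frame. It also applies the MTU rule from the best-practices slide by computing the IP-layer encapsulation overhead. The packet is constructed inline from the addresses and ID used in the configuration (origin 1.1.1.1, destination 1.1.1.2, erspan-id 1) and the 114-byte ICMP frame from the EPC slide; the header layout follows the ERSPAN Type II draft, and the assumption that only the IPv4/GRE/ERSPAN headers count against the tunnel MTU is mine.

```python
import struct
from dataclasses import dataclass

GRE_PROTO = 47             # IP protocol number for GRE
ERSPAN_II_PTYPE = 0x88BE   # GRE protocol type carrying an ERSPAN Type II header
IP_OVERHEAD = 20 + 8 + 8   # outer IPv4 + GRE (with sequence) + ERSPAN II header (assumed to count against the tunnel MTU)


@dataclass
class Erspan:
    outer_src: str   # 'origin ip address' on the source switch
    outer_dst: str   # destination 'ip address' on the source switch
    gre_seq: int
    session_id: int  # the configured erspan-id
    vlan: int        # original VLAN of the mirrored frame
    inner: bytes     # the mirrored Ethernet frame


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_erspan(frame: bytes) -> Erspan:
    """Walk outer Ethernet -> IPv4 -> GRE -> ERSPAN II and return the mirrored frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ip = frame[14:]
    if ip[9] != GRE_PROTO:
        raise ValueError("outer IPv4 does not carry GRE")
    gre = ip[(ip[0] & 0x0F) * 4:]
    flags, ptype = struct.unpack("!HH", gre[:4])
    if ptype != ERSPAN_II_PTYPE:
        raise ValueError("GRE payload is not ERSPAN Type II")
    off = 4 + (4 if flags & 0x8000 else 0) + (4 if flags & 0x2000 else 0)  # skip checksum/key if present
    if not flags & 0x1000:
        raise ValueError("ERSPAN Type II requires the GRE sequence number (S bit)")
    seq, word1 = struct.unpack("!II", gre[off:off + 8])   # GRE sequence, then ERSPAN header word 1
    if word1 >> 28 != 1:
        raise ValueError("ERSPAN header version is not Type II")
    return Erspan(_ip(ip[12:16]), _ip(ip[16:20]), seq,
                  word1 & 0x3FF, (word1 >> 16) & 0xFFF, gre[off + 12:])


def fits_tunnel_mtu(inner_len: int, mtu: int) -> bool:
    """True if a mirrored frame of inner_len bytes crosses the tunnel without fragmentation."""
    return inner_len + IP_OVERHEAD <= mtu


# Constructed sample: the 114-byte ICMP echo from the EPC slide, mirrored by erspan-id 1
# from origin 1.1.1.1 to destination 1.1.1.2. Checksums are left at zero on purpose.
INNER = (bytes.fromhex("cafecafecafe00be758d69d80800")                              # Ethernet, IPv4
         + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 100, 1, 0, 254, 1, 0,
                       bytes([192, 168, 0, 1]), bytes([192, 168, 0, 2]))            # IPv4, proto ICMP
         + struct.pack("!BBHHH", 8, 0, 0, 0, 2) + b"\x00" * 72)                      # echo request, seq 2
ERSPAN_HDR = struct.pack("!II", (1 << 28) | (10 << 16) | 1, 0)                      # ver 1, VLAN 10, session 1
GRE_HDR = struct.pack("!HHI", 0x1000, ERSPAN_II_PTYPE, 7)                            # S bit set, sequence 7
OUTER_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + 8 + len(INNER), 0, 0, 64,
                       GRE_PROTO, 0, bytes([1, 1, 1, 1]), bytes([1, 1, 1, 2]))
PACKET = bytes.fromhex("0000000000020000000000010800") + OUTER_IP + GRE_HDR + ERSPAN_HDR + INNER

if __name__ == "__main__":
    p = parse_erspan(PACKET)
    print(f"{p.outer_src} -> {p.outer_dst} gre-seq={p.gre_seq} erspan-id={p.session_id} "
          f"vlan={p.vlan} mirrored={len(p.inner)}B overhead={len(PACKET) - len(p.inner)}B")
```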

Q&A

Reference Links
• EPC
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-3/configuration_guide/nmgmt/b_173_nmgmt_9300_cg/configuring_packet_capture.html

• SPAN and RSPAN
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-3/configuration_guide/nmgmt/b_173_nmgmt_9300_cg/configuring_span_and_rspan.html

• ERSPAN
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9500-series-switches/218111-verify-span-and-erspan-on-catalyst-9000.html

Closing

Still have questions?
If you asked a question in the Q&A panel, or come back to the community in the days after our webinar, our experts can still help you!
Join the Ask Me Anything (AMA) forum before Friday, May 26, 2023
https://bit.ly/CL2ama-may23

Make your opinion count
Answer our survey to...
• Suggest new topics
• Rate our experts and the content
• Send your comments or suggestions
Help us by answering 5 multiple-choice questions! At the end of this session, a survey will open in your browser.

Our Social Networks
LinkedIn: Cisco Community
Twitter: @CiscoCommunity
YouTube: CiscoCommunity
Facebook: CiscoCommunity

