Cisco Catalyst SPAN and Remote SPAN Configuration

To analyze network traffic passing through ports or VLANs you can configure SPAN or remote SPAN to mirror the traffic to another port on the switch or on another switch that has been connected to a network analyzer. The network analyzer can be Wireshark or Riverbed Cascade Pilot what capture or analyze the traffic. Cascade Pilot is here quite interesting because you can filter the traffic before and then send it to Wireshark for a deep analysis.

Back to the configuration, SPAN mirrors traffic received or sent (or both) on source ports or source VLANs to a destination port for analysis. The SPAN session does not affect the switching of network traffic on the source. Except for traffic on the destination, ports do not receive or forward traffic there are shown as monitoring interfaces.

 

Configure local SPAN session:

Define the source interface which traffic you want to mirror

monitor session 1 source interface GigabitEthernet 0/41

or VLAN as source

monitor session 1 source vlan 500

Define the destination interface

monitor session 1 destination interface GigabitEthernet 0/10

 

Configure remote SPAN session (1st switch):

At first create an remote SPAN VLAN

vlan 2010
  name RSPAN_VLAN
  remote-span
  exit

Then like the local SPAN session define the source

monitor session 1 source interface gi 0/47

or VLAN

monitor session 1 source vlan 500

At the end of the configuration of the 1st switch you configure the remote SPAN VLAN as destination

monitor session 1 destination remote vlan 2010

 

Configure remote SPAN session (2nd switch):

Like on the other switch you need to create at first an remote SPAN VLAN

vlan 2010
  name RSPAN_VLAN
  remote-span
  exit

Then as source you configure the RSPAN VLAN

monitor session 1 source remote vlan 2010

In the end the destination interface

monitor session 1 destination interface gi 0/18

Important is to verify that the RSPAN VLAN is allowed between these two switches on thier Trunk Interfaces!

 

With the following command you can verify the monitoring session you configured

show monitor session 1

ASA and PPPoE example

Just a short example what you need to configure when use PPPoE on Cisco ASA…

vpdn group myconnection request dialout pppoe
vpdn group myconnection localname [email protected]
vpdn group myconnection ppp authentication pap
vpdn username [email protected] password aeb1puj43

interface Vlan 2
	nameif outside
	security-level 0
	pppoe client vpdn group myconnection
	ip address pppoe setroute
	no shutdown
	exit

Configure syslog server on F5 BIG-IP

Syslog servers are a great idea they centralise all your logs from your Servers and networking devices.

I used for the syslog server the following command

bigpipe syslog remote server 'syslog-srv.local-domain.com' host 10.1.1.100 add

After that everything looked fine and I saw syslog messages but I got lots of informational messages and the following debug message.

debug snmpd[PID]: error on subcontainer 'ia_addr' insert (-1)

For the debug message I found a solution on AskF5: http://support.f5.com/kb/en-us/solutions/public/12000/100/sol12136.html?sr=16487442

There is saw that I went the wrong way of configuring syslog on my load balancer, I also needed to set the log level for remote syslog server. Here the solution from F5: http://support.f5.com/kb/en-us/solutions/public/11000/700/sol11723.html

1. Log in to the command line of the BIP-IP

2. Create in /tmp/syslog.inc file with the syslog configuration.

syslog include "
filter f_remote_loghost {
level(notice..emerg);
};
destination d_loghost {
udp(\"10.1.1.100\" port(514));
};
log {
source(s_syslog_pipe);
filter(f_remote_loghost);
destination(d_loghost);
};
"

3. To remove the currently configured remote syslog servers, type the following command:
Important: This step disables all remote logging.

[[email protected]:Active] tmp # b syslog remote server none

4. Copy the changes into the configuration

[[email protected]:Active] tmp # bpsh < /tmp/syslog.inc

5. Refresh and start syslog deamon

[[email protected]:Active] tmp # syslog-ng -s

6. Save the configuration

[[email protected]:Active] tmp # b save all
/config/bigip_base.conf was renamed to /config/bigip_base.conf.bak (86 lines).
/config/bigip_sys.conf was renamed to /config/bigip_sys.conf.bak (66 lines).
/config/bigip.conf was renamed to /config/bigip.conf.bak (894 lines).
/config/bigip_local.conf was renamed to /config/bigip_local.conf.bak (1 lines).
[[email protected]:Active] tmp #

If the new logging configuration is not working as expected, make the desired changes to the /tmp/syslog.inc file and return to Step 2.

When the syslog-ng -s command reports the following error message:

# syslog-ng -s syntax error at 751

Remove the syslog include entries by typing the following command:

bigpipe syslog include none

Review the import configuration for syntax errors before attempting to re-import by typing the command listed in Step 2.

Redirect Cisco show commands

Short overview of how to redirect Cisco show commands… quite useful sometimes 😉

show <command> | redirect URL

The syntax to redirect the command output to the file location specified in the URL. The pipe (|) is required. Prefixes can be local file locations, like flash: or disk0:. Alternatively, you can specify network locations using the following:

ftp://username:[email protected]/directory/filename
tftp://location/directory/filename

Rcp: prefix is not supported.

Example: Redirect show tech-support

show tech-support | redirect tftp://10.1.1.100/show-tech_c2960s-01.txt

F5 iRule for layer 7 balancing

This is an iRule for F5 BIGIP to balance on the requested http path, so http://domain.com/appversion1-0 or http://domain.com/appversion2-0 . The benefit is that you have different server pools under the same domain.

With the iRule you can also access every member and open a status.txt or servername.txt with the following path http://domain.com/monitor/servername.txt?app=appversion1-0&node=1 .  This option is for monitoring reasons as you can monitor every node over the external URL.

I also use the status.txt for an http monitor to see if the server is online or offline. You can use that to set the web server offline without doing that over the F5 management console.

GET /monitor/status.txt HTTP/1.1\r\nHOST:\r\nConnection: Close\r\n\r\n
Enable: ONLINE
Disable: OFFLINE

In the servername.txt I write the name of the server.

This is the iRule:

when HTTP_REQUEST {
switch -glob [string tolower [HTTP::path]] {
"*appversion1-0*" { pool pool_http80_domain.com-appversion1-0}
"*appversion2-0*" { pool pool_http80_domain.com-appversion2-0}
"*monitor*" {

switch [URI::query [HTTP::uri] "app"] {
appversion1-0 {
switch [URI::query [HTTP::uri] "node"] {
1 { pool pool_http80_domain.com-appversion1-0 member 10.0.1.1 80 }
2 { pool pool_http80_domain.com-appversion1-0 member 10.0.1.2 80 }

default { HTTP::respond 200 content "<html><head><title>Member Status</title></head><body>INVALID OR MISSING QUERYSTRING: You must enter the URL in the following format http://domain.com/monitor/(status|servername).txt?app=AppVersionNumber&node=NodeNumber" "Content-Type" "text/html" }

}
}

appversion2-0 {
switch [URI::query [HTTP::uri] "node"] {
1 { pool pool_http80_domain.com-appversion2-0 member 10.0.2.1 80 }
2 { pool pool_http80_domain.com-appversion2-0 member 10.0.2.2 80 }

default { HTTP::respond 200 content "<html><head><title>Member Status</title></head><body>INVALID OR MISSING QUERYSTRING: You must enter the URL in the following format http://domain.com/monitor/(status|serversame).txt?app=AppVersionNumber&node=NodeNumber" "Content-Type" "text/html" }

}
}

default { HTTP::respond 200 content "<html><head><title>Member Status</title></head><body>INVALID OR MISSING QUERYSTRING: You must enter the URL in the following format http://domain.com/monitor/(status|servername).txt?app=AppVersionNumber&node=NodeNumber" "Content-Type" "text/html" }

}
}

default { pool pool_http80_domain-appversion1-0 }

}
}

The default app pool is appversion1-0 so everything that didn’t match is forwarded to that pool.