
Send documentation comments to mdsfeedback-doc@cisco.com

CHAPTER 60

Monitoring Network Traffic Using SPAN

This chapter describes the Switched Port Analyzer (SPAN) features provided in switches in the Cisco MDS 9000 Family. It includes the following sections:

• About SPAN
• SPAN Sources
• SPAN Sessions
• Specifying Filters
• SD Port Characteristics
• Configuring SPAN
• Monitoring Traffic Using Fibre Channel Analyzers
• Default SPAN Settings

Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-8007-10, Cisco MDS SAN-OS Release 3.x

About SPAN

The SPAN feature is specific to switches in the Cisco MDS 9000 Family. It monitors network traffic through a Fibre Channel interface. Traffic through any Fibre Channel interface can be replicated to a special port called the SPAN destination port (SD port). Any Fibre Channel port in a switch can be configured as an SD port. Once an interface is in SD port mode, it cannot be used for normal data traffic. You can attach a Fibre Channel Analyzer to the SD port to monitor SPAN traffic (see the “Configuring the Cisco Fabric Analyzer” section on page 66-19).

SD ports do not receive frames; they merely transmit a copy of the SPAN source traffic. The SPAN feature is non-intrusive and does not affect switching of network traffic for any SPAN source ports (see Figure 60-1).

Figure 60-1 SPAN Transmission (diagram labels: SPAN source port, Fibre Channel traffic, fc1/2, fc3/1, fc9/1, SD port, Fibre Channel analyzer, Cisco MDS 9000 switch)

SPAN Sources

SPAN sources refer to the interfaces from which traffic can be monitored. You can also specify a VSAN as a SPAN source, in which case all supported interfaces in the specified VSAN are included as SPAN sources. You can choose the SPAN traffic in the ingress direction, the egress direction, or both directions for any source interface:

• Ingress source (Rx): Traffic entering the switch fabric through this source interface is spanned or copied to the SD port (see Figure 60-2).

Figure 60-2 SPAN Traffic from the Ingress Direction (diagram labels: ingress source port, Fibre Channel traffic, fc1/2, fc3/1, fc9/1, SD port, Fibre Channel analyzer, Cisco MDS 9000 switch)

• Egress source (Tx): Traffic exiting the switch fabric through this source interface is spanned or copied to the SD port (see Figure 60-3).

Figure 60-3 SPAN Traffic from Egress Direction (diagram labels: egress source port, Fibre Channel traffic, fc1/2, fc3/1, fc9/1, SD port, Fibre Channel analyzer, Cisco MDS 9000 switch)

IPS Source Ports

SPAN capabilities are available on the IP Storage Services (IPS) module. The SPAN feature is only implemented on the FCIP and iSCSI virtual Fibre Channel port interfaces, not the physical Gigabit Ethernet ports. You can configure SPAN for ingress traffic, egress traffic, or traffic in both directions for all eight iSCSI and 24 FCIP interfaces that are available in the IPS module.

Note: You can configure SPAN for Ethernet traffic using Cisco switches or routers connected to the Cisco MDS 9000 Family IPS modules.

Allowed Source Interface Types

The SPAN feature is available for the following interface types:

• Physical ports such as F ports, FL ports, TE ports, E ports, and TL ports.
• Interface sup-fc0 (traffic to and from the supervisor):
  – The Fibre Channel traffic from the supervisor module to the switch fabric through the sup-fc0 interface is called ingress traffic. It is spanned when sup-fc0 is chosen as an ingress source port.
  – The Fibre Channel traffic from the switch fabric to the supervisor module through the sup-fc0 interface is called egress traffic. It is spanned when sup-fc0 is chosen as an egress source port.
• PortChannels
  – All ports in the PortChannel are included and spanned as sources.
  – You cannot specify individual ports in a PortChannel as SPAN sources. Previously configured SPAN-specific interface information is discarded.
• IPS module specific Fibre Channel interfaces:
  – iSCSI interfaces
  – FCIP interfaces

VSAN as a Source

When a VSAN is specified as a source, all physical ports and PortChannels in that VSAN are included as SPAN sources. A TE port is included only when the port VSAN of the TE port matches the source VSAN. A TE port is excluded when its port VSAN is different, even if the configured allowed VSAN list contains the source VSAN.

You cannot configure source interfaces (physical interfaces, PortChannels, or sup-fc interfaces) and source VSANs in the same SPAN session.

Guidelines to Configure VSANs as a Source

The following guidelines apply when configuring VSANs as a source:

• Traffic on all interfaces included in a source VSAN is spanned only in the ingress direction.
• If a VSAN is specified as a source, you cannot perform interface-level SPAN configuration on the interfaces that are included in the VSAN. Previously configured SPAN-specific interface information is discarded.
• If an interface in a VSAN is configured as a source, you cannot configure that VSAN as a source. You must first remove the existing SPAN configurations on such interfaces before configuring VSAN as a source.
• Interfaces are only included as sources when the port VSAN matches the source VSAN. Figure 60-4 displays a configuration using VSAN 2 as a source:
  – All ports in the switch are in VSAN 1 except fc1/1.
  – Interface fc1/1 is the TE port with port VSAN 2. VSANs 1, 2, and 3 are configured in the allowed list.
  – VSAN 1 and VSAN 2 are configured as SPAN sources.

Figure 60-4 VSAN as a Source (diagram labels: TE port fc1/1 with allowed list VSAN 1, VSAN 2 and VSAN 3; Fibre Channel traffic; fc2/1; VSAN 2 as source; SD port fc9/1; Cisco MDS 9000 switch)

For this configuration, the following apply:
  – VSAN 2 as a source includes only the TE port fc1/1 that has port VSAN 2.
  – VSAN 1 as a source does not include the TE port fc1/1 because the port VSAN does not match VSAN 1.

See the “Configuring an Allowed-Active List of VSANs” section on page 22-6 or the “About Port VSAN Membership” section on page 25-7.
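The membership rule for a VSAN source, worked through on the Figure 60-4 configuration. This is an added example, not code from the Cisco guide; the Port model, the function name, and port fc3/1 (standing in for "all other ports in VSAN 1") are assumptions of the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    name: str
    port_vsan: int
    mode: str = "F"                         # "TE" marks a trunking E port
    allowed_vsans: frozenset = frozenset()  # trunk allowed list (TE ports)

def resolve_vsan_sources(ports, source_vsans, source_interfaces=()):
    """Work out which interfaces a VSAN-sourced SPAN session really covers.

    Returns {vsan: {"direction", "spanned", "trunks_not_spanned"}}.
    """
    # Source interfaces and source VSANs cannot share one SPAN session.
    if source_vsans and source_interfaces:
        raise ValueError("source interfaces and source VSANs in one session")
    coverage = {}
    for vsan in sorted(source_vsans):
        coverage[vsan] = {
            # VSAN sources are spanned in the ingress direction only.
            "direction": "rx",
            # An interface is a source only when its port VSAN matches.
            "spanned": [p.name for p in ports if p.port_vsan == vsan],
            # TE ports that list the VSAN as allowed but have a different
            # port VSAN are not sources: a capture blind spot to review.
            "trunks_not_spanned": [
                p.name for p in ports
                if p.mode == "TE" and vsan in p.allowed_vsans
                and p.port_vsan != vsan
            ],
        }
    return coverage

# Figure 60-4: fc1/1 is a TE port with port VSAN 2 and allowed list 1, 2, 3;
# every other port is in VSAN 1 (fc3/1 is constructed for the example).
FIGURE_60_4 = [
    Port("fc1/1", port_vsan=2, mode="TE", allowed_vsans=frozenset({1, 2, 3})),
    Port("fc2/1", port_vsan=1),
    Port("fc3/1", port_vsan=1),
]

if __name__ == "__main__":
    for vsan, info in resolve_vsan_sources(FIGURE_60_4, {1, 2}).items():
        print(f"VSAN {vsan}: spanned={info['spanned']} "
              f"trunks not spanned={info['trunks_not_spanned']}")
```

The trunks_not_spanned list is the part worth checking before relying on a capture: a trunk listed there is not a source for that VSAN, even though the VSAN is on its allowed list.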

SPAN Sessions

Each SPAN session represents an association of one destination with a set of source(s) along with various other parameters that you specify to monitor the network traffic. One destination can be used by one or more SPAN sessions. You can configure up to 16 SPAN sessions in a switch. Each session can have several source ports and one destination port.

To activate any SPAN session, at least one source and the SD port must be up and functioning. Otherwise, traffic is not directed to the SD port.

Tip: A source can be shared by two sessions; however, each session must be in a different direction, one ingress and one egress.

You can temporarily deactivate (suspend) any SPAN session. The traffic monitoring is stopped during this time.

Specifying Filters

You can perform VSAN-based filtering to selectively monitor network traffic on specified VSANs. You can apply this VSAN filter to all sources in a session (see Figure 60-4). Only VSANs present in the filter are spanned.

You can specify session VSAN filters that are applied to all sources in the specified session. These filters are bidirectional and apply to all sources configured in the session.

Guidelines to Specifying Filters

The following guidelines apply to SPAN filters:

• PortChannel configurations are applied to all ports in the PortChannel.
• If no filters are specified, the traffic from all active VSANs for that interface is spanned by default.
• While you can specify arbitrary VSAN filters in a session, traffic can only be monitored on the port VSAN or on allowed-active VSANs in that interface.

SD Port Characteristics

An SD port has the following characteristics:

• Ignores BB credits.
• Allows data traffic only in the egress (Tx) direction.
• Does not require a device or an analyzer to be physically connected.
• Supports only 1 Gbps or 2 Gbps speeds. The auto speed option is not allowed.
• Multiple sessions can share the same destination ports.
• If the SD port is shut down, all shared sessions stop generating SPAN traffic.
• The outgoing frames can be encapsulated in Extended Inter-Switch Link (EISL) format.

• The SD port does not have a port VSAN.
• SD ports cannot be configured using Storage Services Modules (SSMs).
• The port mode cannot be changed if it is being used for a SPAN session.

Note: If you need to change an SD port mode to another port mode, first remove the SD port from all sessions and then change the port mode.

Guidelines to Configure SPAN

The following guidelines apply for SPAN configurations:

• You can configure up to 16 SPAN sessions with multiple ingress (Rx) sources.
• You can configure a maximum of three SPAN sessions with one egress (Tx) port.
• In a 32-port switching module, you must configure the same session in all four ports in one port group (unit). If you wish, you can also configure only two or three ports in this unit (see the “32-Port Switching Module Configuration Guidelines” section on page 19-2).
• SPAN frames are dropped if the sum of the bandwidth of the sources exceeds the speed of the destination port.
• Frames dropped by a source port are not spanned.

Configuring SPAN

To monitor network traffic using SD ports, follow these steps:

Step 1  Configure the SD port.
Step 2  Attach the SD port to a specific SPAN session.
Step 3  Monitor network traffic by adding source interfaces to the session.

To configure an SD port for SPAN monitoring using Device Manager, follow these steps:

Step 1  Right-click the port you want to configure and select Configure. You see the general port configuration dialog.
Step 2  Under Mode, choose SD.
Step 3  Click Apply to accept the change.
Step 4  Close the dialog box.

Creating SPAN Sessions

To create SPAN sessions using Device Manager, follow these steps:

Step 1  Choose Interface > SPAN. You see the SPAN dialog box.
Step 2  Click the Sessions tab.
Step 3  Click Create. You see the Create SPAN Sessions dialog box shown in Figure 60-5.

Figure 60-5 Create SPAN Sessions Dialog Box

Step 4  Choose the session ID (from 1-16) using the up or down arrows and click Create.
Step 5  Repeat Step 4 for each session you want to create.
Step 6  Enter the destination interface in the Dest Interface field for the appropriate session.
Step 7  Enter the filter VSAN list in the Filter VSAN List field for the appropriate session.
Step 8  Choose active or inactive admin status in the Admin drop-down list.
Step 9  Click Apply to save your changes.
Step 10  Close the two dialog boxes.

Editing SPAN Sources

To edit a SPAN source using Device Manager, follow these steps:

Step 1  Choose Interface > SPAN. You see the SPAN dialog box.
Step 2  Click the Sources tab. You see the dialog box shown in Figure 60-6.

Figure 60-6 SPAN Sources Tab

Step 3  Enter the VSAN list name in the VSAN List field.
Step 4  Click Edit Interface List. You see the Source Interfaces dialog box.
Step 5  Click Create. You see the Source Interfaces Interface Sources dialog box shown in Figure 60-7.

Figure 60-7 Source Interfaces Interface Sources Dialog Box

Step 6  Click the browse button to display the list of available FC ports.
Step 7  Choose a port and click OK.
Step 8  Click the direction (receive or transmit) you want.
Step 9  Click Create to create the FC interface source.
Step 10  Click Close in each of the three open dialog boxes.

Note: When using Generation 2 Fabric Switches, you cannot create an additional active SPAN session when you already have one.

Deleting SPAN Sessions

To delete a SPAN session using Device Manager, follow these steps:

Step 1  Choose Interface > SPAN. You see the SPAN dialog box.

Step 2  Click the Sessions tab.
Step 3  Click the SPAN session you want to delete.
Step 4  Click Delete. The SPAN session is deleted.
Step 5  Close the dialog box.

SPAN Conversion Behavior

SPAN features (configured in any prior release) are converted as follows:

• If source interfaces and source VSANs are configured in a given session, then all the source VSANs are removed from that session.

  For example, before Cisco MDS SAN-OS Release 1.0(4):

    Session 1 (active)
       Destination is fc1/9
       No session filters configured
       Ingress (rx) sources are
          vsans 10-11
          fc1/3,
       Egress (tx) sources are
          fc1/3,

  Once upgraded to Cisco MDS SAN-OS Release 1.1(1):

    Session 1 (active)
       Destination is fc1/9
       No session filters configured
       Ingress (rx) sources are
          fc1/3,
       Egress (tx) sources are
          fc1/3,

  Session 1 had both source interfaces and source VSANs before the upgrade. After the upgrade, the source VSANs were removed (rule 1).

• If interface level VSAN filters are configured in source interfaces, then the source interfaces are also removed from the session. If this interface is configured in both directions, it is removed from both directions.

  For example, before Cisco MDS SAN-OS Release 1.0(4):

    Session 2 (active)
       Destination is fc1/9
       No session filters configured
       Ingress (rx) sources are
          vsans 12
          fc1/6 (vsan 1-20),
       Egress (tx) sources are
          fc1/6 (vsan 1-20),

  Once upgraded to Cisco MDS SAN-OS Release 1.1(1):

    Session 2 (inactive as no active sources)
       Destination is fc1/9
       No session filters configured
       No ingress (rx) sources
       No egress (tx) sources

  Note: The deprecated configurations are removed from persistent memory once a switchover or a new startup configuration is implemented.

  Session 2 had a source VSAN 12 and a source interface fc1/6 with VSAN filters specified in Cisco MDS SAN-OS Release 1.0(4). When upgraded to Cisco MDS SAN-OS Release 1.1(1), the following changes are made:
  – The source VSAN (VSAN 12) is removed (rule 1).
  – The source interface fc1/6 had VSAN filters specified, so it is also removed (rule 2).

Monitoring Traffic Using Fibre Channel Analyzers

You can use SPAN to monitor traffic on an interface without any traffic disruption. This feature is especially useful in troubleshooting scenarios where traffic disruption changes the problem environment and makes it difficult to reproduce the problem.

Without SPAN

You can monitor traffic using interface fc1/1 in a Cisco MDS 9000 Family switch that is connected to another switch or host. You need to physically connect a Fibre Channel analyzer between the switch and the storage device to analyze the traffic through interface fc1/1 as shown in Figure 60-8.

Figure 60-8 Fibre Channel Analyzer Usage Without SPAN (diagram labels: Cisco MDS 9000 switch, fc1/1, storage device, FC analyzer ports 1 and 2 with RX and TX links)

This type of connection has the following limitations:

• It requires you to physically insert the FC analyzer between the two network devices.
• It disrupts traffic when the Fibre Channel analyzer is physically connected.
• The analyzer captures data only on the Rx links in both port 1 and port 2. Port 1 captures traffic exiting interface fc1/1 and port 2 captures ingress traffic into interface fc1/1.
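The two rules from the SPAN Conversion Behavior section earlier in this chapter, applied to its Session 1 and Session 2 listings. This is an added example, not code from the Cisco guide or from SAN-OS; the dictionary layout and the function names are assumptions of the example.

```python
import copy

def convert_session(session):
    """Return the session as it looks after the upgrade (rules 1 and 2)."""
    new = copy.deepcopy(session)
    # Rule 1: source interfaces and source VSANs configured together
    # -> all source VSANs are removed from the session.
    if (session["rx"] or session["tx"]) and session["source_vsans"]:
        new["source_vsans"] = []
    # Rule 2: a source interface with an interface-level VSAN filter is
    # removed, from both directions if it was configured in both.
    filtered = {s["interface"] for d in ("rx", "tx")
                for s in session[d] if s["vsan_filter"]}
    for d in ("rx", "tx"):
        new[d] = [s for s in new[d] if s["interface"] not in filtered]
    # A session left without sources is listed as inactive.
    has_sources = bool(new["rx"] or new["tx"] or new["source_vsans"])
    new["active"] = session["active"] and has_sources
    return new

def lost_sources(before, after):
    """List what the conversion stopped monitoring, for post-upgrade review."""
    lost = [f"vsans {v}" for v in before["source_vsans"]
            if v not in after["source_vsans"]]
    for d in ("rx", "tx"):
        kept = {s["interface"] for s in after[d]}
        lost += [f"{s['interface']} {d}" for s in before[d]
                 if s["interface"] not in kept]
    return lost

def source(interface, vsan_filter=None):
    return {"interface": interface, "vsan_filter": vsan_filter}

# Transcribed from the chapter's pre-upgrade listings for sessions 1 and 2.
SESSION_1 = {"id": 1, "active": True, "dest": "fc1/9",
             "source_vsans": ["10-11"],
             "rx": [source("fc1/3")], "tx": [source("fc1/3")]}
SESSION_2 = {"id": 2, "active": True, "dest": "fc1/9",
             "source_vsans": ["12"],
             "rx": [source("fc1/6", "1-20")], "tx": [source("fc1/6", "1-20")]}

if __name__ == "__main__":
    for sess in (SESSION_1, SESSION_2):
        after = convert_session(sess)
        state = "active" if after["active"] else "inactive"
        print(f"Session {sess['id']} ({state}), "
              f"no longer monitored: {lost_sources(sess, after)}")
```

Session 2 is the case to watch for after an upgrade: the session still exists with its destination, but it has no sources and captures nothing.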

With SPAN

Using SPAN, you can capture the same traffic scenario shown in Figure 60-8 without any traffic disruption. The Fibre Channel analyzer uses the ingress (Rx) link at port 1 to capture all the frames going out of the interface fc1/1. It uses the ingress link at port 2 to capture all the ingress traffic on interface fc1/1.

Using SPAN, you can monitor ingress traffic on fc1/1 at SD port fc2/2 and egress traffic on SD port fc2/1. This traffic is seamlessly captured by the FC analyzer as shown in Figure 60-9.

Figure 60-9 Fibre Channel Analyzer Using SPAN (diagram labels: RX source in session 1 - SD port fc2/1; TX source in session 2 - SD port fc2/2; Cisco MDS 9000 switch; fc1/1; storage device; FC analyzer ports 1 and 2. Figure note: the egress (TX) traffic coming out from the analyzer ports will be dropped.)

Configuring Fibre Channel Analyzers Using SPAN

To configure Fibre Channel Analyzers using SPAN for the example in Figure 60-9, follow these steps:

Step 1  Configure SPAN on interface fc1/1 in the ingress (Rx) direction to send traffic on SD port fc2/1 using session 1.
Step 2  Configure SPAN on interface fc1/1 in the egress (Tx) direction to send traffic on SD port fc2/2 using session 2.
Step 3  Physically connect fc2/1 to port 1 on the Fibre Channel analyzer.
Step 4  Physically connect fc2/2 to port 2 on the Fibre Channel analyzer.

Single SD Port to Monitor Traffic

You do not need to use two SD ports to monitor bidirectional traffic on any interface as shown in Figure 60-9. You can use one SD port and one FC analyzer port by monitoring traffic on the interface at the same SD port fc2/1.

Figure 60-10 shows a SPAN setup where one session with destination port fc2/1 and source interface fc1/1 is used to capture traffic in both ingress and egress directions. This setup is more advantageous and cost effective than the setup shown in Figure 60-9: it uses one SD port and one port on the analyzer, instead of using a full, two-port analyzer.

Figure 60-10 Fibre Channel Analyzer Using a Single SD Port (diagram labels: bidirectional source in session 1 - SD port fc2/1; Cisco MDS 9000 switch; fc1/1; storage device; FC analyzer port 1. Figure note: the egress (TX) traffic coming out from the analyzer ports will be dropped.)

To use this setup, the analyzer should have the capability of distinguishing ingress and egress traffic for all captured frames.

Default SPAN Settings

Table 60-1 lists the default settings for SPAN parameters.

Table 60-1 Default SPAN Configuration Parameters

Parameters                      Default
SPAN session                    Active.
If filters are not specified    SPAN traffic includes traffic through a specific interface from all active VSANs.
Encapsulation                   Disabled.
SD port                         Output frame format is Fibre Channel.
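A pre-deployment check of the Figure 60-9 and Figure 60-10 setups against limits stated in this chapter: 16 sessions, SD port speed of 1 or 2 Gbps, a shared source only in different directions, and frame drops when source bandwidth exceeds the destination speed. This is an added example, not code from the Cisco guide; the 2 Gbps port speeds are constructed, and counting each monitored direction at full line rate is a worst-case assumption of the example.

```python
from collections import defaultdict

MAX_SESSIONS = 16          # up to 16 SPAN sessions in a switch
SD_SPEEDS_GBPS = {1, 2}    # SD ports: 1 or 2 Gbps only, auto not allowed

def audit_span(sessions, port_speed_gbps):
    """sessions: {id: {"dest": str, "sources": [(interface, "rx"|"tx")]}}.
    port_speed_gbps: {interface: Gbps}; an SD port may be "auto".
    Returns a list of findings (empty when nothing is flagged)."""
    findings = []
    if len(sessions) > MAX_SESSIONS:
        findings.append(f"{len(sessions)} sessions, limit is {MAX_SESSIONS}")
    first_use = {}               # (interface, direction) -> session id
    load = defaultdict(float)    # SD port -> worst-case offered Gbps
    for sid, sess in sorted(sessions.items()):
        for iface, direction in sess["sources"]:
            key = (iface, direction)
            # Two sessions may share a source only in different directions.
            if key in first_use:
                findings.append(f"{iface} {direction} is a source in "
                                f"sessions {first_use[key]} and {sid}")
            else:
                first_use[key] = sid
            # Sessions that share an SD port add up on that port.
            load[sess["dest"]] += port_speed_gbps[iface]
    for dest, gbps in sorted(load.items()):
        speed = port_speed_gbps.get(dest)
        if speed not in SD_SPEEDS_GBPS:
            findings.append(f"SD port {dest} speed {speed!r} "
                            f"is not 1 or 2 Gbps")
        elif gbps > speed:
            findings.append(f"SD port {dest}: sources can offer {gbps:g} Gbps "
                            f"but the port carries {speed} Gbps, "
                            f"SPAN frames may be dropped")
    return findings

# Constructed speeds: the chapter does not state them for these ports.
SPEEDS = {"fc1/1": 2, "fc2/1": 2, "fc2/2": 2}
# Figure 60-9: Rx in session 1 to fc2/1, Tx in session 2 to fc2/2.
FIG_60_9 = {1: {"dest": "fc2/1", "sources": [("fc1/1", "rx")]},
            2: {"dest": "fc2/2", "sources": [("fc1/1", "tx")]}}
# Figure 60-10: one bidirectional session to the single SD port fc2/1.
FIG_60_10 = {1: {"dest": "fc2/1",
                 "sources": [("fc1/1", "rx"), ("fc1/1", "tx")]}}

if __name__ == "__main__":
    for name, cfg in (("Figure 60-9", FIG_60_9), ("Figure 60-10", FIG_60_10)):
        print(name, audit_span(cfg, SPEEDS) or "no findings")
```

Under these assumptions the single-SD-port setup is flagged: a source busy in both directions can offer more than the SD port carries, so capture loss is possible even though the configuration is valid.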
