15. Capture the Packet over Data Plane: SPAN, RSPAN, ERSPAN
The next important topic is capturing packets at the level of the data plane. For that we use a popular technique, the Switched Port Analyzer (SPAN). This is a technique by which we can mirror a port: we send one copy of the traffic that is going via the port to a certain destination. In the diagram you can see that we have a source for the SPAN, meaning the port where the traffic is coming in; that traffic we want to copy and send to a certain destination. So you have to define the source and then you have to define the destination. At the destination end we can use a popular tool such as Wireshark to analyze the traffic; we will verify that in our lab section.
Besides SPAN, we have other options in our tool belt. Suppose we want to capture packets remotely, and that remote capture is extended over layer two. In that case we can use remote SPAN (RSPAN), the Remote Switched Port Analyzer. Again it is the same thing: you have the source and you have the destination, but you are extending over the layer two domain. At the destination end you again have the sniffing tool where you can analyze the packets. So we have options related to SPAN and to RSPAN as well. The configuration is quite straightforward. For local SPAN you define the monitor session, which interface is your source and which interface is your destination, and that's it. Then you can open Wireshark and check the packets going through. In the case of remote SPAN you have to define the VLAN for remote SPAN, and you have two configurations: one related to the source and one related to the destination. At the RSPAN source you again enable the monitor session: monitor session 1 source, monitor session 1 destination.
Then at the destination end, again you have to define the source and the destination. On some switch platforms the configuration is different, but the end goal is the same. The last flavor we have is encapsulated remote SPAN (ERSPAN). The difference between RSPAN and ERSPAN is that one session, RSPAN, you are extending over layer two, and the other, ERSPAN, you are extending over the layer three domain. In this case, for example, I'm using GRE as the encapsulation. Again I have the ERSPAN source and the ERSPAN destination, but the packets that I want to analyze are carried over the GRE session.
16. SPAN Lab
As we discussed earlier, for ERSPAN we are encapsulating the traffic between a source and a destination IP. Here we can see the configuration on one side, where we start the monitor session with type ERSPAN. We should define the source interface and the destination addresses. On the other side, where I have the destination and where I have Wireshark, on that router we configure the ERSPAN destination: the destination interface, and then under the source the ERSPAN ID and the IP address. This way we can capture and then analyze the packets coming from the source: we send them to the destination where we have the sniffer, and there we can analyze them. Now, in this lab what I want to show you is how to do the configuration for SPAN.
We take one interface that we want to mirror, and we send those copies to the server. Let me share my diagram. Here you can see that I have one switch and one host connected. The interface 1/15 will be the source of the traffic, and I will send it to 1/14, which becomes the destination for the traffic. Let me quickly open the CLI. Meanwhile, you can see the configuration is very straightforward: on the switch we have a VLAN configured, and the host is actually a router, but we are treating it as a host; here you can see the IP and the configuration as well. If I ping from here to the switch, that is 192.168.56.2, you can see the reachability is there. Then I can go to the switch and under line vty enable login local, so we can check TCP packets as well if we want, and then I should give, say, username admin password admin, and the enable password is also admin. So not only can we check the ping (ICMP) packets, we can check Telnet packets as well. In the same way, if you are at the line vty level and you want to check SSH traffic, you can set transport input and output to SSH, for example, and then you should have an IP domain name configured.
And then you have to generate the crypto key. Once I have the domain name, the key and the transport input configured, I can set the version to 2, so I can verify SSH as well. So let's go to switch number one and configure the monitor session: monitor session 1. What is your source? The source interface is FastEthernet 1/15. Likewise, monitor session 1 destination interface is FastEthernet 1/14, where you have connected the sniffer. We have seen that your configuration may vary with the platform, but the concept is the same: you are mirroring from one place and sending to another place. Now, here I have my Wireshark and I can start my capture. Continue without saving. So now the traffic capture has started. All right, first of all let's do the ping with some bigger count.
Then I can check show monitor session 1. You can see this is the configuration. Now if I go to Wireshark, which is at the server end as per our diagram, you can see that we are sending this SPAN session there and we are getting the packets. I can stop this. You are getting the ICMP requests and responses; if you want to filter, you can filter and analyze them. There's no problem with that. Now let's try to get some packets related to Telnet. I should stop this. Let me stop this sequence, and then if I do SSH to 56.2 and go to Wireshark, you can see that we have the packets for SSH and we are able to capture them; you can see the encryption and all those things. Likewise, we can analyze all types of packets. We are inside switch number two, and here you can see the SSH packet transmission is happening. So this is the way we can enable SPAN and then verify it as well.
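The three mirroring variants from sections 15 and 16 written out as IOS-style configuration; this is an added example, not the configuration shown on the course slides. The local SPAN ports are the lab's FastEthernet 1/15 and 1/14; VLAN 999, ERSPAN ID 100, the 192.0.2.x addresses and the GigabitEthernet names are assumptions, and exact syntax varies by platform.

```cisco
! Added example. Each section is for a separate device or alternative;
! do not paste all of them into one switch.
! Lab values: source Fa1/15, sniffer on Fa1/14.
! Assumed values: VLAN 999, ERSPAN ID 100, 192.0.2.x, Gi0/0/x.
!
! --- Local SPAN: source and sniffer on the same switch ---
monitor session 1 source interface FastEthernet1/15 both
monitor session 1 destination interface FastEthernet1/14
!
! --- RSPAN, source switch: mirror into a dedicated VLAN ---
vlan 999
 remote-span
monitor session 1 source interface FastEthernet1/15 both
monitor session 1 destination remote vlan 999
!
! --- RSPAN, destination switch: VLAN 999 must be trunked end to end ---
vlan 999
 remote-span
monitor session 1 source remote vlan 999
monitor session 1 destination interface FastEthernet1/14
!
! --- ERSPAN source router (IOS-XE style): mirror into GRE over layer 3 ---
monitor session 1 type erspan-source
 source interface GigabitEthernet0/0/1 both
 no shutdown
 destination
  erspan-id 100
  ip address 192.0.2.20
  origin ip address 192.0.2.10
!
! --- ERSPAN destination router: decapsulate towards the sniffer port ---
monitor session 1 type erspan-destination
 destination interface GigabitEthernet0/0/2
 no shutdown
 source
  erspan-id 100
  ip address 192.0.2.20
!
! --- Verification on any of the devices ---
! show monitor session 1
```

The destination port receives a full copy of the mirrored traffic, including any unencrypted management sessions, so it should be a dedicated port that only the capture host can reach.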
17. Cisco IP SLA
The next important topic is Cisco IP SLA. Cisco IP SLA is a mechanism in the existing WAN or network that gives us the capability to dynamically track certain services or certain IPs and, according to that, dynamically change the path. So suppose your primary link is down; then you can go via the secondary link. There are other options as well, related to loss, jitter, latency, et cetera. Let's try to understand the IP SLA workflow: we are going to look at IP SLA operations, and then we'll do the configuration and verify it in the lab. What features does IP SLA provide? With the help of IP SLA we can collect parameters related to loss, latency, jitter, packet sequencing, the path hop by hop, and connectivity.
And according to these parameters we can change the path dynamically. So what does it look like, and how do we configure it? We enable the IP SLA, say IP SLA 1, and I want to check a particular destination. For example, I can send ICMP echo packets just to check whether this destination is there or not. And suppose I have multiple paths: if one path is down, automatically you go by the second path. That's the overall idea behind this. The frequency 5 is the rate at which we are sending the echo packets to the destination, that is one one one. In this case we have scheduled this IP SLA with the start time now, and we can give the life as forever. So life is forever and start is now. And finally we have to glue this to the tracking.
Again in configuration mode we enable track 1 for IP SLA 1, for reachability. What this track does is start tracking this particular destination with the ICMP echo packets. How it works behind the scenes we'll see in the lab. For ip route, I actually have two ip route statements. We know that by default ip route has a higher AD value with respect to any other protocol. And then you can give some bigger AD value, say for example 30. So the best one is the first line; traffic will hit the first line. This will be the primary, and you have enabled the track on it. So: primary path with tracking, that is ICMP echo at a frequency of five.
That means if this track is down, meaning the destination is down, you will start going via the other link. Once you do this configuration, we have the verification commands: we can check the IP SLA application, configuration, history and statistics. Let me quickly show you the lab setup. In this lab, this is my source, and one one one on R1 is the destination. You can see that I can reach the R1 loopback via R2, and I can also reach it via R3. What configuration have I done? Obviously we have the IP assignment on all the interfaces, et cetera. Let me quickly open PuTTY. I just wanted to show you the configuration I have for router number one. At the moment the IP SLA is not started, and you can see that we have the ip route command, and we should check R4, because R4 is the source generator. Let me quickly show you the ip route configuration: at the moment this is the preferred and this is the backup. Again, it depends on what ip route statements you have. What it means at this point, with this statement, is 34.3. So this path, because you can see the IP assignment here: this is the IP, and the IPs over these interfaces are in the range of, say, 24.0/24, and here the IP address is 10.1.34.0/24. So these are the IPs we are using. Router two means .2, router four means .4; like that we have the IPs. All right? So you can see clearly that with this rule, if I do the traceroute for the destination, it will go via R3.
Now, if I change this statement to, say, 50 and you check again, this one is now the lower, so the traffic will go via this direction. And that's the case. What I want is for this traffic to go via this direction, and to track it with IP SLA. So I can enable, say, IP SLA 1, and then set the frequency and the other parameters. Let's see what other things we can set here. Once you enable the IP SLA you have this ICMP echo. What is your destination? You want to check this one. To send the packets you can use a frequency of, for example, five, and if you want a timeout you can use timeout 1000.
What does that mean? The timeout is 1 second; the default is 5000, and 5000 milliseconds means 5 seconds. The frequency is five, so every five seconds you are sending one ICMP echo packet. Great. Once we have this, we should start it. Here you can see the IP SLA schedule: the start time is now and the life is forever. Once we have all the configuration related to IP SLA, we should enable the track as well. What is that track? Say track 1, and what do you want to track? Say IP SLA 1. Now that we have all this configuration, we should apply this track to the ip route statement. First of all, let me delete this one, otherwise you will find multiple entries. Now I can add it again and give track 1. Now the track has been glued to the route, and you can see this track is glued to the IP SLA. Then you can check the route.
So you have two routes now: one is the primary, obviously with the tracking, and one is the secondary. Now if I check show ip track, or let's try show track 1, you can see this track is up and it is working with static IP routing. What we can do now is shut down an interface, any interface whose loss will not allow us to reach this destination. For example E1/0: go to interface E1/0, do shutdown, and then check the output here on R4. Now you can see the track is down, because the track is in this direction. And if you check show ip route, you will find the static route entry; you have seen both. Now it is 34.3, and the track is also up. So this is the way we can verify IP SLA.
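The IP SLA, track and static-route steps from this section collected into one IOS-style configuration for the source router (R4); this is an added example, not the configuration typed in the video. The destination 1.1.1.1 and the next hops 10.1.24.2 (via R2) and 10.1.34.3 (via R3) are assumptions based on the addressing described above, and the threshold line is added because IOS requires threshold to be no larger than timeout.

```cisco
! Added example. Assumed values: destination 1.1.1.1 (R1 loopback),
! primary next hop 10.1.24.2 (R2), backup next hop 10.1.34.3 (R3).
!
! Probe: one ICMP echo every 5 s, declared failed after 1000 ms
ip sla 1
 icmp-echo 1.1.1.1
 ! default threshold is 5000 ms and must not exceed the timeout
 threshold 1000
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track object follows the probe's reachability result
track 1 ip sla 1 reachability
!
! Primary: default static AD of 1, installed only while track 1 is up
ip route 1.1.1.1 255.255.255.255 10.1.24.2 track 1
! Backup: floating static with AD 50, used once the primary is withdrawn
ip route 1.1.1.1 255.255.255.255 10.1.34.3 50
!
! Verification
! show ip sla configuration 1
! show ip sla statistics 1
! show track 1
! show ip route static
```

Because the probe target is the same prefix as the tracked route, the probe can succeed over the backup path after failover and bring the track back up. Probing an address reachable only through the primary path, or configuring a delay under the track object, avoids the route flapping between the two next hops.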