1
00:00:00,880 --> 00:00:09,040
SPAN, or Switched Port Analyzer, also called port mirroring or port monitoring, is a way to configure

2
00:00:09,280 --> 00:00:17,140
a switch to make copies of Ethernet frames that are received on certain ports or certain VLANs.

3
00:00:17,320 --> 00:00:24,100
You could say, as an example, that all traffic arriving on port Gigabit 1/0/1 gets copied out of another

4
00:00:24,100 --> 00:00:26,590
port, Gigabit 1/0/2.

5
00:00:27,040 --> 00:00:34,020
Or you could say that all traffic that's received or sent on VLAN 1 is copied out of

6
00:00:34,030 --> 00:00:41,620
Gigabit 1/0/2. SPAN becomes really important when you want to monitor traffic that's not destined to a specific

7
00:00:41,620 --> 00:00:42,700
device.

8
00:00:42,940 --> 00:00:49,540
As an example you may have a network analyzer or intrusion detection system that needs to monitor traffic

9
00:00:49,660 --> 00:00:51,820
that traverses your network.

10
00:00:51,820 --> 00:00:59,800
You can configure a switch to either make copies of frames out of a local port or as you'll learn later

11
00:01:00,220 --> 00:01:07,270
use what is called Remote SPAN, where you copy frames from a local switch to a remote switch so that

12
00:01:07,300 --> 00:01:11,110
a remote monitoring station can receive the traffic.

13
00:01:11,120 --> 00:01:18,590
Now in this topology I'm not using GNS3. GNS3 and Cisco VIRL do not currently support

14
00:01:18,590 --> 00:01:19,790
SPAN.

15
00:01:19,790 --> 00:01:28,130
So what I'm using are physical Cisco routers, which are connected to 2950 physical Cisco switches, which

16
00:01:28,130 --> 00:01:32,740
in turn are connected to 3750 Cisco switches.

17
00:01:32,800 --> 00:01:39,840
I've got a PC connected to the 3750 switch and it's running Wireshark, and we'll use it

18
00:01:39,850 --> 00:01:42,460
to capture traffic from the network.

19
00:01:42,460 --> 00:01:48,340
Now I'm going to demonstrate in a moment that when traffic is sent from one router to another, which

20
00:01:48,340 --> 00:01:55,480
is unicast traffic such as pings or Telnet, that's all sent from router 1 to router 2, the traffic will be sent

21
00:01:55,480 --> 00:02:03,280
to the first 2950, which in turn will be sent to the first 3750, which in turn will be sent to the

22
00:02:03,310 --> 00:02:10,540
second 3750 switch, and that will continue until the traffic arrives at router 2. The capturing PC

23
00:02:11,040 --> 00:02:15,510
will not have visibility of unicast traffic.

24
00:02:15,670 --> 00:02:21,400
Because when the MAC address table of switch 1 is populated, it's simply going to switch the traffic

25
00:02:21,760 --> 00:02:28,720
from this interface to, for example, this interface to forward the traffic to router 2. Traffic is only going

26
00:02:28,720 --> 00:02:37,050
to be sent out of this interface if it's sent to unknown unicast addresses, multicast addresses or broadcast

27
00:02:37,050 --> 00:02:41,810
addresses or specifically sent to the capturing device.

28
00:02:41,880 --> 00:02:48,510
So the capturing device will have no visibility of traffic sent from router 1 to router 2 unless we

29
00:02:48,510 --> 00:02:53,680
enable SPAN or port monitoring on the 3750 switch.

30
00:02:53,970 --> 00:02:59,880
So firstly demonstrate that traffic sent from router 1 to router 2 is not received by the capturing

31
00:02:59,880 --> 00:03:00,810
PC.

32
00:03:01,050 --> 00:03:08,390
And then we'll configure SPAN on the switch so that the PC is able to capture the traffic using Wireshark.

33
00:03:08,820 --> 00:03:20,290
The console of the 3750 switch: show mac address table. Some MAC addresses are listed in

34
00:03:20,290 --> 00:03:20,840
the table

35
00:03:24,220 --> 00:03:37,180
What I'll do now is ping from router 1 to router 2. Show ip interface brief: router 1 has the IP address

36
00:03:37,690 --> 00:03:46,430
and router 2 has the same IP address which we can see on the console of router 2.

37
00:03:46,530 --> 00:03:48,420
So there's the IP address of router 2.

38
00:03:51,640 --> 00:03:54,770
Router 1 is once again able to ping router 2.

39
00:03:55,090 --> 00:04:02,730
So when we look at the MAC address table of switch 1, previously we only had those three MAC addresses

40
00:04:02,730 --> 00:04:03,950
in the table.

41
00:04:04,140 --> 00:04:10,750
But now notice we have this MAC address as well as the MAC address in the table.

42
00:04:11,040 --> 00:04:17,700
I have configured the MAC address of router 1 as follows.

43
00:04:17,700 --> 00:04:24,630
So I'm using a Cisco vendor code MAC address, and to make it simple I've specified the MAC address of

44
00:04:24,630 --> 00:04:26,670
router one as follows.

45
00:04:27,410 --> 00:04:29,430
On router 2 I've done something similar.

46
00:04:29,630 --> 00:04:36,720
So the MAC address is the Cisco vendor code, zeros and 2.

47
00:04:36,740 --> 00:04:43,940
So at this point the first 3750 switch has learnt about the MAC addresses of router 1 and

48
00:04:44,000 --> 00:04:52,230
router 2. To keep things simple I haven't configured any VLANs; all devices are on VLAN 1. Let's capture

49
00:04:52,230 --> 00:04:53,420
traffic.

50
00:04:53,490 --> 00:04:57,800
Wireshark on our PC.

51
00:04:58,050 --> 00:05:02,410
So it's currently receiving some traffic.

52
00:05:02,530 --> 00:05:14,540
But let's do a ping from router 1 to router 2 once again, and I'll filter for ICMP traffic in the output.

53
00:05:14,550 --> 00:05:24,110
Here you can see that the PC is not receiving any ICMP traffic from router 1 to router 2, and in the

54
00:05:24,110 --> 00:05:33,950
same way, if router 2 pings router 1, no ICMP traffic is shown on the capturing PC.

55
00:05:34,110 --> 00:05:42,490
But if router 1 pings the Windows PC, which has an IP address of 10.1.1.222,

56
00:05:46,170 --> 00:05:49,410
notice we see the ICMP packets.

57
00:05:49,470 --> 00:05:59,730
So Wireshark is able to capture traffic from 10.1.1.1 going to 10.1.1.222. So the PC is not

58
00:05:59,730 --> 00:06:06,840
able to capture unicast traffic sent from router 1 to router 2.

59
00:06:06,850 --> 00:06:11,690
What about multicast traffic?

60
00:06:11,940 --> 00:06:20,650
In this example you can see that the ICMP traffic was received to the multicast address, so router 1 with

61
00:06:20,650 --> 00:06:27,140
IP address 10.1.1.1 is sending traffic to the multicast address

62
00:06:27,140 --> 00:06:30,360
239.1.1.1.

63
00:06:30,570 --> 00:06:36,140
You can see, as an example, the source MAC address of router 1; the destination MAC address is

64
00:06:36,140 --> 00:06:41,450
0100.5e, which is the multicast MAC address in IP version 4.

65
00:06:41,820 --> 00:06:43,980
As you can see over there.

66
00:06:44,490 --> 00:06:48,100
What about a broadcast of paying $10 one to one.

67
00:06:48,130 --> 00:06:49,680
The.

68
00:06:50,190 --> 00:06:55,340
And I'll just repeat this once as you can see here.

69
00:06:55,480 --> 00:07:00,050
Broadcast traffic is being received by the PC.

70
00:07:00,190 --> 00:07:08,460
So in other words, unicast traffic sent from router 1 to the capturing device is forwarded out of this port

71
00:07:10,680 --> 00:07:12,650
and that's based on the MAC address.

72
00:07:15,350 --> 00:07:21,910
Shown here as learnt by the 3750 switch. On the PC

73
00:07:26,520 --> 00:07:28,030
I have changed

74
00:07:31,170 --> 00:07:32,880
the MAC address in Windows

75
00:07:36,040 --> 00:07:41,030
to use a bunch of zeros and a 1, so the MAC address is

76
00:07:44,120 --> 00:07:54,750
11 zeros followed by 1, and that was learnt by the switch on FastEthernet 1/0/5, as shown over here.

77
00:07:54,980 --> 00:08:03,820
So unicast traffic gets forwarded to the PC. Multicast traffic gets forwarded to the PC, and that's because

78
00:08:03,850 --> 00:08:10,000
multicast MAC addresses are not added to the MAC address table in the same way that unicast

79
00:08:10,000 --> 00:08:12,070
MAC addresses are. Broadcast

80
00:08:12,070 --> 00:08:15,330
traffic is also forwarded to the PC.

81
00:08:15,550 --> 00:08:16,450
So to summarize

82
00:08:20,720 --> 00:08:28,710
I'll respond to the Wireshark capture. Unicast traffic sent from router 1 to router 2 is not received by

83
00:08:28,710 --> 00:08:38,890
the capturing device. Multicast traffic is received. Broadcast traffic is received.

84
00:08:38,970 --> 00:08:45,180
If we want to capture traffic from router 1 to router 2 for troubleshooting, as an example, we would

85
00:08:45,180 --> 00:08:53,260
need to enable SPAN on this port, or mirroring to use the other term, so that traffic sent and received

86
00:08:53,260 --> 00:09:00,370
on this port, or the port on VLAN 1 in the example, is forwarded out of this port so that the capturing

87
00:09:00,370 --> 00:09:03,820
device can see the traffic. As another example,

88
00:09:03,820 --> 00:09:12,520
if we telnet from router 1 to router 2 and log in, the capturing device does not see the Telnet

89
00:09:12,520 --> 00:09:18,870
traffic, so we can't see the session from router 1 to router 2.

90
00:09:19,060 --> 00:09:22,160
And that's because the switch is doing what it's supposed to do.

91
00:09:22,300 --> 00:09:28,750
It's forwarding traffic from this interface to this interface and not sending it out of unnecessary

92
00:09:28,750 --> 00:09:29,860
ports.

93
00:09:29,860 --> 00:09:34,770
So now let's configure SPAN so that the capturing device can see the unicast traffic.
