Can I SPAN a SPAN?

Started by deanwebb, February 16, 2018, 07:40:15 AM


deanwebb

Got a situation in which we want to set up a SPAN port, but the switch only has 10G ports and the device that receives the SPAN only has 1G ports. Idea was to put a switch between them that had both kinds of ports, and then SPAN the SPAN.

:wha?:

My first question was, "Is this even doable?"

Is it? If it is, then if we want to inject traffic into the SPAN, we'd need to have the response port go to... the switch with only 10G interfaces, and we're back where we started, except we at least have read access to the traffic. If it's possible.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

deanwebb

Oh yeah, need to add...

This is in a shop where there is zero budget, so only new gear we can add would be patch cables or anything of similar price. If you know a mirror port concentrator that goes for $5, suggest that solution. Otherwise, it's fancy cabling time and/or crazy haxx.

I did just now consider making that switch with 1G/10G interfaces into a router on a stick, effectively taking the shop down to 1G throughput. If it solves the problem, I suggest that and then let the network architects decide if it's a good fit or not.

Otanx

What switch models? I have done something similar with a Nexus 5K. Disable MAC learning on the switch, and it turns into a hub.

-Otanx

icecream-guy

RSPAN not an option?

-edit-
You can't SPAN a 10G port to a 1G port, anything over 1G will get dropped.
:professorcat:

My Moral Fibers have been cut.

deanwebb

Quote from: ristau5741 on February 16, 2018, 09:58:28 AM
RSPAN not an option?

-edit-
You can't SPAN a 10G port to a 1G port, anything over 1G will get dropped.

Need the SPAN to be where we can both monitor and inject traffic - this is a NAC thing for ForeScout. (DISCLAIMER: Hi, I work for ForeScout.) RSPAN gives read, but not write.

The traffic itself on the link doesn't even hit 1G, but the customer likes knowing that if ever, if EVER he needed 10G, it's there. Bandwidth usage is usually in the 100-200MB range.

(Side note: issue is now down to either buying new gear or modifying existing gear and understanding it can't be RMA'd, so this is now an academic discussion, but I'd like to continue it as such. It's an interesting hypothetical.)

Otanx

I found these, but they are not cheap.
https://www.omnitron-systems.com/iconverter-10gxt-10-100-1000-to-10g-fiber-media-converter.php

Provantage has them for just under $1K. You may be able to find them cheaper. I wouldn't want to do it that way, but you could.

-Otanx

deanwebb

Quote from: Otanx on February 16, 2018, 10:38:58 AM
I found these, but they are not cheap.
https://www.omnitron-systems.com/iconverter-10gxt-10-100-1000-to-10g-fiber-media-converter.php

Provantage has them for just under $1K. You may be able to find them cheaper. I wouldn't want to do it that way, but you could.

-Otanx


Ouch. I think the customer would rather bite the bullet on risking not being able to RMA a device due to breaking the seal on it.

Otanx

Set up SPAN on the 10G switch. Connect to the 10G/1G switch. The port receiving the SPAN has the port configured as an access port on an unused VLAN. Now SPAN the access port, and send it to the tool. Now connect another port between the two switches with the appropriate VLAN for the tool's return traffic.

-Otanx
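Otanx's two-hop layout (the 10G switch mirrors to a plain access port on the 10G/1G switch, which mirrors that port's rx to the tool, with a separate link for the tool's return traffic), written out as an added example in Cisco IOS syntax. It is not from the thread or from any vendor; interface names and VLAN numbers are assumptions.

```cisco
! ===== Switch A: the 10G-only production switch =====
! Mirror the link of interest in both directions to the 10G port cabled
! to switch B. Assumed names: Te1/0/1 is the monitored link, Te1/0/2 the
! cable to switch B, VLAN 10 the production VLAN.
monitor session 1 source interface TenGigabitEthernet1/0/1 both
monitor session 1 destination interface TenGigabitEthernet1/0/2
!
! Switch A end of the return-path link: a normal access port in VLAN 10.
interface TenGigabitEthernet1/0/3
 description return path from switch B (tool traffic)
 switchport mode access
 switchport access vlan 10
!
! ===== Switch B: the switch with both 10G and 1G ports =====
! Te1/1 receives the mirrored frames. It is a plain access port in an
! otherwise empty VLAN (999 assumed), not a SPAN destination, so the
! "can't SPAN a SPAN destination" restriction does not come into play.
! bpdufilter makes switch B ignore any mirrored BPDUs that show up here.
interface TenGigabitEthernet1/1
 description mirror feed from switch A
 switchport mode access
 switchport access vlan 999
 spanning-tree bpdufilter enable
!
! Mirror only what arrives (rx) on Te1/1 to the tool's 1G monitor NIC.
! Anything above 1G is dropped at this step, as noted in the thread.
monitor session 1 source interface TenGigabitEthernet1/1 rx
monitor session 1 destination interface GigabitEthernet1/10
!
! A SPAN destination does not forward what the tool transmits, so the
! tool's second NIC goes into a normal VLAN 10 port, and VLAN 10 rides a
! second cable back to switch A.
interface GigabitEthernet1/11
 description tool response NIC
 switchport mode access
 switchport access vlan 10
interface TenGigabitEthernet1/2
 description to switch A Te1/0/3, return path
 switchport mode access
 switchport access vlan 10
```

This gives the tool a read-only copy of the traffic plus a way to send its own frames into VLAN 10; it does not put the tool inline, so it cannot block or rewrite frames on the monitored link.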

deanwebb

Quote from: Otanx on February 16, 2018, 10:56:18 AM
Set up SPAN on the 10G switch. Connect to the 10G/1G switch. The port receiving the SPAN has the port configured as an access port on an unused VLAN. Now SPAN the access port, and send it to the tool. Now connect another port between the two switches with the appropriate VLAN for the tool's return traffic.

-Otanx


Can a SPAN monitor also be in a VLAN? I never tried that.

Otanx

I am not sure; I have never had to receive data on a SPAN, and it probably depends on the switch vendor. Option B would be to SPAN the RX on the tool port, and then send that out to the other switch with an access port on the correct VLAN. However, SPANning a SPAN destination is not always allowed either.

-Otanx

wintermute000

deanwebb, since when was spanning rx and tx not possible with RSPAN/ERSPAN?  I assume that's what you mean by 'read not write'?

I'm skimming config guides now and the tx/rx/both keywords are plastered everywhere...

Agree RSPAN/ERSPAN is the correct 'solution' here if the customer is fine with 1Gb chokepoint and understands that back pressure can happen (i.e. SPAN out drops = source port drops, fun times)


sounds like you guys need an alliance with gigamon/ixia etc. for a pre-canned tap solution


EDIT: by 'read not write' the alternative meaning is that you want the destination port to be able to also do normal traffic, i.e. 'enabling MAC learning' in CSCO parlance? If so, ERSPAN has no limitations but that comes with its own caveats, e.g. needing L3 jumbo throughout

deanwebb

Good info... let me break down what we're doing and see if that's something that should work with an RSPAN.

When I said "read", that's MAC learning, picking up on HTTP/S headers, reading DHCP and DNS traffic, basically to learn about the endpoints sending and receiving that information. Info goes into the big NAC database and we classify endpoints based on that.

"Write" refers to the ability to enforce control policies by either blocking traffic or redirecting traffic by working with it in real time, on the wire. This will be more effective, of course, with TCP communications, but that's OK by us. So, for example, say an endpoint doesn't have AV running. One control option would be to intercept its web traffic and point it to a page that basically says, "No Internet until you get AV running". Once the end-user is complying with that policy, we detect that the AV is running and stop redirecting its web traffic to our compliance portal. This would be done if, for example, we were not able to switch VLANs or apply an ACL on the MAC address or switchport.

So, does RSPAN allow that kind of traffic interception/redirection for that use case?

wintermute000

No, but neither does SPAN. You're talking about inline basically. Unless I've been asleep at the wheel this whole time and you can inject traffic back through a SPAN / block or modify it??? No way, it's a straight-up mirror.

You'd need to be L2 inline or logically l2 inline via gigamon etc

deanwebb

Quote from: wintermute000 on February 16, 2018, 08:00:45 PM
You'd need to be L2 inline or logically l2 inline via gigamon etc


That's normally what we do, L2 inline. This particular use case looked to not give that option unless we did the router on a stick thing.

wintermute000

So why are you even talking about the downsides of RSPAN but considering a normal SPAN in the same paragraph when both have the SAME key downside to your requirement?


It seems to me RSPAN/ERSPAN is much easier and better than putting another switch in the middle, in an unconventional configuration to boot.


Out of curiosity what off-path enforcement options do you have? Dot1x? Switch integration? Can you push security policies, ACLs, etc? API driven integration into FWs/FW and WLAN management platforms?



BTW not a direct dig at your product, but L2 inline security appliances are a nightmare from a design, scaling, redundancy and capacity POV, esp in the DC, though much simpler/lower capacity campus situations are not as bad (esp if you can support port-channel, and the customer accepts fail-open)