1/31/13

Configuring SPAN On Cisco Catalyst Switches - Monitor & Capture Network Traffic/Packets

Thursday, 31 January 2013

Me e t The Te am !

Fre e C isco Lab

Ne ws

Site Map - Alte rnative Me nu

R e com m e nde d W e bsite s

search...

Username

Home

Networking Topics

Cisco KnowledgeBase

Linux Tutorials Hot Downloads

Microsoft KB

Cisco VPN Client Software Download (Windows General Topics & Reviews Downloads Site Related 32bit - 64bit, Linux 32bit - 64bit, MacOS)

Recommendations Network Security Articles Cisco UC500 / CCME Articles

- Nework Security Scanner - Server Anti-Spam - Web Monitoring & Web Security - NEW! Free Packet Sniffer !! - NEW! Network Fax Server !!

IP Phone 7945, 7965, 7975 Factory Reset Procedure, SCCP Firmware Upgrade & CME DHCP Server Setup

Firewall.cx Newsletter Receive Free notification on new articles!

Popular articles covering Cisco VPN (IPSec/GRE/mGRE) and DMVPN Technologies:

Understanding Cisco Dynamic Multipoint VPN (DMVPN) *New* Dynamic Multipoint VPN (DMVPN) Deployment Models & Architectures *New* Configuring Cisco Dynamic Multipoint VPN (DMVPN) Configuring Site to Site IPSec VPN Tunnel Between Cisco Routers Configuring Point-to-Point GRE VPN Tunnels on Cisco Routers Cisco GRE and IPSec - GRE over IPSec - Selecting and Configuring GRE IPSec Tunnel or Transport Mode Configuring Cisco SSL VPN AnyConnect (WebVPN) on Cisco IOS Routers *New*

Name E-mail
Subscribe

***************

Hom e

C isco Knowle dge Base

C isco Switche s

C onfiguring SPAN O n C isco C atalyst Switche s - Monitor & C apture Ne twork Traffic/Pack e ts

Firewall.cx Forums Community Forums Facebook Fans Show your support for Firewall.cx!

Configuring SPAN On Cisco Catalyst Switches - Monitor & Capture Network Traffic/Packets
(2 votes, average 5.00 out of 5)
Written by Administrator Tuesday, 29 January 2013 00:00 Share Tw eet Like Send 42 people like this.

Firewall.cx
Like 1,272

Social Media Channels

Being able to monitor your network traffic is essential when it comes to troubleshooting problems, performing a security audit or even casually checking your network for suspicious traffic.

Back in the old days whenever there was a need to monitor or capture network traffic, a hub would be introduced somewhere in the network link and, thanks to the hubs inefficient design, it would copy all packets incoming from one port out to all the rest of the ports, making it very easy to monitor network traffic. Those interested in hub fundamentals can read our Hubs & Repeaters article.

Of course switches work on an entirely different principle and do not replicate unicast packets out of every port on the switch, but keep them isolated unless its a broadcast or multicast.

Thankfully, monitoring network traffic on Cisco Catalyst switches is a straightforward process and does not require the presence of a hub. The Cisco method is called Switched Port Analyser also known as SPAN.

Download Your Free Network Scanner

Understanding SPAN Terminology

Ingress Traffic: Traffic that enters the switch Egress Traffic: Traffic that leaves the switch Source (SPAN) port: A port that is monitored Source (SPAN) VLAN: A VLAN whose traffic is monitored Destination (SPAN) port: A port that monitors source ports. This is usually the point to which a network analyser is connected. Remote SPAN (RSPAN): When Source ports are not located on the same switch as the Destination port. RSPAN is an advanced feature that requires a special VLAN to carry the monitored traffic and is not supported by all switches. RSPAN explanation and configuration will be covered in another article.

Download Free Network Analyzer System Login Username

Password

Remember Me
Login

www.firewall.cx/index.php?option=com_content&view=article&id=940:cisco-switches-span-monitoring&catid=145:cisco-switches&Itemid=192

1/5

1/31/13
Login With Facebook

Configuring SPAN On Cisco Catalyst Switches - Monitor & Capture Network Traffic/Packets

Register for this site Forgot Username? Forgot Password?

Recommended Downloads - Web Security - Server AntiSpam - Network Scanner - Packet Sniffers - IDS Security Manager - Web-Proxy Monitor - FTP / TFTP Servers - Cisco VPN Client - nChronos Network Analysis Server - Network Fax Server More Articles Download The Complete Cisco Catalyst Switching Portfolio. Includes Catalyst 6500, 4500, 4900, 3750-X, 3560X, 3560-E, 2960, 2960S & 2360 Series Datasheets End-of-Sale and Endof-Life Announcement for the Cisco Catalyst 3750G, 3560G, 3750E, and 3560-E Series Switches Installation and Setup of Cisco SG500-52P 500 Series Stackable Managed Switches Err-disabled Port State, Enable & Disable Autorecovery Feature Forcing A Cisco Catalyst Switch To Use 3rd Party SFP Modules VLAN Security Tips Best Practices Installation of a Cisco Catalyst 4507R-E Layer 3 Switch

The network diagram above helps us understand the terminology and implementation of SPAN. Source SPAN ports are monitored for received (RX), transmitted (TX) or bidirectional (both) traffic. Traffic entering or exiting the Colasofts Capsa Enterprise) on the Destination SPAN port, and configure it to capture and analyse the traffic. The amount of information you can obtain from a SPAN session really depends on how well the captured data can be interpreted and understood. Tools such as Capsa Enterprise will not only show the captured packets but automatically diagnose problems such as TCP retransmissions, DNS failures, slow TCP responses, ICMP redirect messages and much more. These capabilities help any engineer to quickly locate network problems which otherwise could not be easily found.

SPAN ports is mirrored to the Destination SPAN port. Typically, you would connect a PC with a network analyser (we trust and use

Basic Characteristics and Limitations of Source Port

A source port has the following characteristics: It can be any port type such as EtherChannel, Fast Ethernet, Gigabit Ethernet and so forth. It can be monitored in multiple SPAN sessions. It cannot be a destination port (thats where the packet analyser is connected) Each source port can be configured with a direction (ingress, egress, or both) to monitor. For EtherChannel sources, the monitored direction applies to all physical ports in the group. Source ports can be in the same or different VLANs. For VLAN SPAN sources, all active ports in the source VLAN are included as source ports.

Basic Characteristics and Limitations of Destination Port

Each SPAN session must have a destination port that receives a copy of the traffic from the source ports and VLANs. A destination port has these characteristics: A A A A A A destination destination destination destination destination destination port port port port port port must reside on the same switch as the source port (for a local SPAN session). can be any Ethernet physical port. can participate in only one SPAN session at a time. in one SPAN session cannot be a destination port for a second SPAN session. cannot be a source port. cannot be an EtherChannel group.

Limitations of SPAN on Cisco Catalyst Models

Following are the limitations of SPAN on various Cisco Catalyst switches:

Who's Online We have 104 guests online Statistics Members : 5477 Content : 777 Web Links : 10 Content View Hits : 101143249 Top Website Visitors 37.1% 17.1% 7.4% 5.4% 4.4% United States India United Kingdom Australia Canada

Cisco Catalyst 2950 switches are only able to have one SPAN session active at a time and can monitor source ports. These switches cannot monitor VLAN source. Cisco Catalyst switches can forward traffic on a destination SPAN port in Cisco IOS 12.1(13)EA1 and later Cisco Catalyst 3550, 3560 and 3750 switches can support up to two SPAN sessions at a time and can monitor source ports as well as VLANs The Catalyst 2970, 3560, and 3750 Switches do not require the configuration of a reflector port when you configure an RSPAN session. The Catalyst 3750 Switches support session configuration with the use of source and destination ports that reside on any of the switch stack members. Only one destination port is allowed per SPAN session and the same port cannot be a destination port for multiple SPAN sessions. Therefore, you cannot have two SPAN sessions that use the same destination port.

Configuring SPAN On Cisco Catalyst Switches

Our test-bed was a Cisco Catalyst 3550 Layer 3 switch, however, the commands used are fully supported on all Cisco Catalyst 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560E, 3750, 3750E and 4507R Series Switches.

The diagram below represents a typical network setup where there is a need to monitor traffic entering (Ingress) and exiting (Egress) the port to which the router connects (FE0/1). This strategically selected port essentially monitors all traffic entering and exiting our network.

www.firewall.cx/index.php?option=com_content&view=article&id=940:cisco-switches-span-monitoring&catid=145:cisco-switches&Itemid=192

2/5

1/31/13
3.4% Germany

Configuring SPAN On Cisco Catalyst Switches - Monitor & Capture Network Traffic/Packets

Today:

989

Yesterday: 9728 This Week: 29704 Last Week: 53636 This Month: 210327 Last Month: 197257 Total: 2564872 from FE0/1 is to be mirrored out FE0/24 where our monitoring workstation is waiting to capture the traffic. POPULAR CISCO ARTICLES Router Introduction Cisco SDM Installation Cisco IP SLA Cisco SmartCare Service VLAN Security 4507R-E Installation CCME - UC500 GUI CallManager Express Intro VLAN Security & Tips Wireless LAN Key Generator Gold Cisco Lab Partners Next, configure FastEthernet 0/24 as the destination SPAN port: Catalyst-3550(config)# monitor session 1 destination interface fastethernet 0/24 Catalyst-3550(config)# monitor session 1 source interface fastethernet 0/1

Since router R1 connects to the 3550 Catalyst switch on port FE0/1, this port is configured as the Source SPAN port. Traffic copied

Because serious network procedures require serious tools, we opted to work with Colasofts Capsa Enterprise edition, our favourite

network analyser. With Caspa Enterprise, we were able to capture all packets at full network speed and easily identify TCP sessions

and data flows that we were interested in. If you havent tried Capsa Enterprise yet, we would highly recommend you do by visiting Colasofts website and downloading a copy. Once we have our network analyser setup and running, the first step is to configure FastEthernet 0/1 as a source SPAN port:

After entering both commands, we noticed our destinations SPAN port LED (FE0/24) began flashing in synchronisation with that of FE0/1s LED an expected behaviour considering all FE0/1 packets were being copied to FE0/24. Confirming the monitoring session and operation requires one simple command, show monitor session 1: Catalyst-3550# show monitor session 1 Session 1 --------Type : Local Session Source Ports : Both : Fa0/1 Destination Ports: Fa0/24 Encapsulation : Native Ingress: Disabled

POPULAR LINUX ARTICLES Linux Init & RunLevels Linux Groups & Users Performance Monitoring Linux Vim Editor Linux Samba Linux DHCP Server Linux Bind DNS File & Folder Permissions Linux OpenMosix Linux Network Config Best Rated Content Product Review - GFI LanGuard Network Security Scanner 2011 IPSec - Internet Protocol Security Understanding Cisco Dynamic Multipoint VPN - DMVPN, mGRE, NHRP TCP Window Size, Checksum & Urgent Pointer - Section 5 Static NAT - Part 1 Installation of a Cisco Catalyst 4507R-E Layer 3 Switch Introduction To Network Security Part 1 Firewall.cx - Cisco CCIE Experts & Cisco Press Authors Collaboration Annoucement Multicast IP Address List Quick Overview Of TCP Dynamic NAT - Part 2 Introduction To

To display the detailed information from a saved version of the monitor configuration for a specific session, issue the show monitor session 1 detailcommand: Catalyst-3550# show monitor session 1 detail Session 1 --------Type : Local Session Source Ports : RX Only : None TX Only : None Both : Fa0/1 Source VLANs : RX Only : None TX Only : None Both : None Source RSPAN VLAN : None Destination Ports : Fa0/24 Encapsulation : Native Ingress: Disabled Reflector Port : None Filter VLANs : None Dest RSPAN VLAN : None Notice how the Source Ports section shows Fa0/1 for the row named Both. This means that we are monitoring both RX & TX packets for Fa0/1, while the Destination Port is set to Fa0/24. Turning to our Capsa Enterprise network analyser, thanks to its predefined filters we were able to catch packets to and from the worksation monitored:

www.firewall.cx/index.php?option=com_content&view=article&id=940:cisco-switches-span-monitoring&catid=145:cisco-switches&Itemid=192

3/5

1/31/13
Routers Comparing DMVPN Single Tier and Dual Tier Headend Architectures - IPSec VPN & mGRE Termination Software Review: Colasoft Capsa 7 Enterprise Network Analyzer Routed Protocols VLAN Security Making the Most of VLANs Dynamic Multipoint VPN (DMVPN) Deployment Models & Architectures Colasoft: nChronos v3 Server and Console Review Book Review: Securing Cisco IP Telephony Networks By Akhil Behl Double CCIE (Voice & Security) #19564 UDP Protocol - Header The TCP Header/Segment VLANs - IEEE 802.1q Trunk Link Protocol Analysis Understanding, Configuring & Tweaking Web-based Cisco Aironet Access Point. Network Interface Radio0 802.11a/b/g Settings Book Review: The Official VMware VCP5 Certification Guide VMware: End of Availability of ESX 4.x

Configuring SPAN On Cisco Catalyst Switches - Monitor & Capture Network Traffic/Packets

This completes our discussion on SPAN configuration and how to monitor/capture packets on a Cisco Catalyst switch. Upcoming articles will cover RSPAN and more advanced packet capturing techniques using dedicated VLANs for captured traffic and other complex scenarios.

RE L A T E D A RT I C L E S
Configuring Policy-Based Routing (PBR) with IP SLA Tracking - Auto Redirecting Traffic How To Configure Router On A Stick - 802.1q Trunk To Cisco Router How To Configure DNS Server On A Cisco Router How To Secure Your Cisco Router Using Cisco AutoSecure Feature Introduction To Routers

Add a comment...

Comment Darragh Delaney Claremorris You can download a free Windows based tool for setting up SPAN ports on Cisco switches at this link http://www.netfort.com/downloads/free-software. Reply Like Yesterday at 03:37 Canaan Kalengo Thats All You Need to Know this is cool. Reply
F acebook social plugin

1 Like 21 hours ago

Last Updated on Tuesday, 29 January 2013 10:55

www.firewall.cx/index.php?option=com_content&view=article&id=940:cisco-switches-span-monitoring&catid=145:cisco-switches&Itemid=192

4/5

1/31/13

Configuring SPAN On Cisco Catalyst Switches - Monitor & Capture Network Traffic/Packets
Subscribe To Receive Free Article Updates!

Name E-mail
Subscribe

SIMILAR TOPICS THAT MIGHT INTEREST Download The Complete Cisco Catalyst Switching Portfolio. Includes Catalyst 6500, 4500, 4900, 3750-X, 3560-X, 3560-E, 2960, 2960S & 2360 Series Datasheets End-of-Sale and End-of-Life Announcement for the Cisco Catalyst 3750G, 3560G, 3750-E, and 3560-E Series Switches Installation and Setup of Cisco SG500-52P - 500 Series Stackable Managed Switches Err-disabled Port State, Enable & Disable Autorecovery Feature Forcing A Cisco Catalyst Switch To Use 3rd Party SFP Modules VLAN Security Tips - Best Practices Installation of a Cisco Catalyst 4507R-E Layer 3 Switch

Friendly Sites: GFI.com Packetlife.net, HackingC isco, Fryguy's Blog, C C IE Journey, C olasoft, More Recommended Websites

Copyright 2000-2013 Firewall.cx - All Rights Reserved Information and images contained on this site is copyrighted material. Firewall.cx - Cisco IP Networking, VPN - IPSec, Security, Cisco Switching, Cisco Routers, Cisco VoIP- CallManager Express & UC500, Linux Administration

www.firewall.cx/index.php?option=com_content&view=article&id=940:cisco-switches-span-monitoring&catid=145:cisco-switches&Itemid=192

5/5