THURSDAY, 13 APRIL 2017
CONFIGURING SPAN ON CISCO CATALYST SWITCHES ‐ MONITOR
Being able to monitor your network traffic is essential when it comes to troubleshooting problems, performing a security audit or even
casually checking your network for suspicious traffic.
Back in the old days whenever there was a need to monitor or capture network traffic, a hub would be introduced somewhere in the
network link and, thanks to the hub’s inefficient design, it would copy all packets incoming from one port out to all the rest of the ports,
making it very easy to monitor network traffic. Those interested in hub fundamentals can read our Hubs & Repeaters
(/networking topics/generalnetworking/235hubsrepeaters.html) article.
Of course switches work on an entirely different principle and do not replicate unicast packets out of every port on the switch, but keep
them isolated unless it’s a broadcast or multicast.
Thankfully, monitoring network traffic on Cisco Catalyst switches is a straightforward process and does not require the presence of a hub.
The Cisco method is called Switched Port Analyser, also known as SPAN.
UNDERSTANDING SPAN TERMINOLOGY
Ingress Traffic: Traffic that enters the switch
Egress Traffic: Traffic that leaves the switch
Source (SPAN) port: A port that is monitored
Source (SPAN) VLAN: A VLAN whose traffic is monitored
Destination (SPAN) port: A port that monitors source ports. This is usually the point to which a network analyser is connected.
Remote SPAN (RSPAN): When Source ports are not located on the same switch as the Destination port. RSPAN is an advanced
feature that requires a special VLAN to carry the monitored traffic and is not supported by all switches. RSPAN explanation and
configuration will be covered in another article.
Figure 1. The network diagram above helps us understand the terminology and implementation of SPAN.
Source SPAN ports are monitored for received (RX Ingress), transmitted (TX Egress) or bidirectional (both) traffic. Traffic entering or
exiting the Source SPAN ports is mirrored to the Destination SPAN port. Typically, you would connect a PC with a network analyser on
the Destination SPAN port, and configure it to capture and analyse the traffic.
The amount of information you can obtain from a SPAN session really depends on how well the captured data can be interpreted and
understood. A reliable Network Analyser will not only show the captured packets but automatically diagnose problems such as TCP
retransmissions, DNS failures, slow TCP responses, ICMP redirect messages and much more. These capabilities help any engineer to
quickly locate network problems which otherwise could not be easily found.
A destination port must reside on the same switch as the source port (for a local SPAN session).
A destination port can be any Ethernet physical port.
A destination port can participate in only one SPAN session at a time.
A destination port in one SPAN session cannot be a destination port for a second SPAN session.
A destination port cannot be a source port.
A destination port cannot be an EtherChannel group.
CONFIGURING SPAN ON CISCO CATALYST SWITCHES
Our testbed was a Cisco Catalyst 3550 Layer 3 switch, however, the commands used are fully supported on all Cisco Catalyst 2940,
2950, 2955, 2960, 2970, 3550, 3560, 3560−E, 3750, 3750−E and 4507R Series Switches.
The diagram below represents a typical network setup where there is a need to monitor traffic entering (Ingress) and exiting (Egress) the
port to which the router connects (FE0/1). This strategically selected port essentially monitors all traffic entering and exiting our network.
Since router R1 connects to the 3550 Catalyst switch on port FE0/1, this port is configured as the Source SPAN port. Traffic copied from
FE0/1 is to be mirrored out FE0/24 where our monitoring workstation is waiting to capture the traffic.
Once we have our network analyser set up and running, the first step is to configure FastEthernet 0/1 as a source SPAN port:
Catalyst3550(config)# monitor session 1 source interface fastethernet 0/1
Next, configure FastEthernet 0/24 as the destination SPAN port:
Catalyst3550(config)# monitor session 1 destination interface fastethernet 0/24
After entering both commands, we noticed our destination’s SPAN port LED (FE0/24) began flashing in synchronisation with that of
FE0/1’s LED – an expected behaviour considering all FE0/1 packets were being copied to FE0/24.
Confirming the monitoring session and operation requires one simple command, show monitor session 1:
Catalyst3550# show monitor session 1
Session 1
Type : Local Session
Source Ports :
    Both : Fa0/1
Destination Ports: Fa0/24
    Encapsulation : Native
    Ingress: Disabled
To display the detailed information from a saved version of the monitor configuration for a specific session, issue the show monitor
session 1 detail command:
Catalyst3550# show monitor session 1 detail
Session 1
Type : Local Session
Source Ports :
    RX Only : None
    TX Only : None
    Both : Fa0/1
Source VLANs :
    RX Only : None
    TX Only : None
    Both : None
Source RSPAN VLAN : None
Destination Ports : Fa0/24
    Encapsulation : Native
    Ingress: Disabled
Reflector Port : None
Filter VLANs : None
Dest RSPAN VLAN : None
Notice how the Source Ports section shows Fa0/1 for the row named Both. This means that we are monitoring both RX & TX packets for
Fa0/1, while the Destination Port is set to Fa0/24.
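The check done by eye above can be scripted. The following Python is an added example, not code from the article: it parses show monitor session output into source and destination ports, then flags any destination that is not on an approved list or that also appears as a source port (one of the destination port rules listed earlier). The approved list, the function names and session 2 of the sample are assumptions made for illustration.

```python
import re

# Constructed sample: session 1 is abridged from the article's output;
# session 2 is invented here so the audit has something to flag.
SAMPLE = """\
Session 1
Type : Local Session
Source Ports :
    RX Only : None
    TX Only : None
    Both : Fa0/1
Source VLANs :
    Both : None
Destination Ports : Fa0/24
Session 2
Source Ports :
    RX Only : Fa0/2,Fa0/24
Destination Ports : Fa0/23
"""

def _ports(value):
    # "None" means no ports; ranges such as Fa0/1-3 are kept as one token.
    return set() if value in ("", "None") else {p.strip() for p in value.split(",")}

def parse_sessions(text):
    """Return {session_no: {"src": {port: direction}, "dst": {ports}}}."""
    sessions, cur, section = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"Session (\d+)", line):
            cur, section = sessions.setdefault(int(m.group(1)), {"src": {}, "dst": set()}), None
        elif cur is not None and ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            if key in ("Source Ports", "Source VLANs"):
                section = key  # the RX/TX/Both rows that follow belong to it
            elif key in ("RX Only", "TX Only", "Both") and section == "Source Ports":
                cur["src"].update(dict.fromkeys(_ports(value), key))
            elif key == "Destination Ports":
                cur["dst"] |= _ports(value)
    return sessions

def audit(sessions, approved_dst):
    """approved_dst is an assumed allowlist of ports where an analyser may sit."""
    all_src = {p for s in sessions.values() for p in s["src"]}
    checks = (("destination not approved", lambda p: p not in approved_dst),
              ("destination is also a source", lambda p: p in all_src))
    return [(no, port, msg) for no, s in sorted(sessions.items())
            for port in sorted(s["dst"]) for msg, bad in checks if bad(port)]

if __name__ == "__main__":
    print(audit(parse_sessions(SAMPLE), approved_dst={"Fa0/24"}))
```

Source VLAN rows are skipped on purpose, so a "Both : None" line under Source VLANs never overwrites the port-level direction.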
Turning to our network analyser, thanks to its predefined filters we were able to catch packets to and from the workstation monitored:
This completes our discussion on SPAN configuration and how to monitor/capture packets on a Cisco Catalyst switch. Upcoming articles
will cover RSPAN and more advanced packet capturing techniques using dedicated VLANs for captured traffic and other complex
scenarios.
8 Comments
Darragh Delaney · Claremorris
You can download a free Windows based tool for setting up SPAN ports on Cisco switches at this link
http://www.netfort.com/downloads/freesoftware.
29 January 2013 03:37

Canaan Kalengo · Maintenance Technician at Zamtel
This is cool.
30 January 2013 02:02

Reza Setiawan · Engineer, Voice and Data Network at PT Freeport Indonesia
Perfect..
7 February 2013 01:44

Mohamed Abozaid · Mansoura University
Good
28 March 2013 02:32

Dedi Subandi · Works at G4S Cash Services
I already tried this on a Catalyst 3560, but it doesn't work, and I got a new problem: the connection to the backbone was disconnected after
I ran the configuration, so I rolled back the configuration.
23 January 2014 01:49
Firewall.cx Cisco Networking, VPN IPSec, Security, Best VPN Service, Cisco Switching, Cisco Routers, Cisco VoIP CallManager Express, Windows Server, Virtualization, HyperV, Web Security, Linux
Administration