Passive network tap or span port on all traffic

I want to insert a tap/span between the uverse in my house and the wall jack so I can push all traffic to Security Onion. The wall jack is RJ-11 and the pinout does not allow for a passive network jack. I bought a smart switch and spanned the ports and that did not work either. 1. Is there a way to designate one port on my i3812V residential device as a span and span all other ports to it? 2. What is the pinout needed for me to build a passive tap to sniff traffic? 3. Has this been done before, and if so, am I missing something obvious?

Garland,
SPAN sessions are only available on the switches. If you set up a SPAN session on the port where the ASA is connected you should be able to see all the traffic that is leaving/getting to that switchport; so it doesn't matter if the ASA drops the packet; if the switch was able to send it you will see it.
There is also the capture feature on the ASA; you can capture the traffic that gets to the interface of the ASA you are troubleshooting.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml
HTH
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach us"
http://www.cisco.com/web/partners/tools/pdihd.html

Similar Messages

  • CS11800 - Can I have a SPAN port for my IDS box?

    I have a network design that calls for a few CS11800s and its smaller brother. The security team has asked if this content switch has a SPAN port that is available so we can hang our IDS box off.
    Thanks
    B

    I am not extremely familiar with the CS11xxx series and its configuration options, but I can tell you that from experience with Cisco Catalyst switches and non-Cisco IDS devices a SPAN port is not always the best solution. In some instances I have had to disable packet learning in the SPAN session, and in other cases I have had to forego using SPAN at all and settled for an uplink to a hub that connected the IDS device and my router(s). This is especially true if the IDS device needs to be a member of the same VLAN as the traffic it is monitoring in order to send RST packets back onto the segment.
    I have researched this issue on my own and even opened TAC cases for a solution, but have received solutions ranging from "There's no reason this shouldn't work" to "You can not set up a SPAN session for IDS purposes." My recommendation would be (even though it does decrease performance a bit) to implement the hub solution, regardless of the CS11800 capabilities. This will prove to remove any potential X factors in the SPAN functionality and make your life a lot easier.
    Just my 2 cents. :)

  • Applying span port for sniffer

    Hi,
    We want to sniff some traffic that is passing between two nodes in our network.
    The flow will look like this;
    Edge switch > Core switch > (Wireless controller A) > metro ethernet link > Core switch > (wireless controller B)
    Wireless controller is connected to the core switch. We want to sniff traffic that passes from controller A towards the other side of the network.
    Controller A side belongs to us, hence we can only put sniffing on our end.
    Please help to understand how to setup span port on a laptop in this setup.
    If we connect a notebook on the core switch to sniff traffic passing through, will it be right?
    Appreciate all inputs.

    That's correct, the only thing I might note is to decide if you want to collect both rx and tx data? By leaving it default, as you did above, it will capture "both" directions. Capturing both is fine, but it will increase your Wireshark capture size. I would also recommend applying a Wireshark filter to only see the specific traffic you are interested in. A simple Google search will give you more info on Wireshark filters. Lastly, remember to remove the monitor session once you are done. We see leftover SPAN sessions often causing various switch problems, so they are only recommended to use as needed.
    HTH
    Luke

  • Spanned port for IDS

    We're about to get an IDS system which will require a spanned port on the inside of our network. Inside our network we have a few 6500's so I'd span a port on one of our core switches...my question is, there is definitely more than 1GB of traffic going through the core at any time...how would I get all this traffic to the IDS system? Would I just create an etherchannel and use it as a destination, and plug all the ports into the IDS?

    Thanks for that link. According to that link you have to have separate IDS's attached to the etherchannel (one per port):
    "The IPS appliances must be in on-a-stick mode, meaning that the IPS appliance can only use one sensing port on that Catalyst switch. That port is trunked so that the IPS appliance has an inbound and outbound path to and from the switch."
    Am I reading that wrong? Can I have one IPS with three or four ports attached to the same switch in an etherchannel?
    It's starting to sound like I'm going to have to limit what ports I source...which means the IDS could potentially miss a threat or report it later than it could....

  • Is SPAN port not allowed in Nexus FEX Port ?

    Hi
    The customer wants me to define a SPAN port on N2K; it is a FEX port. When I configure it I get the following statement from the switch.
    Is there any way to solve the problem?
    n5k-N2K(config-monitor)# destination ?
      interface  Configure interfaces
    n5k-N2K(config-monitor)# destination interface eth102/1/18
    ERROR: Eth102/1/18: Configuration not allowed on fex interface
    N5K VERSION
    Cisco Nexus Operating System (NX-OS) Software
    TAC support: http://www.cisco.com/tac
    Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.
    Software
      BIOS:      version 1.2.0
      loader:    version N/A
      kickstart: version 4.0(1a)N2(1)
      system:    version 4.0(1a)N2(1)
      BIOS compile time:       06/19/08
      kickstart image file is: bootflash:/n5000-uk9-kickstart.4.0.1a.N2.1.bin
      kickstart compile time:  2/25/2009 0:00:00 [02/25/2009 08:29:12]
      system image file is:    bootflash:/n5000-uk9.4.0.1a.N2.1.bin
      system compile time:     2/25/2009 0:00:00 [02/25/2009 08:56:57]

    Hi,
    A FEX port cannot be configured as a SPAN destination. Only a switch port can be configured and used as a SPAN destination.
    See link below for more info:
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/release/notes/Rel_5_1_3_N2_1/Nexus5000_Release_Notes_5_1_3_N2.html
    HTH

  • Definitive Network Extender destination IP/port list?

    Does anyone have the definitive Network Extender destination IP/port list?  
    I have heard that it's the following IPs:
    * 209.210.15.73 
    * 69.78.69.206 
    * 69.78.69.210 
    * 69.78.95.193 
    With the following UDP ports
    * 53
    * 500
    * 3500
    * 52428
    Yesterday, I found that my Network Extender was also requiring access to:
    * 66.174.71.40
    1. Can anyone confirm the exact list of all IP addresses a Network Extender will contact?
    2. For each IP, can anyone confirm which exact destination ports are required?
     (I am skeptical that each destination IP needs all four ports)
    With this information, Network Extender users can make sure our firewalls are open properly, as well as put in quality of service (QOS) rules to make sure the device gets higher priority transmission than other Web traffic.

    I got a network extender in July 2011 and it worked beautifully for about a year and a half. I set it up myself and had no problems. Sometime in December 2012 there was a "national outage" and my extender has never worked right since. It would allow me to hear my callers but callers could not hear me. After about 8 hours with CS over a few days, a fruitless service call with my ISP, Time Warner Cable and finally a desperate call to executive offices, Verizon sent me a new extender. I set it up the same way as the first and after about 3 hours all blue lights came on. The identical problem with my phone occurred. My next move was to go to the local store and beg for help. They were very pleasant but their solution, if you can call it that, was to send me a THIRD extender which I took to the store for "checking" and was told it was fine. When I set it up, it did exactly what yours is doing . . . I have blue, flashing red, purple, blue LED. I tried both the built-in antenna and the external antenna for GPS. I pored over the manual (sorry, Elector, but don't you think we looked at the manual?????) and it said if this condition occurs, the unit is defective. So, back to the store to return my third unit. If anyone has any helpful suggestions, I would most appreciate it.

  • Monitor or Span port Vulnerability

    Is the CISCO IDS/IPS device connecting to Monitor or SPAN port Vulnerable? Is there a document which I can refer to ?

    It's very unlikely, but not impossible. Snort's had a few and the general concept is applicable to any IDS. If you suck in data off the network and process it, there's the potential for vulnerabilities. If you're worried about it, put the management interface in a management dmz.
    http://www.infoworld.com/article/03/03/04/HNsnort_1.html

  • SPAN port question

    Hi,
    I have two core switches 6500 and Access switches 4500. Both chassis. I need to span ports, but these ports are not in a vlan. I know that there is a limit to span ports that are not in a vlan. Does anyone know what the limit is? Is there a way to make all of them span?
    Thanks!

    Hi Pablo
    As a forum focused on technical documentation, we checked to see if there was a doc that might answer your question.
    There is not enough information in your question for us to pinpoint exactly what you need, but have you looked at, for example, “Configuring SPAN, RSPAN, and ERSPAN” for the Catalyst 6500 (IOS 12.2SX)?
    If this doesn’t help, we’ll refer your question to the appropriate tech support community. They will probably find it helpful to know what operating system (CatOS or IOS) and which release you have, since this determines what SPAN features and restrictions are in effect.
    Thanks for posting,
    Hilde

  • SPAN Port Monitoring Setup

    We have three Cisco Catalyst 3750 switches that are stacked. The primary switch has a VLAN ( # 99 ) set up on it. The VLAN has our incoming internet connection. The LAN ports from the two redundant firewalls are routed back to the primary switch ( non VLAN ). The WAN ports on the firewalls are connected to the VLAN. There are three unused ports ( 46, 47 & 48 ) available on the VLAN. There are also a couple of available ports ( 36 & 38 ) on the primary switch that are not in the VLAN.
    We want to connect a hardware device to one of the ports on the switch that monitors network traffic. Need to connect two ports on the hardware device. One for LAN/WAN traffic, and one for the SPAN port.
    Question:
    Which port would you setup as the LAN port ? 
    Which port would you setup as the SPAN port ?
    What commands would we run to set this up ?
    Thanks

    I would suggest moving this post here: https://supportforums.cisco.com/community/6016/lan-switching-and-routing
    3750 isn't considered a small business switch.

  • Span port and Unicast packets

    There is a problem with a PIX sending syslogs to a device that is plugged into the same switch as the PIX. From any other switch, in the span port the packets are seen going from the pix's ip port (514) to the device's ip port (514). Why do I see unicast packets propagating through all the switches when both devices are in the same switch? Do I need to hard code the MAC's into the switch? The problem doesn't occur all the time.

    When a switch receives a unicast packet with a destination address that it has not learned, the default is to flood it to all ports. You can disable flooding in this case on a per-port basis. So, I think in your switches, the default setting of flooding is enabled, VLANs are configured, and also VTP (trunking) is enabled so that even though the source and destination are on the same switch, because of the same VLANs, trunking and flooding enabled, the packet propagates through all switches.
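
An added illustration, not part of the original thread: a minimal Python model of a learning switch showing the unknown-unicast flooding the reply describes. It goes one step beyond the reply by modelling MAC-table aging, which is an assumption about why the flooding is intermittent; the port names, MAC addresses and 300-second aging timer are constructed values.

```python
# Added example: toy learning-switch model, not vendor code.
# Ports, MACs (documentation range) and the aging time are constructed values.

class LearningSwitch:
    def __init__(self, ports, aging_seconds=300):
        self.ports = set(ports)
        self.aging = aging_seconds
        self.table = {}  # MAC address -> (port, time last seen as a source)

    def receive(self, in_port, src, dst, now):
        """Process one unicast frame; return the sorted list of egress ports."""
        # A switch learns only from SOURCE addresses, on the ingress port.
        self.table[src] = (in_port, now)

        # Look up the destination, dropping the entry if it has aged out.
        entry = self.table.get(dst)
        if entry is not None and now - entry[1] > self.aging:
            del self.table[dst]
            entry = None

        if entry is None:
            # Unknown unicast: flood out of every port except the ingress one.
            # Uplinks carry the copy on to neighbouring switches.
            return sorted(self.ports - {in_port})

        out_port = entry[0]
        return [] if out_port == in_port else [out_port]


def syslog_scenario():
    """PIX sends one-way UDP syslog to a collector on the same switch."""
    sw = LearningSwitch(["pix", "collector", "uplink1", "uplink2"])
    pix_mac = "00:00:5e:00:53:01"
    col_mac = "00:00:5e:00:53:02"
    seen = {}

    # t=0: the collector has never transmitted, so its MAC is unknown.
    seen["before_learning"] = sw.receive("pix", pix_mac, col_mac, now=0)

    # t=1: the collector sends any frame (e.g. an ARP reply) and is learned.
    sw.receive("collector", col_mac, pix_mac, now=1)
    seen["after_learning"] = sw.receive("pix", pix_mac, col_mac, now=2)

    # t=400: the collector only receives syslog and has been silent for
    # longer than the aging time, so its entry expires and flooding resumes.
    seen["after_aging"] = sw.receive("pix", pix_mac, col_mac, now=400)
    return seen


if __name__ == "__main__":
    for phase, ports in syslog_scenario().items():
        print(f"{phase:16s} -> {ports}")
```

For monitoring, the practical consequence is that a sensor on another switch sees this traffic only while the destination is unlearned, so it is not a reliable substitute for a SPAN session or tap at the source.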

  • Span port recording

    Hi All, A real idiot question but we have to use span port recording as we are using Citrix (unless anyone knows different) but I just can't get my head around the span part at the UCCX end. Span on all the access switches is fine but the server is only using 1 NIC for all the existing traffic, now, can I just enable span from the agents' IP phone vlan to the SAME port as what the server is currently connected to OR do I need to connect the 2nd NIC to the switch and configure the span to that port? Will I need to configure a separate IP address in the server for that 2nd NIC - I guess not.
    Many Thanks

    This is what I did recently for a customer: They have UCCX 8.5 running on ESXi on UCS C10 server. That server has two NICs but by default all the VMs were on one NIC. So I used the second NIC and I put the UCCX VM on that second NIC. Callmanager and Unity Connection VMs remained on the 1st NIC.
    Then I used a Catalyst 2960 to span the ingress of the voice vlan to the destination port that was connected to that second NIC. You have to enable ingress forwarding for that to work so that regular traffic can still pass through.
    Now, I did all this because 8.5 doesn't support using a second NIC. 7.x does, I believe. So you may be able to put the voice monitoring service on that NIC. I don't think it would need its own IP address if it's just in promiscuous mode trying to listen for voice traffic.
    Thanks,
    Mark

  • Span port channel

    Hi All,
       Is there any option to span a port channel of a Cisco 6500 switch? If possible, what is the configuration for the same?
    Pls help..
    Regards,
    Ajith

    Hi,
    You can, but the Portchannel has to be in on mode. You cannot use it with LACP or PAGP.
    Note:
    From Cisco IOS Software Release  12.2(33)SXH and later, PortChannel interface can be a destination port.  Destination EtherChannels do not support the Port Aggregation Control  Protocol (PAgP) or Link Aggregation Control Protocol (LACP) EtherChannel  protocols; only the on mode is supported, with all EtherChannel  protocol support disabled.
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml
    HTH
    Reza

  • Any way to open port for all computers?!

    Hey folks,
    I'm using an Airport Extreme as the router for a small network. It's been performing fantastically.
    But, something I can't figure out is:
    Is there any way to open a port for all the computers I have hooked into the Airport?
    I can of course open ports per internal IP address, but what I'd really like to do is just open up a slew of ports for all of the machines. This way I can leave them grabbing DHCP-provided, non-static IPs, but they can also get access to the services they need to.
    Tried the old asterisk in the host IP field (like "192.168.1.*") but no dice. Actually I can't even find a yes or no answer on if this is even possible...
    Thanks in advance!

    Sorry, but the AirPorts do not support a feature to forward a port to multiple IP addresses; only multiple ports to a single IP address.

  • TS1398 have been connected to my wireless network using a netgear sky broadband router succesfully for a few weeks, suddenly can't connect, network is showing but no signal - all other wireless gadgets are connected just fine - including iphone - any idea

    My iPad 4 has been connected to my wireless network using a Netgear Sky broadband router successfully for a few weeks, suddenly can't connect, network is showing but no signal - all other wireless gadgets are connected just fine - including iPhone - any ideas?

    Some things to try first:
    1. Turn Off your iPad. Then turn Off (disconnect power cord for 30 seconds or longer) the wireless router & then back On. Now boot your iPad. Hopefully it will see the WiFi.
    2. Go to Settings>Wi-Fi and turn Off. Then while at Settings>Wi-Fi, turn back On and choose a Network.
    3. Change the channel on your wireless router (Auto or Channel 6 is best). Instructions at http://macintoshhowto.com/advanced/how-to-get-a-good-range-on-your-wireless-network.html
    4. Go into your router security settings and change from WEP to WPA with AES.
    5. Renew IP Address: (especially if you are dropping internet connection)
        •    Launch Settings app
        •    Tap on Wi-Fi
        •    Tap on the blue arrow of the Wi-Fi network that you connect to from the list
        •    In the window that opens, tap on the Renew Lease button
    ~~~~~~~~~~~~~~~~~~~~~~~~~
    iOS 6 Wifi Problems/Fixes
    How To: Workaround iPad Wi-Fi Issues
    http://www.theipadfan.com/workaround-ipad-wifi-issues/
    Another Fix For iOS 6 WiFi Problems
    http://tabletcrunch.com/2012/10/27/fix-ios-6-wifi-problems-ssid/
    Wifi Doesn't Connect After Waking From Sleep - Sometimes increasing screen brightness prevents the failure to reconnect after waking from sleep. According to Apple, “If brightness is at lowest level, increase it by moving the slider to the right and set auto brightness to off.”
    Fix For iOS 6 WiFi Problems?
    http://tabletcrunch.com/2012/09/27/fix-ios-6-wifi-problems/
    Did iOS 6 Screw Your Wi-Fi? Here’s How to Fix It
    http://gizmodo.com/5944761/does-ios-6-have-a-wi+fi-bug
    How To Fix Wi-Fi Connectivity Issue After Upgrading To iOS 6
    http://www.iphonehacks.com/2012/09/fix-wi-fi-connectivity-issue-after-upgrading-to-ios-6.html
    iOS 6 iPad 3 wi-fi "connection fix" for netgear router
    http://www.youtube.com/watch?v=XsWS4ha-dn0
    Apple's iOS 6 Wi-Fi problems
    http://www.zdnet.com/apples-ios-6-wi-fi-problems-linger-on-7000004799/
    ~~~~~~~~~~~~~~~~~~~~~~~
    How to Fix a Poor Wi-Fi Signal on Your iPad
    http://ipad.about.com/od/iPad_Troubleshooting/a/How-To-Fix-A-Poor-Wi-Fi-Signal-On-Your-iPad.htm
    iOS Troubleshooting Wi-Fi networks and connections  http://support.apple.com/kb/TS1398
    iPad: Issues connecting to Wi-Fi networks  http://support.apple.com/kb/ts3304
    WiFi Connecting/Troubleshooting http://www.apple.com/support/ipad/wifi/
    How to Fix: My iPad Won't Connect to WiFi
    http://ipad.about.com/od/iPad_Troubleshooting/ss/How-To-Fix-My-Ipad-Wont-Connect-To-Wi-Fi.htm
    iOS: Connecting to the Internet http://support.apple.com/kb/HT1695
    iOS: Recommended settings for Wi-Fi routers and access points  http://support.apple.com/kb/HT4199
    How to Quickly Fix iPad 3 Wi-Fi Reception Problems
    http://osxdaily.com/2012/03/21/fix-new-ipad-3-wi-fi-reception-problems/
    iPad Wi-Fi Problems: Comprehensive List of Fixes
    http://appletoolbox.com/2010/04/ipad-wi-fi-problems-comprehensive-list-of-fixes/
    Connect iPad to Wi-Fi (with troubleshooting info)
    http://thehowto.wikidot.com/wifi-connect-ipad
    Fix iPad Wifi Connection and Signal Issues  http://www.youtube.com/watch?v=uwWtIG5jUxE
    Fix Slow WiFi Issue https://discussions.apple.com/thread/2398063?start=60&tstart=0
    How To Fix iPhone, iPad, iPod Touch Wi-Fi Connectivity Issue http://tinyurl.com/7nvxbmz
    Unable to Connect After iOS Update - saw this solution on another post.
    https://discussions.apple.com/thread/4010130
    Note - When troubleshooting wifi connection problems, don't hold your iPad by hand. There have been a few reports that holding the iPad by hand, seems to attenuate the wifi signal.
    ~~~~~~~~~~~~~~~
    If any of the above solutions work, please post back what solved your problem. It will help others with the same problem.
     Cheers, Tom

  • Open ports for all in LAN

    Hi, a few days ago I bought a wireless router WRT160n. I want to ask how to open some port for all in LAN(3 clients). For example all in LAN have PeerToPeer application for torrents. I want to open port for example 20202 for all. Now I open port from menu Applications & Gaming->Single Port Forwarding, but I must set port for each user IP address.
    Can somebody tell me how to open port for all in LAN without to config for each computer?
    Thanks in advance.

    Hi gv. I read more about UPnP and the WRT160n User Guide. In the section Administration>Management it is written that UPnP is enabled by default; in my router that is correct. I set up my PeerToPeer (eMule) TCP/UDP ports to 20202 and checked the option "Use UPnP to setup ports". I tested and closed this port in my router configuration for my computer under "Single Port Forwarding", but in eMule the port is still blocked. Can you explain why it did not work? For UPnP it says that, if enabled, it allows users with Windows ME and XP to automatically configure router ports.
    Thanks in advance!
    Best Regards.
