SPAN Port (For Whole VLAN)

Hi All,
I have a similar setup to the attached. I want to make sure that I mirror all traffic going through VLAN 1. The server is the device that I will be mirroring all traffic to. How do I ensure that traffic from all switches on VLAN 1 is mirrored to the port the server is plugged into?
On the Core switch I currently have the following:
monitor session 1 source vlan 1
monitor session 1 destination interface Gi4/0/22  (this is where my server is plugged in)
But I don't think I'm actually monitoring traffic from the other switches. Is there something else I need to add / configure on my access switches to ensure I'm spanning all VLAN 1 traffic from all switches to my server?
Thanks

Are you monitoring on an egress switch, like the switch that is the default gateway for all of your users? If so, you should be capturing everything. If not, you'll possibly need to move your capture. This type of capture is local to a switch. The only other way that I know of is to create an RSPAN session on every switch that you want to capture from. You create a special remote-SPAN VLAN. On the edge switch, monitor VLAN 1 as the source, and the destination is that special VLAN. Do that for every switch. On your capture switch, monitor the special VLAN as the source, and then your destination would be your port. You would capture all traffic at that point.
HTH,
John
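A worked RSPAN configuration for the layout John describes, added here as an illustration; it is not taken from the thread. It assumes Catalyst IOS syntax, VLAN 999 as the remote-SPAN VLAN and Gi1/0/1 as each access switch's uplink (both placeholders), and it replaces the core's existing local session 1.

```cisco
! ---- Every switch in the path (access, distribution, core) ----
! The RSPAN VLAN must exist everywhere the mirrored copies travel.
! "remote-span" turns off MAC learning in it so copies are flooded
! along the trunks instead of being switched.
vlan 999
 name RSPAN-TO-IDS
 remote-span
!
! Allow the RSPAN VLAN on the inter-switch trunk (Gi1/0/1 is an assumed uplink;
! skip this if the trunk already allows all VLANs). Do NOT allow it on access ports:
! any port that can join VLAN 999 receives a copy of all VLAN 1 traffic.
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan add 999
!
! ---- Each access switch: copy VLAN 1 into the RSPAN VLAN ----
! rx only: with both directions a frame switched between two monitored
! ports on the same switch would be copied twice.
monitor session 1 source vlan 1 rx
monitor session 1 destination remote vlan 999
!
! ---- Core switch: pull the RSPAN VLAN out to the server port ----
! This replaces the local "source vlan 1" session: a destination port can
! belong to only one session.
monitor session 1 source remote vlan 999
monitor session 1 destination interface GigabitEthernet4/0/22
!
! Verify on each switch:
!   show monitor session 1
!   show vlan remote-span
```

The reason the copy has to be made at the edge: a VLAN source on the core only sees traffic that actually crosses the core, so two hosts on the same access switch talking within VLAN 1 never appear in a core-only session. Expect one copy per switch a frame traverses even with rx-only sources, since the trunk ports are also VLAN 1 members. Keep Gi4/0/22 out of VLAN 1; a destination port that belongs to a source VLAN is excluded from monitoring.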

Similar Messages

  • CS11800 - Can I have a SPAN port for my IDS box?

    I have a network design that calls for a few CS11800s and its smaller brother. The security team has asked if this content switch has a SPAN port that is available so we can hang our IDS box off it.
    Thanks
    B

    I am not extremely familiar with the CS11xxx series and its configuration options, but I can tell you that from experience with Cisco Catalyst switches and non-Cisco IDS devices a SPAN port is not always the best solution. In some instances I have had to disable packet learning in the SPAN session, and in other cases I have had to forego using SPAN at all and settled for an uplink to a hub that connected the IDS device and my router(s). This is especially true if the IDS device needs to be a member of the same VLAN as the traffic it is monitoring in order to send RST packets back onto the segment.
    I have researched this issue on my own and even opened TAC cases for a solution, but have received solutions ranging from "There's no reason this shouldn't work" to "You can not set up a SPAN session for IDS purposes." My recommendation would be (even though it does decrease performance a bit) to implement the hub solution, regardless of the CS11800 capabilities. This will prove to remove any potential X factors in the SPAN functionality and make your life a lot easier.
    Just my 2 cents. :)

  • Spanned port for IDS

    We're about to get an IDS system which will require a spanned port on the inside of our network. Inside our network we have a few 6500s, so I'd span a port on one of our core switches. My question is, there is definitely more than 1GB of traffic going through the core at any time; how would I get all this traffic to the IDS system? Would I just create an EtherChannel and use it as a destination, and plug all the ports into the IDS?

    Thanks for that link. According to that link you have to have separate IDSs attached to the EtherChannel (one per port):
    "The IPS appliances must be in on-a-stick mode, meaning that the IPS appliance can only use one sensing port on that Catalyst switch. That port is trunked so that the IPS appliance has an inbound and outbound path to and from the switch."
    Am I reading that wrong? Can I have one IPS with three or four ports attached to the same switch in an EtherChannel?
    It's starting to sound like I'm going to have to limit what ports I source, which means the IDS could potentially miss a threat or report it later than it could...

  • Applying span port for sniffer

    Hi,
    We want to sniff some traffic that is passing between two nodes in our network.
    The flow will look like this;
    Edge switch > Core switch > (Wireless controller A) > metro ethernet link > Core switch > (wireless controller B)
    Wireless controller is connected to the core switch. We want to sniff traffic that passes from controller A towards the other side of the network.
    Controller A side belongs to us, hence we can only put sniffing on our end.
    Please help me understand how to set up a SPAN port to a laptop in this setup.
    If we connect a notebook to the core switch to sniff traffic passing through, will it be right?
    Appreciate all inputs.

    That's correct. The only thing I might note is to decide if you want to collect both rx and tx data. By leaving it default, as you did above, it will capture "both" directions. Capturing both is fine, but it will increase your Wireshark capture size. I would also recommend applying a Wireshark filter to only see the specific traffic you are interested in. A simple Google search will give you more info on Wireshark filters. Lastly, remember to remove the monitor session once you are done. We see leftover SPAN sessions often causing various switch problems, so they are only recommended for use as needed.
    HTH
    Luke

  • Span port destination vlan

    Hi All, I need to span a port for a sniffer.
    Source port where the server is located: gi 1/11 (VLAN 100)
    Destination port where the sniffer PC is located: gi 1/25
    My question is, does the port gi 1/25 need to be on a specific VLAN? Can it be on the same VLAN as the source port, i.e. VLAN 100? Or should it be on any non-source VLAN? Thanks in advance.

    Hi Thomas,
    On which model of switch are you enabling this SPAN?
    Anyway, you can have the destination port on any VLAN depending on what interface you are monitoring. The only problem is that when you are monitoring a VLAN rather than a physical interface you need to be aware that "A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list and is not monitored".
    Hope that helps.
    Regards
    Najaf

  • Spanning tree for VLANS

    Hi,
    I need an answer to this puzzling scenario I have been asked to work with. I have two VLANs with about 10 switches on each end, and there is a link switch that has a connection to both sides of the VLAN. I have been asked to create a single spanning tree for the entire scenario. How can I go about this?
    Please, I am awaiting the opinions of anyone knowledgeable in this line. Thanks.

    Hi, I agree you can configure MST on your router to reduce the number of spanning-tree instances running on the switch from one per VLAN. You will have to map your VLAN range to the MST instance; useful CLI commands are
    spanning-tree mode mst
    spanning-tree mst configuration
    name (name)
    revision( revision number)
    instance (number) vlan (vlan range)
    check your config using
    show spanning-tree mst configuration.
    Hope this will help you get started.
    DW

  • ACE: Can the ft-vlan port be used for other vlans or not?

    Hi People,
    I am a bit confused reading Cisco's documentation. I am now using the ft-vlan on a dedicated port (no other VLANs), but I would like to use it as a normal port in order to use it in a context.
    From cisco website:
    "You cannot use this dedicated FT VLAN Ethernet port for normal network traffic; it must be dedicated for redundancy only.
    When you specify an Ethernet port or a port-channel interface as a dedicated FT VLAN, you have the option to either configure the dedicated VLAN as the only VLAN associated with the Ethernet port or port-channel interface, or to allocate it as part of a VLAN trunk link (see "(config-if) switchport trunk allowed vlan"). Note that the ACE automatically includes the FT VLAN in the VLAN trunk link. If you choose to configure VLAN trunking, it is not necessary for you to assign the FT VLAN in the trunk link along with the other VLANs."
    First it says you cannot use this port for other traffic, and then it says this port can be a trunk port. If the port is a trunk, then obviously you pass other VLANs too. Right? Or not? So can the port that has the ft-vlan be used in a context with other VLANs?
    thanks,
    george

    Then simply do not use the 'ft-port' command.
    This command automatically configures the interface as a switchport trunk with one VLAN allowed.
    If you reconfigure the interface with your own switchport command, all you risk is some kind of collision or a future software version which will deny this kind of configuration.
    Here is what I use to have VLAN 500 as part of a normal trunk interface.
    But be aware that if your interface is overloaded, FT traffic could get dropped and therefore you will end up with 2 active units, causing major traffic disruption.
    This is why we recommend running FT on its own interface with no other traffic.
    Generating configuration....
    interface gigabitEthernet 1/1
      switchport access vlan 1000
      shutdown
    interface gigabitEthernet 1/2
      shutdown
    interface gigabitEthernet 1/3
      switchport trunk native vlan 20
      switchport trunk allowed vlan 10-500
      no shutdown
    interface gigabitEthernet 1/4
      shutdown
    ft interface vlan 500
      ip address 192.168.77.2 255.255.255.0
      peer ip address 192.168.77.1 255.255.255.0
      no shutdown
    Gilles.

  • Port with multi-vlan for voice and data??

    Hi guys,
    I have a situation where my VoIP and data are on different segments. Voice is 10.x.x.x riding on VLAN 701, and my data is 192.x.x.x riding on VLAN 100.
    The problem occurs because our receptionist's PC has software installed for call forwarding for our general line. This software needs to be on the same VLAN as the IP phone VLAN, which is 701. If I put her PC on that VLAN, she can't access
    our LAN, which is VLAN 100. So she can't check her email etc.
    Can I know what options I have? Can I configure multiple VLANs for her PC on the switch? We are using a Cisco PoE 3560 switch. Thanks.

    Hi,
    on the L3 switch, you should have an IP address for both VLAN 701 and 100. So, the L3 switch is doing inter-VLAN routing.
    This means, unless you have ACL blocking traffic, any device will be able to reach any other device, even on a different VLAN.
    And, no matter where you put voice and applications, everything will work anyway.

  • How to configure a port channel with VLAN trunking (and make it work..)

    We're trying to configure a port channel group with trunked ports to connect a NetApp HA pair. We want to create two data LIFs and connect them to the switch stack. We are trying to create 2 data LIFs, one for CIFS and one for NFS, that are on different VLANs.
    We want the same ports to be able to allow multiple VLANs to communicate (trunked).
    These data LIFs should be able to fail over to different nodes in the HA pair and still be able to communicate on the network.
    What this means is that we have to connect 4 ports for each node in the NetApp HA pair to the switches and create a port channel of some type that allows for trunked VLANs. When we configure the ports, the configuration is as follows (below):
    We are only able to configure an IP on one of the vlans.
    When we configure an IP from another vlan for the data lif, it does not respond to a ping.
    Does anyone have any idea what I'm doing wrong on the Cisco switch?
    interface GigabitEthernet4/0/12
    description Netapp2-e0a
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    channel-protocol lacp
    channel-group 20 mode active
    end
    interface GigabitEthernet4/0/13
    description Netapp2-e0c
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    channel-protocol lacp
    channel-group 20 mode active
    end
    interface GigabitEthernet6/0/12
    description Netapp2-e0b
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    channel-protocol lacp
    channel-group 20 mode active
    end
    interface GigabitEthernet6/0/13
    description Netapp2-e0d
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    channel-protocol lacp
    channel-group 20 mode active
    end
    interface Port-channel20
    description Netapp2-NFS
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    spanning-tree portfast
    spanning-tree bpduguard enable
    end

    Our problem was fixed by the storage people.  They changed the server end to trunk, and the encapsulation / etherchannel.
    I like all the suggestions, and they probably helped out with the configuration getting this to work.
    Thanks!
    interface Port-channel20
    description Netapp2-NFS
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    switchport mode trunk
    interface GigabitEthernet4/0/12
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    switchport mode trunk
    channel-protocol lacp
    channel-group 20 mode active
    interface GigabitEthernet4/0/13
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    switchport mode trunk
    channel-protocol lacp
    channel-group 20 mode active
    interface GigabitEthernet6/0/12
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    switchport mode trunk
    channel-protocol lacp
    channel-group 20 mode active
    interface GigabitEthernet6/0/13
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    switchport mode trunk
    channel-protocol lacp
    channel-group 20 mode active

  • SPAN Configuration for IDSM

    Dears,
    We have an IDSM / FWSM running in our 6500 switch; the FWSM is in transparent mode, and for the IDSM we configured one SPAN port.
    Right now we have another requirement for a SPAN configuration. Currently the 6500 with the current SUP has a limitation of only 2 SPAN sessions,
    and we are using both, one for the FWSM and the second one for the IDSM.
    Can anyone help and suggest another option?
    Thanks.

    When running a FWSM in a 6500, you don't need to use a SPAN session to send traffic to the FWSM.  To send traffic through the FWSM, use the "firewall" set of commands in the 6500 switch configuration.
    I recommend reading the section "Assigning VLANs to the Firewall Services Module" from the FWSM 4.1 Configuration Guide:
    http://www.cisco.com/en/US/customer/docs/security/fwsm/fwsm41/configuration/guide/switch_f.html#wp1175820
    There's also an example of these commands in the "FWSM Basic Configuration Example" here:
    http://www.cisco.com/en/US/customer/products/hw/modules/ps2706/products_configuration_example09186a00808b4d9f.shtml#sw
    A similar command exists for the IDSM ("intrusion-detection module"), for use in certain configurations.  You can read more here, in the "Configuring IDSM-2" section of the IPS 6.1 Configuration Guide for CLI:
    http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_idsm2.html#wp1030828
    If nothing else, using these commands could free up the 2 available SPAN sessions for other use (such as a NAM module).
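A supervisor-side example of the approach described in the reply above, added as an illustration and not taken from the thread or from Cisco's guides. Slot numbers (FWSM in slot 3, IDSM-2 in slot 4) and VLAN IDs 10, 11 and 12 are assumed; the design is: hosts in VLAN 10, the transparent FWSM bridges 10 to 11, the IDSM-2 sits inline between 11 and 12, and the routed gateway SVI lives on VLAN 12.

```cisco
! Catalyst 6500 supervisor (IOS). Nothing here is a SPAN session: the VLANs are
! switched to the service modules, so both SPAN sessions stay free.
!
! Transparent FWSM in slot 3 bridges VLAN 10 (inside) to VLAN 11 (outside).
! Both VLANs have to be handed to the module as a VLAN group.
firewall vlan-group 1 10,11
firewall module 3 vlan-group 1
!
! IDSM-2 in slot 4, inline VLAN pair 11/12: frames cross the sensor on their way
! from the firewall's outside VLAN to the gateway VLAN. The sensor itself must be
! configured for inline VLAN pair mode on the same VLANs (sensor-side config not shown).
intrusion-detection module 4 data-port 1 trunk allowed-vlan 11,12
!
! Default gateway for the hosts, on the far side of both modules.
interface Vlan12
 ip address 10.0.12.1 255.255.255.0
 no shutdown
!
! Verify:
!   show firewall vlan-group
!   show firewall module
```

The order matters for the security design: a host in VLAN 10 cannot reach the gateway SVI without being bridged by the firewall and then inspected inline, because the supervisor has no Layer 3 interface on VLAN 10 or 11. If you later want a SPAN copy for a NAM or an out-of-band sensor, the two sessions are still available.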

  • SPAN port or Capture?

    We currently have Cat6513 switches installed and are looking into an IDSM-2 module, but for the time being, until we can actually purchase them, I would like to install a few Snort sensors into the switch to "monitor" a few VLANs.
    I've read that there are only two SPAN ports, and to gain some type of correlation to the events, I figure I would need to install a separate Snort sensor for each VLAN. The problem is the limit of two SPAN ports. I heard that there is a way to utilize a "capture" feature on the 65xx systems.
    Is the appropriate way for this to use the "capture" commands and if so how would I do that?
    Also, I read where the SPAN ports have no performance impact on the switch, but would the "capture" commands?
    I apologize if this is the wrong forum for this but I wasn't sure if this would be more of a switching or IDS question...
    Thanks for any assistance!
    -Jeff

    The solution to that issue of only two SPAN ports is to use VACLs. There is documentation in Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 5.1.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1030828
    Refer to Catalyst 6500 Series Switch Command Reference for more information on trunk ports and ACLs.
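A worked VACL capture configuration for the two-Snort-sensor case in the question above, added here as an illustration; it is not from the thread or the linked guide. It assumes Catalyst 6500 IOS, monitored VLANs 10 and 20, and sensor ports Gi3/1 and Gi3/2 (all placeholders).

```cisco
! Catalyst 6500 (IOS). A VACL is processed in the ACL TCAM, so the copy costs no
! extra forwarding CPU, and it does not consume one of the two SPAN sessions.
!
! The access map needs an ACL to match on. Match IP and non-IP separately:
! a VACL ends in an implicit deny, so a map with only an IP clause would DROP
! ARP and every other non-IP frame in the filtered VLANs.
ip access-list extended ALL-IP
 permit ip any any
mac access-list extended ALL-MAC
 permit any any
!
! "forward capture" = switch the frame normally AND copy it to the capture ports.
vlan access-map IDS-CAPTURE 10
 match ip address ALL-IP
 action forward capture
vlan access-map IDS-CAPTURE 20
 match mac address ALL-MAC
 action forward capture
!
! Apply the map to the VLANs you want the sensors to see.
vlan filter IDS-CAPTURE vlan-list 10,20
!
! One sensor per VLAN: each capture port is a tagged trunk that only admits
! the VLAN its sensor is responsible for, which keeps the per-sensor view clean.
interface GigabitEthernet3/1
 description snort-vlan10
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport capture allowed vlan 10
 switchport capture
!
interface GigabitEthernet3/2
 description snort-vlan20
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport capture allowed vlan 20
 switchport capture
!
! Verify:
!   show vlan access-map IDS-CAPTURE
!   show vlan filter
```

Because the capture port is a trunk, the sensor receives 802.1Q-tagged frames; configure Snort on a VLAN sub-interface or let it parse the tag. Test the map on a lab VLAN first: a typo in the ACL name leaves the map with no matching clause and the implicit deny then blackholes the VLAN.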

  • SPAN port question

    Hi,
    I have two 6500 core switches and 4500 access switches, both chassis. I need to span ports, but these ports are not in a VLAN. I know that there is a limit to spanning ports that are not in a VLAN. Does anyone know what the limit is? Is there a way to make all of them span?
    Thanks!

    Hi Pablo
    As a forum focused on technical documentation, we checked to see if there was a doc that might answer your question.
    There is not enough information in your question for us to pinpoint exactly what you need, but have you looked at, for example, "Configuring SPAN, RSPAN, and ERSPAN" for the Catalyst 6500 (IOS 12.2SX)?
    If this doesn’t help, we’ll refer your question to the appropriate tech support community. They will probably find it helpful to know what operating system (CatOS or IOS) and which release you have, since this determines what SPAN features and restrictions are in effect.
    Thanks for posting,
    Hilde

  • SPAN Port Monitoring Setup

    We have three Cisco Catalyst 3750 switches that are stacked. The primary switch has a VLAN (# 99) set up on it. The VLAN has our incoming internet connection. The LAN ports from the two redundant firewalls are routed back to the primary switch (non-VLAN). The WAN ports on the firewalls are connected to the VLAN. There are three unused ports (46, 47 & 48) available on the VLAN. There are also a couple of available ports (36 & 38) on the primary switch that are not in the VLAN.
    We want to connect a hardware device that monitors network traffic to one of the ports on the switch. We need to connect two ports on the hardware device: one for LAN/WAN traffic, and one for the SPAN port.
    Question:
    Which port would you setup as the LAN port ? 
    Which port would you setup as the SPAN port ?
    What commands would we run to set this up ?
    Thanks

    I would suggest moving this post here: https://supportforums.cisco.com/community/6016/lan-switching-and-routing
    3750 isn't considered a small business switch.

  • Span port recording

    Hi All, a real idiot question, but we have to use SPAN port recording as we are using Citrix (unless anyone knows different). I just can't get my head around the SPAN part at the UCCX end. SPAN on all the access switches is fine, but the server is only using 1 NIC for all the existing traffic. Now, can I just enable SPAN from the agents' IP phone VLAN to the SAME port the server is currently connected to, OR do I need to connect the 2nd NIC to the switch and configure the SPAN to that port? Will I need to configure a separate IP address in the server for that 2nd NIC? I guess not.
    Many Thanks

    This is what I did recently for a customer: they have UCCX 8.5 running on ESXi on a UCS C10 server. That server has two NICs, but by default all the VMs were on one NIC. So I used the second NIC and I put the UCCX VM on that second NIC. CallManager and Unity Connection VMs remained on the 1st NIC.
    Then I used a Catalyst 2960 to SPAN the ingress of the voice VLAN to the destination port that was connected to that second NIC. You have to enable ingress forwarding for that to work so that regular traffic can still pass through.
    Now, I did all this because 8.5 doesn't support using a second NIC. 7.x does, I believe. So you may be able to put the voice monitoring service on that NIC. I don't think it would need its own IP address if it's just in promiscuous mode trying to listen for voice traffic.
    Thanks,
    Mark
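The ingress-forwarding destination Mark describes, written out as an added example; it is not from the thread. It assumes a Catalyst 2960 running IOS, voice VLAN 200, server data VLAN 100 and the server's second NIC on Gi0/10 (all placeholders).

```cisco
! Catalyst 2960 (IOS). Copy frames entering the voice VLAN; rx only, so each
! RTP packet reaches the recorder once rather than once per direction.
monitor session 1 source vlan 200 rx
!
! The destination port also has to carry the server's normal traffic.
! "ingress untagged vlan 100" forwards frames the NIC sends INTO the switch on
! VLAN 100, so the NIC behaves like an access port in VLAN 100 while it also
! receives the mirrored voice VLAN. Without "ingress", a SPAN destination
! silently discards everything the attached host transmits.
monitor session 1 destination interface GigabitEthernet0/10 ingress untagged vlan 100
!
! Verify:
!   show monitor session 1
```

The destination's own VLAN (100) must not be a source of the session: a destination port that belongs to a source VLAN is excluded from monitoring. The NIC needs promiscuous mode (or a vSwitch port group that allows it) to hand the mirrored frames to the recording service, and it does not need an IP address for that.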

  • DHCP for Voice VLAN

    Hi,
    I am configuring a DHCP pool for the voice VLAN on a Cisco 2921 router.
    Here is the setup.
    2921 router -> 3750 -> 2960 PoE -> 7942 IP Phone
    Router Config
    ip dhcp excluded-address 10.146.54.1 10.146.89.50
    ip dhcp pool VoiceVlan
    network 10.146.54.0 255.255.255.0
    subnet prefix-length 24
    dns-server 10.144.68.32 10.144.68.33
    option 150 ip 10.146.68.36
    default-router 10.146.54.1
    netbios-name-server 10.144.68.32 10.144.68.33
    netbios-node-type h-node
    domain-name wft.root.loc
    lease 0 8
    interface GigabitEthernet0/0
    ip address 10.144.54.16 255.255.255.0
    duplex full
    speed 1000
    interface GigabitEthernet0/0.50
    encapsulation dot1Q 50
    ip address 10.146.54.15 255.255.255.0
    3750 Config
    interface GigabitEthernet1/0/3
    description To Router
    switchport access vlan 54
    switchport mode access
    switchport voice vlan 50
    speed 1000
    duplex full
    spanning-tree portfast
    interface Vlan50
    description VoiceVLAN
    ip address 10.146.54.1 255.255.255.0
    interface Vlan54
    ip address 10.144.54.1 255.255.255.0
    2960 Config
    interface FastEthernet0/1
    switchport access vlan 50
    switchport mode access
    spanning-tree portfast
    Troubleshooting
    Trunk is formed
    2960#sh int tru
    Port        Mode             Encapsulation  Status        Native vlan
    Gi0/3       on               802.1q         trunking      1
    Port        Vlans allowed on trunk
    Gi0/3       1-4094
    Port        Vlans allowed and active in management domain
    Gi0/3       1,50,54
    Port        Vlans in spanning tree forwarding state and not pruned
    Gi0/3       1,50,54
    The router received the DHCP discover from the IP phone, but it doesn't issue any IP. Here is the debug log:
    875525: Feb 13 15:11:26.167 GMT+8: IP: s=0.0.0.0 (GigabitEthernet0/0.50), d=255.255.255.255, len 576, input feature
    875526: Feb 13 15:11:26.167 GMT+8:     UDP src=68, dst=67, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    875527: Feb 13 15:11:26.167 GMT+8: FIBipv4-packet-proc: route packet from GigabitEthernet0/0.50 src 0.0.0.0 dst 255.255.255.255
    875528: Feb 13 15:11:26.167 GMT+8: FIBfwd-proc: Default:255.255.255.255/32 receive entry
    875529: Feb 13 15:11:26.167 GMT+8: FIBipv4-packet-proc: packet routing failed
    875530: Feb 13 15:11:26.167 GMT+8: IP: s=0.0.0.0 (GigabitEthernet0/0.50), d=255.255.255.255, len 576, rcvd 2
    875531: Feb 13 15:11:26.167 GMT+8:     UDP src=68, dst=67
    875532: Feb 13 15:11:26.167 GMT+8: IP: s=0.0.0.0 (GigabitEthernet0/0.50), d=255.255.255.255, len 576, stop process pak for forus packet
    875533: Feb 13 15:11:26.167 GMT+8:     UDP src=68, dst=67
    875534: Feb 13 15:11:26.167 GMT+8: DHCPD: client's VPN is .
    875535: Feb 13 15:11:26.167 GMT+8: DHCPD: No option 125
    875536: Feb 13 15:11:26.167 GMT+8: DHCPD: DHCPDISCOVER received from client 0110.bd18.0149.5b on interface GigabitEthernet0/0.50.
    Any help is appreciated.
    Cheers!

    Dude, look at your DHCP exclude on your router.
    It is supposed to be low/high IP.
    So basically you told the router to exclude IP addresses from 10.146.54.1 to 10.146.89.5.
    This means that DHCP will not hand out 10.146.54.1 through 10.146.89.5.
    try 
    ip dhcp excluded-address 10.146.54.1 10.146.54.15
    Hope this helps.  
    Also, I know this is years ago but thought I would throw that out there.  
