SPAN port or Capture?
We currently have Cat6513 switches installed and we're looking into an IDSM-2 module, but for the time being, until we can actually purchase them, I would like to install a few Snort sensors into the switch to "monitor" a few VLANs.
I've read that there are only two SPAN ports, and to gain some type of correlation to the events, I figure I would need to install a separate Snort sensor for each VLAN. The problem is the limit of two SPAN ports. I heard that there is a way to utilize a "capture" feature on the 65xx systems.
Is the appropriate way for this to use the "capture" commands and if so how would I do that?
Also, I read where the SPAN ports have no performance impact on the switch, but would the "capture" commands?
I apologize if this is the wrong forum for this but I wasn't sure if this would be more of a switching or IDS question...
Thanks for any assistance!
-Jeff
The solution to that issue of only two SPAN ports is to use VACLs. There is documentation in Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 5.1.
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1030828
Refer to Catalyst 6500 Series Switch Command Reference for more information on trunk ports and ACLs.
Similar Messages
-
Intrusion-detection-module 7 data-port 2: Capture not allowed on a SPAN destination port
Hi all
I have 2 switches, Cat6509E, each with an IDSM module.
I have on the first switch these commands:
intrusion-detection module 7 data-port 1 capture
intrusion-detection module 7 data-port 2 capture
intrusion-detection module 7 data-port 1 capture allowed-vlan 4,6,16,17,66
intrusion-detection module 7 data-port 2 capture allowed-vlan 68,70,74,134,145
And when I try to put the same on the second switch I get this error message:
Intrusion-detection-module 7 data-port 2: Capture not allowed on a SPAN destination port
What does it mean?
Output of "sh monitor" is the same on both switches:
Session 1
Type : Service Module Session
Modules allowed : 1-9
Modules active : 1,7
BPDUs allowed : Yes
Session 2
Type : Local Session
Source VLANs :
Both : 4
Destination Ports : analysis-module 8 data-port 1
Peter
Hi Peter,
The first switch that you mention is configured (judging from the "intrusion-detection" commands) to use the VACL capture method of sending traffic to the IDSM-2 for inspection. You can read about this method here:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1030828
In short, you configure a VACL to define the traffic you want to capture and apply it to the appropriate VLANs. When traffic matches the VACL, it's copied to the IDSM-2 ports that have been configured with the "intrusion-detection module 7 data-port 1 capture" commands.
On the second switch it appears that there is a monitor session set up SPANning traffic to the IDSM-2 port. This is an alternative method of sending traffic to the IDSM-2 for inspection and is mutually exclusive with the VACL method on a particular IDSM-2 interface. You can read about the SPAN method here:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1030816
This method, in short, simply involves configuring a SPAN session with the IDSM-2 interface as the destination.
You'll need to choose one method or the other for configuring the second switch. If you want it to match the configuration on the first switch, simply remove the monitor (SPAN) session that's currently configured.
Best Regards,
Justin -
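The two feeding methods discussed in the first two threads (VACL capture for a Snort sensor on a regular port and for an IDSM-2 data port, and the SPAN session that conflicts with capture on the same IDSM-2 port), written out as an added Catalyst 6500 Cisco IOS configuration example. It is not configuration from either thread; the ACL and access-map names, the VLAN list, interface GigabitEthernet5/1, slot 7 for the IDSM-2 and session number 2 are assumptions.

```cisco
! Catalyst 6500, Cisco IOS. Assumed names and numbers: ACL IDS-MATCH, access map
! IDS-CAPTURE, VLANs 4,6,16,17,66, Snort sensor on Gi5/1, IDSM-2 in slot 7.

! 1. Define what to copy. "permit ip any any" copies all IP traffic in the
!    filtered VLANs; narrow the ACL if the sensor only needs part of it.
ip access-list extended IDS-MATCH
 permit ip any any
!
! 2. A VACL whose action is "forward capture": matching traffic is switched
!    normally AND a copy is sent to every capture port allowed for that VLAN.
vlan access-map IDS-CAPTURE 10
 match ip address IDS-MATCH
 action forward capture
!
! 3. Apply the VACL to the VLANs to be inspected. Unlike SPAN there is no
!    two-session limit; one map can be applied to as many VLANs as needed.
vlan filter IDS-CAPTURE vlan-list 4,6,16,17,66
!
! 4a. Capture port for a Snort sensor on a regular switch port (Jeff's case).
!     The port only receives the VLANs in its allowed list, so one sensor per
!     VLAN, or one sensor seeing several VLANs on a single capture port, works.
interface GigabitEthernet5/1
 switchport
 switchport capture allowed vlan 4,6
 switchport capture
!
! 4b. Capture port on an IDSM-2 data port (Peter's case). This is the command
!     that is refused with "Capture not allowed on a SPAN destination port"
!     while a monitor session still points at the same data port.
intrusion-detection module 7 data-port 1 capture
intrusion-detection module 7 data-port 1 capture allowed-vlan 4,6,16,17,66
!
! The SPAN alternative for the same IDSM-2 port is mutually exclusive with 4b
! on that interface. On Peter's second switch the existing session has to go
! before 4b is accepted:
!     no monitor session 2
! If SPAN is wanted instead of VACL capture, it looks like this:
!     monitor session 2 source vlan 4 both
!     monitor session 2 destination intrusion-detection-module 7 data-port 1
!
! Verification:
!     show vlan access-map IDS-CAPTURE
!     show vlan filter
!     show monitor            (should list no session using the capture port)
```

Both VACL capture and SPAN are carried out in the forwarding hardware of the 6500 rather than on the supervisor CPU, so neither adds per-packet load to the switch; the cost of VACL capture is ACL TCAM space for the access map, and the cost of both is the bandwidth of the destination port, which drops traffic once it is oversubscribed.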
Applying span port for sniffer
Hi,
We want to sniff some traffic that is passing between two nodes in our network.
The flow will look like this;
Edge switch > Core switch > (Wireless controller A) > metro ethernet link > Core switch > (wireless controller B)
Wireless controller is connected to the core switch. We want to sniff traffic that passes from controller A towards the other side of the network.
Controller A side belongs to us, hence we can only put sniffing on our end.
Please help to understand how to setup span port on a laptop in this setup.
If we connect a notebook on the coreswitch to sniff traffic passing through, will it be right?
Appreciate all inputs.
That's correct, the only thing I might note is to decide if you want to collect both rx and tx data. By leaving it default, as you did above, it will capture "both" directions. Capturing both is fine, but it will increase your Wireshark capture size. I would also recommend applying a Wireshark filter to only see the specific traffic you are interested in. A simple Google search will give you more info on Wireshark filters. Lastly, remember to remove the monitor session once you are done. We see leftover SPAN sessions often causing various switch problems, so they are only recommended to use as needed.
HTH
Luke -
Is SPAN port not allowed in Nexus FEX Port ?
Hi
Customer wants me to define a SPAN port on an N2K; it is a FEX port. When I configure it I get the following statement from the switch.
Is there any way to solve the problem?
n5k-N2K(config-monitor)# destination ?
interface Configure interfaces
n5k-N2K(config-monitor)# destination interface eth102/1/18
ERROR: Eth102/1/18: Configuration not allowed on fex interface
N5K VERSION
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
BIOS: version 1.2.0
loader: version N/A
kickstart: version 4.0(1a)N2(1)
system: version 4.0(1a)N2(1)
BIOS compile time: 06/19/08
kickstart image file is: bootflash:/n5000-uk9-kickstart.4.0.1a.N2.1.bin
kickstart compile time: 2/25/2009 0:00:00 [02/25/2009 08:29:12]
system image file is: bootflash:/n5000-uk9.4.0.1a.N2.1.bin
system compile time: 2/25/2009 0:00:00 [02/25/2009 08:56:57]
Hi,
A FEX port cannot be configured as a SPAN destination. Only a switch port can be configured and used as a SPAN destination.
See link below for more info:
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/release/notes/Rel_5_1_3_N2_1/Nexus5000_Release_Notes_5_1_3_N2.html
HTH -
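The workaround the answer implies, as an added NX-OS example that is not from the thread: keep the FEX host interface as the SPAN source and move the destination to a port on the parent Nexus 5000. Ethernet1/20 as the free parent port is an assumption; Eth102/1/18 is the port from the question.

```cisco
! Nexus 5000 with a Nexus 2000 FEX, NX-OS. Assumed: the sniffer is cabled to
! Ethernet1/20 on the parent N5K; Ethernet102/1/18 is the FEX port to watch.

! The SPAN destination must be a port on the N5K itself and must be placed in
! monitor mode. Offering a FEX host interface as the destination produces the
! "Configuration not allowed on fex interface" error shown above.
interface Ethernet1/20
  switchport monitor
!
monitor session 1
  ! A FEX host interface is acceptable as a SPAN source, so the customer's
  ! port can still be captured; only the destination moves to the parent.
  ! Check the release notes for the running version first: the poster's
  ! 4.0(1a)N2(1) is older than the 5.1(3)N2(1) notes linked in the answer.
  source interface Ethernet102/1/18 both
  destination interface Ethernet1/20
  no shut
!
! Verify: the session state should be "up" and the destination must be the
! parent-switch port, not a FEX port.
!     show monitor session 1
```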
How many span ports are supported on Sup2T and Catalyst 6880?
Hi,
I did not find any information concerning this.
Would be great if anybody could send me a link to the information how many span ports are supported on the new Cat68 series.
Regards
Thorsten Steffen
For Sup2T
========
Local SPAN, RSPAN, and ERSPAN Session Limits (Catalyst 6500, Supervisor 2T)

  Total sessions                                                 80
  Local and source sessions
    Local SPAN, RSPAN source, ERSPAN source
      (ingress, egress, or both)                                  2
    Local SPAN egress-only                                       14
  Destination sessions
    RSPAN                                                        64
    ERSPAN                                                       23
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/span_rspan_erspan.html
Regards,
Naveen
****Rate if it is helpful**** -
NEXUS span session getting twice the data to the span port
I'm setting up a monitor session on a NEXUS 7K as below.
We are receiving 150M of data in and 0 data going out port 9/25,
but port 4/24 shows 300M to the span port?
Am I doing something wrong here or is that normal?
monitor session 10
no shutdown
source int e 9/25 both
destination int e 4/24
I just confirmed that when I SPAN a port on a NEXUS 7K, IOS version 6.1(1), the RX data is duplicated to the span port.
does anyone know of bugs related to that ? -
CS11800 - Can I have a SPAN port for my IDS box?
I have a network design that calls for a few CS11800s and its smaller brother. The security team has asked if this content switch has a SPAN port that is available so we can hang our IDS box off it.
Thanks
B
I am not extremely familiar with the CS11xxx series and its configuration options, but I can tell you that from experience with Cisco Catalyst switches and non-Cisco IDS devices a SPAN port is not always the best solution. In some instances I have had to disable packet learning in the SPAN session, and in other cases I have had to forego using SPAN at all and settled for an uplink to a hub that connected the IDS device and my router(s). This is especially true if the IDS device needs to be a member of the same VLAN as the traffic it is monitoring in order to send RST packets back onto the segment.
I have researched this issue on my own and even opened TAC cases for a solution, but have received solutions ranging from "There's no reason this shouldn't work" to "You can not set up a SPAN session for IDS purposes." My recommendation would be (even though it does decrease performance a bit) to implement the hub solution, regardless of the CS11800 capabilities. This will prove to remove any potential X factors in the SPAN functionality and make your life a lot easier.
Just my 2 cents. :) -
Cisco CE500 Switch and SPAN Port Monitoring
Does the Cisco CE500 switch support SPAN/Port Monitoring? If so, how is this configured via the browser?
Thanks
Please check this document on Cisco.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#Cat500 -
Monitor or SPAN port vulnerability
Is the Cisco IDS/IPS device connecting to a Monitor or SPAN port vulnerable? Is there a document which I can refer to?
It's very unlikely, but not impossible. Snort's had a few and the general concept is applicable to any IDS. If you suck in data off the network and process it, there's the potential for vulnerabilities. If you're worried about it, put the management interface in a management dmz.
http://www.infoworld.com/article/03/03/04/HNsnort_1.html -
Can someone provide instructions of how to configure a span port/monitor session on a 9k?
Hi Joris,
SPAN source functionality on satellite ports and host interface port channels is not supported when the FEX is connected to F2 Series modules. Beginning with Cisco NX-OS Release 6.2(2), FEX ports are supported as an egress SPAN source on F2e Series modules.
http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/system_management/configuration/guide/sm_14span.html#wp1239670
Nexus7k# show module
Mod Ports Module-Type Model Status
1 0 Supervisor module N7K-SUP2 active *
3 48 1/10 Gbps Ethernet Module N7K-F248XP-25 ok
Mod Sw Hw
1 6.x(x) 1.0
3 6.x(x) 1.1
Mod MAC-Address(es) Serial-Num
1 84-xx-xxx to 84-xx-xxxx JAxxxxxxxx
3 00-xxx to 00-xxxxx JAxxxxxxx
Mod Online Diag Status
1 Pass
3 Pass
* this terminal session
Regards
Jens -
Hi,
I have two core switches, 6500, and access switches, 4500, both chassis. I need to span ports, but these ports are not in a VLAN. I know that there is a limit on spanning ports that are not in a VLAN. Does anyone know what the limit is? Is there a way to make all of them span?
Thanks!
Hi Pablo
As a forum focused on technical documentation, we checked to see if there was a doc that might answer your question.
There is not enough information in your question to for us to pinpoint exactly what you need, but have you looked at, for example, “Configuring SPAN, RSPAN, and ERSPAN” for the Catalyst 6500 (IOS 12.2SX)”?
If this doesn’t help, we’ll refer your question to the appropriate tech support community. They will probably find it helpful to know what operating system (CatOS or IOS) and which release you have, since this determines what SPAN features and restrictions are in effect.
Thanks for posting,
Hilde -
We have three Cisco Catalyst 3750 switches that are stacked. The primary switch has a VLAN (#99) set up on it. The VLAN has our incoming internet connection. The LAN ports from the two redundant firewalls are routed back to the primary switch (non-VLAN). The WAN ports on the firewalls are connected to the VLAN. There are three unused ports (46, 47 & 48) available on the VLAN. There are also a couple of available ports (36 & 38) on the primary switch that are not in the VLAN.
We want to connect a hardware device to one of the ports on the switch that monitors network traffic. Need to connect two ports on the hardware device. One for LAN/WAN traffic, and one for the SPAN port.
Question:
Which port would you setup as the LAN port ?
Which port would you setup as the SPAN port ?
What commands would we run to set this up ?
Thanks
I would suggest moving this post here: https://supportforums.cisco.com/community/6016/lan-switching-and-routing
3750 isn't considered a small business switch. -
In one of my locations I am using a Catalyst 2900 series XL switch with IOS version 11.2. I want to make one port a SPAN for the other port, where I connect my firewall, for the purpose of monitoring the traffic. Can I do the SPAN port on this switch, and if so what is the command?
Hi, this link should cover it. Not sure which release it was introduced so you may have to upgrade from 11.2.
http://www.cisco.com/en/US/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007e838.html#xtocid22
hth -
There is a problem with a PIX sending syslogs to a device that is plugged into the same switch as the PIX. From any other switch, in the SPAN port, the packets are seen going from the PIX's IP port (514) to the device's IP port (514). Why do I see unicast packets propagating through all the switches when both devices are in the same switch? Do I need to hard code the MACs into the switch? The problem doesn't occur all the time.
When a switch receives a unicast packet with a destination address that it has not learned, the default is to flood it to all ports. You can disable flooding in this case on a per-port basis. So, I think in your switches, the default setting of flooding is enabled, VLANs are configured, and also VTP (trunking) is enabled, so that even though the source and destination are on the same switch, because of the same VLANs, trunking and flooding being enabled, the packet propagates through all switches.
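The unknown-unicast flooding described in the reply, together with the "hard code the MAC" option from the question and the per-port option from the reply, as an added Catalyst IOS example that is not from the thread. The collector's MAC address 0011.2233.4455, VLAN 10 and the interface numbers are assumptions.

```cisco
! Catalyst IOS. Assumed: syslog collector on Gi1/0/5 with MAC 0011.2233.4455
! in VLAN 10, PIX on Gi1/0/6, trunk to the other switches on Gi1/0/24.

! Why the flood is intermittent: the collector mostly receives (UDP/514 has no
! replies), so its MAC ages out of the CAM table after the default 300 s of
! silence. The next syslog frame from the PIX then has an unknown destination
! and is flooded out every port in VLAN 10, including the trunk, which is why
! it shows up on a SPAN port on a different switch. It stops as soon as the
! collector sends anything and is learned again.
!
! Check whether the destination is currently learned:
!     show mac address-table address 0011.2233.4455
!
! Fix 1: pin the collector's MAC so it never ages out (the "hard code" option).
!        Older IOS trains spell the keyword "mac-address-table".
mac address-table static 0011.2233.4455 vlan 10 interface GigabitEthernet1/0/5
!
! Fix 2 (alternative): lengthen the aging time so quiet hosts stay learned.
mac address-table aging-time 3600 vlan 10
!
! Fix 3: the per-port option from the reply. Stop unknown-unicast floods from
!        leaving the ports where they are not wanted, here the trunk. Do not
!        apply it to ports with quiet hosts behind them that must still be
!        reachable before they are learned, such as the collector's own port.
interface GigabitEthernet1/0/24
 switchport block unicast
```

Fix 1 is the precise remedy for a single known collector; Fix 3 is broader and also keeps any other aged-out unicast from crossing the trunk, so confirm with the `show mac address-table` output above that the hosts behind that port are learned before relying on it.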
-
Span port 6500 12.1-(20)E MSFC2 inpkts
From my research, it looks as if the CatOS had an inpkts keyword with spanning ports that allowed the SPAN port to receive normal incoming traffic. Is there an option like that in the IOS/MSFC2 configuration? Thanks.
That feature is not supported in Native IOS code for Cat6000:
Features Not Supported
Ability to accept ingress traffic on SPAN destination ports (CatOS equivalent - set span ... inpkts enable)
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/ol_2310.htm