SPAN port or Capture?

Similar Messages

• Intrusion-detection-module 7 data-port 2: Capture not allowed on a SPAN destination port

  Hi all
  I have 2 switches Cat6509E. each with IDSM module
  I have on first switch this commands
  intrusion-detection module 7 data-port 1 capture
  intrusion-detection module 7 data-port 2 capture
  intrusion-detection module 7 data-port 1 capture allowed-vlan 4,6,16,17,66
  intrusion-detection module 7 data-port 2 capture allowed-vlan 68,70,74,134,145
  And when I trying to put the same on second switch I will get this error message
  Intrusion-detection-module 7 data-port 2:  Capture not allowed on a SPAN destination port
  What does it mean?
  Output "sh monitor" is the same on both switches
  Session 1
  Type                   : Service Module Session
  Modules allowed        : 1-9
  Modules active         : 1,7
  BPDUs allowed          : Yes
  Session 2
  Type                   : Local Session
  Source VLANs           :
      Both               : 4
  Destination Ports      : analysis-module 8 data-port 1
  Peter

  Hi Peter,
       The first switch that you mention is configured (judging from the "intrusion-detection" commands) to use the VACL capture method of sending traffic to the IDSM-2 for inspection.  You can read about this method here:
  http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1030828
  In short, you configure a VACL to define the traffic you want to capture and apply it to the appropriate VLANs.  When traffic matches the VACL, it's copied to the IDSM-2 ports that have been configured with the "intrusion-detection module 7 data-port 1  capture" commands.
  On the second switch it appears that there is a monitor session setup SPANing traffic to the IDSM-2 port.  This is an alternative method of sending trafic to the IDSM-2 for inspection and is mutually exclusive with the VACL method on a particular IDSM-2 interface.  You can read about the SPAN method here:
  http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1030816
  This method, in short, simply involves configuring a SPAN session with the IDSM-2 interface as the desination.
  You'll need to choose one method or the other for configuring the second switch.  If you want it to match the configuration on the first switch, simply remove the monitor (SPAN) session that's currently configured.
  Best Regards,
  Justin

• Applying span port for sniffer

  Hi,
  We want to sniff some traffic that is passing between two nodes in our network.
  The flow will look like this;
  Edge switch > Core switch > (Wireless controller A) > metro ethernet link > Core switch > (wireless controller B)
  Wireless controller is connected to the core switch. We want to sniff traffic that passes from controller A towards the other side of the network.
  Controller A side belongs to us, hence we can only put sniffing on our end.
  Please help to understand how to setup span port on a laptop in this setup.
  If we connect a notebook on the coreswitch to sniff traffic passing through, will it be right?
  Appreciate all inputs.

  That's correct, the only thing I might note is to decide if you want to collect both rx and tx data?  By leaving it default, as you did above, it will capture"both" directions.  Capturing both is fine, but it will increase your wireshark capture size.  I would also recommend applying a wireshark filter to only see the specific traffic you are interested in.  A simple Google search will give you more info on wireshark filters.  Lastly, remember to remove the monitor session once you are done.  We see leftover SPAN sessions often causing various switch problems, so they are only recomended to use as needed. 
  HTH
  Luke

• Is SPAN port not allowed in Nexus FEX Port ?

  Hi
      Customer want me to defined a SPAN port on N2K, it is a fex port. when I configure I got the following statement from the switch.
  Is there any way to solve the problem?
  n5k-N2K(config-monitor)# destination ?
    interface  Configure interfaces
  n5k-N2K(config-monitor)# destination interface eth102/1/18
  ERROR: Eth102/1/18: Configuration not allowed on fex interface
  N5K VERSION
  Cisco Nexus Operating System (NX-OS) Software
  TAC support: http://www.cisco.com/tac
  Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved.
  The copyrights to certain works contained herein are owned by
  other third parties and are used and distributed under license.
  Some parts of this software are covered under the GNU Public
  License. A copy of the license is available at
  http://www.gnu.org/licenses/gpl.html.
  Software
    BIOS:      version 1.2.0
    loader:    version N/A
    kickstart: version 4.0(1a)N2(1)
    system:    version 4.0(1a)N2(1)
    BIOS compile time:       06/19/08
    kickstart image file is: bootflash:/n5000-uk9-kickstart.4.0.1a.N2.1.bin
    kickstart compile time:  2/25/2009 0:00:00 [02/25/2009 08:29:12]
    system image file is:    bootflash:/n5000-uk9.4.0.1a.N2.1.bin
    system compile time:     2/25/2009 0:00:00 [02/25/2009 08:56:57]

    Hi,
  A FEX port cannot be configured as a SPAN destination. Only a switch port can be configured and used as a SPAN destination.
  See link below for more info:
  http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/release/notes/Rel_5_1_3_N2_1/Nexus5000_Release_Notes_5_1_3_N2.html
  HTH

• How many span ports are supported on Sup2T and Catalyst 6880?

  Hi,
  I did not find any information concerning this.
  Would be great if anybody could send me a link to the information how many span ports are supported on the new Cat68 series.
  Regards
  Thorsten Steffen

  For sup2t
  ======== 
  Local SPAN, RSPAN, and ERSPAN Session Limits
  Total Sessions
  Local and Source Sessions
  Destination Sessions
  Local SPAN,
  RSPAN Source,
  ERSPAN Source 
  Ingress or Egress or Both
  Local SPAN Egress-Only
  RSPAN
  ERSPAN
  80
  2
  14
  64
  23
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/span_rspan_erspan.html
  Regards,
  Naveen
  ****Rate if it is helpful****

• NEXUS span session getting twice the data to the span port

  I'm setting up a montitor session on a NEXUS 7K as below.
  we are receiving in 150M of data and 0 data going out port 9/25.
  but port 4/24 shows 300M to the span port?
  Am I doing something wrong here or is that normal?
  monitor session 10
       no shutdown
       source int e 9/25  both
       destination int e 4/24

  i just confirmed that when I span  port on NEXUS 7K ios version 6.1(1) the RX data is duplicated to teh span port.
  does anyone know of bugs related to that ?

• CS11800 - Can I have a SPAN port for my IDS box?

  I have a network design that calls for a few CS11800s and it's smaller brother. The security team has asked if this content switch has a SPAN port that is availble so we can hang our IDS box off.
  Thanks
  B

  I am not extremely familiar with the CS11xxx series and its configuration options, but I can tell you that from experience with Cisco Catalyst switches and non-Cisco IDS devices a SPAN port is not always the best solution. In some instances I have had to disable packet learning in the SPAN session, and in other cases I have had to forego using SPAN at all and settled for an uplink to a hub that connected the IDS device and my router(s). This is especially true if the IDS device needs to be a member of the same VLAN as the traffic it is monitoring in order to send RST packets back onto the segment.
  I have researched this issue on my own and even opened TAC cases for a solution, but have received solutions ranging from "There's no reason this shouldn't work" to "You can not set up a SPAN session for IDS purposes." My recommendation would be (even though it does decrease performance a bit) to implement the hub solution, regardless of the CS11800 capabilities. This will prove to remove any potential X factors in the SPAN functionality and make your life a lot easier.
  Just my 2 cents. :)

• Cisco CE500 Switch and SPAN Port Monitoring

  Does the Cisco CE500 switch support SPAN/Port Monitoring? If so, how is this configured via the browser?
  Thanks

  Please check this document on Cisco.
  http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#Cat500

• Monitor or Span port Vulnerablility

  Is the CISCO IDS/IPS device connecting to Monitor or SPAN port Vulnerable? Is there a document which I can refer to ?

  It's very unlikely, but not impossible. Snort's had a few and the general concept is applicable to any IDS. If you suck in data off the network and process it, there's the potential for vulnerabilities. If you're worried about it, put the management interface in a management dmz.
  http://www.infoworld.com/article/03/03/04/HNsnort_1.html

• Nexus 9k span port

  Can someone provide instructions of how to configure a span port/monitor session on a 9k?

  Hi Joris,
  SPAN source functionality on satellite ports and host interface port channels is not supported when the FEX is connected to F2 Series modules. Beginning with Cisco NX-OS Release 6.2(2), FEX ports are supported as an egress SPAN source on F2e Series modules.
  http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/system_management/configuration/guide/sm_14span.html#wp1239670
  Nexus7k# show module
  Mod  Ports  Module-Type                         Model              Status
  1    0      Supervisor module                 N7K-SUP2           active *
  3    48     1/10 Gbps Ethernet Module           N7K-F248XP-25      ok
  Mod  Sw              Hw
  1    6.x(x)          1.0
  3    6.x(x)          1.1
  Mod  MAC-Address(es)                         Serial-Num
  1    84-xx-xxx to 84-xx-xxxx  JAxxxxxxxx
  3    00-xxx to 00-xxxxx JAxxxxxxx
  Mod  Online Diag Status
  1    Pass
  3    Pass
  * this terminal session
  Regards
  Jens

• SPAN port question

  Hi,
  I have two core switches 6500 and Access switches 4500. Both chassis. I need to span ports, but this ports are not in a vlan. I know that there is a limit to span ports that are not in a vlan. Does anyone know which is the limit? Is there a way to make all of them to span?
  Thanks!

  Hi Pablo
  As a forum focused on technical documentation, we checked to see if there was a doc that might answer your question.
  There is not enough information in your question to for us to pinpoint exactly what you need, but have you looked at, for example, “Configuring SPAN, RSPAN, and ERSPAN” for the Catalyst 6500 (IOS 12.2SX)”?
  If this doesn’t help, we’ll refer your question to the appropriate tech support community. They will probably find it helpful to know what operating system (CatOS or IOS) and which release you have, since this determines what SPAN features and restrictions are in effect.
  Thanks for posting,
  Hilde

• SPAN Port Monitoring Setup

  We have three Cicso Catalyst 3750 switches that are stacked.  The primary switch has a VLAN ( # 99 ) setup on it. The VLAN has our incoming internet connection. The LAN ports from the two redundant firewalls are routed back to the primary switch ( non VLAN ). The WAN ports on the firewalls are connected to the VLAN. There are three unused ports ( 46, 47 & 48 ) available on the VLAN. There are also a couple of available ports ( 36 & 38 ) on the primary switch that are not in the VLAN.
  We want to connect a hardware device to one of the ports on the switch that monitors network traffic. Need to connect two ports on the hardware device. One for LAN/WAN traffic, and one for the SPAN port.
  Question:
  Which port would you setup as the LAN port ? 
  Which port would you setup as the SPAN port ?
  What commands would we run to set this up ?
  Thanks

  I would suggest moving this post here: https://supportforums.cisco.com/community/6016/lan-switching-and-routing
  3750 isn't considered a small business switch.

• Span Port

  In one of my location using catalyst2900 eriesXl switch with IOS ver 11.2.I want to make one port as span for the other port where i connect my firewall for the process of monitering the triffic.Can I do the span port on this switch if so what is the command.

  Hi, this link should cover it. Not sure which release it was introduced so you may have to upgrade from 11.2.
  http://www.cisco.com/en/US/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007e838.html#xtocid22
  hth

• Span port and Unicast packets

  There is a problem with a PIX sending syslogs to a device that is plugged into the same switch as the PIX. From any other switch, in the span port the packets are seen going from the pix's ip port (514) to the device's ip port (514). Why do I see unicast packets propagating through all the switches when both devices are in the same switch? Do I need to hard code the MAC's into the switch? The problem doesn't occur all the time.

  When a switch receives a unicast packet with a destination address that it has not learned, the default is to flood it to all ports. You can disable flooding in this case on a per-port basis.So, I think in your switches, the default setting of flooding is enabled, VLANs are configured, and also VTP(trunking) is enabled so that even though the source and destination are on same switch, because of same VLANs, trunking and flooding enabled,the packet propagates through all switches.

• Span port 6500 12.1-(20)E MSFC2 inpkts

  From my research, it looks as if the CatOS had an inpkts keyword with spanning ports that allowed the SPAN port to receive normal incoming traffic. Is there an option like that in the IOS/MSFC2 configuration? Thanks.

  That feature is not supported in Native IOS code for Cat6000:
  Features Not Supported
  •Ability to accept ingress traffic on SPAN destination ports (CatOS equivalent - set span ... inpkts enable)
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/ol_2310.htm