SPAN port question

Similar Messages

• SPAN port or Capture?

  We currently have Cat6513 switches installed and our looking into an IDSM-2 module, but for the time being until we can actually purchase them, I would like to install a few snort sensor into the switch to "monitor" a few VLANs.
  I've read where there are only two SPAN ports and to gain some type of correlation to the events, I figure I would need to install a separate snort sensor for each vlan. The problem is the limit of two SPAN ports. I heard that there is a way to utilize a "capture" feature on the 65xx systems.
  Is the appropriate way for this to use the "capture" commands and if so how would I do that?
  Also, I read where the SPAN ports have no performance impact on the switch, but would the "capture" commands?
  I apologize if this is the wrong forum for this but I wasn't sure if this would be more of a switching or IDS question...
  Thanks for any assistance!
  -Jeff

  The solution to that issue of only two span ports is to use VACLS. There is documentation in the Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 5.1.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1030828
  Refer to Catalyst 6500 Series Switch Command Reference for more information on trunk ports and ACLs.

• SPAN Port Monitoring Setup

  We have three Cicso Catalyst 3750 switches that are stacked.  The primary switch has a VLAN ( # 99 ) setup on it. The VLAN has our incoming internet connection. The LAN ports from the two redundant firewalls are routed back to the primary switch ( non VLAN ). The WAN ports on the firewalls are connected to the VLAN. There are three unused ports ( 46, 47 & 48 ) available on the VLAN. There are also a couple of available ports ( 36 & 38 ) on the primary switch that are not in the VLAN.
  We want to connect a hardware device to one of the ports on the switch that monitors network traffic. Need to connect two ports on the hardware device. One for LAN/WAN traffic, and one for the SPAN port.
  Question:
  Which port would you setup as the LAN port ? 
  Which port would you setup as the SPAN port ?
  What commands would we run to set this up ?
  Thanks

  I would suggest moving this post here: https://supportforums.cisco.com/community/6016/lan-switching-and-routing
  3750 isn't considered a small business switch.

• Span port recording

  Hi All, A real idiot question but we have to use span port recording as we are using citrix (unless anyone knows different) but I just can't get my head around the span part at the UCCX end. Span on all the access switches is fine but the server is only using 1 NIC for all the existing traffic, now, can I just enable span from the agents ip phone vlan to the SAME port as what the server is currently connected to OR do I need to connect the 2nd NIC to the switch and configure the span to that port? Will I need to configure a seperate IP address in the server for that 2nd NIC - I guess not.
  Many Thanks

  This is what I did recently for a customer: They have UCCX 8.5 running on ESXi on UCS C10 server. That server has two NICs but by default all the VMs were on one NIC. So I used the second NIC and I put the UCCX VM on that second NIC. Callmanager and Unity Connection VMs remained on the 1st NIC.
  Then I used a Catalyst 2960 to span the ingress of the voice vlan to the destination port that was connected to that second NIC. You have to enable ingress forwarding for that to work so that regular traffic can pass still pass through.
  Now, I did all this because 8.5 doesn't support using a second NIC. 7.x does, I believe. So you may be able to put the voice monitoring service on that NIC. I don't think it would need its own IP address if it's just in promiscuous mode trying to listen for voice traffic.
  Thanks,
  Mark

• Spanned port for IDS

  We're about to get an IDS system which will require a spanned port on the inside of our network. Inside our network we have a few 6500's so I'd span a port on one of our core switches...my question is, there is definetly more then 1GB of traffic going through the core at any time...how would I get all this traffic to the IDS system? Would I just create an etherchannel and use it as a destination, and plug all the ports into the IDS?

  Thanks for that link. According to that link you have to have seperate IDS's attached to the etherchannel (one per port):
  "The IPS appliances must be in on-a-stick mode, meaning that the IPS appliance can only use one sensing port on that Catalyst switch. That port is trunked so that the IPS appliance has an inbound and outbound path to and from the switch."
  Am I reading that wrong? Can I have one IPS with three or four ports attached to the same switch in an etherchannel?
  It's starting to sound like I'm going to have to limit what ports I source...which means the IDS could potentially miss a threat or report it later then it could....

• Is SPAN port not allowed in Nexus FEX Port ?

  Hi
      Customer want me to defined a SPAN port on N2K, it is a fex port. when I configure I got the following statement from the switch.
  Is there any way to solve the problem?
  n5k-N2K(config-monitor)# destination ?
    interface  Configure interfaces
  n5k-N2K(config-monitor)# destination interface eth102/1/18
  ERROR: Eth102/1/18: Configuration not allowed on fex interface
  N5K VERSION
  Cisco Nexus Operating System (NX-OS) Software
  TAC support: http://www.cisco.com/tac
  Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved.
  The copyrights to certain works contained herein are owned by
  other third parties and are used and distributed under license.
  Some parts of this software are covered under the GNU Public
  License. A copy of the license is available at
  http://www.gnu.org/licenses/gpl.html.
  Software
    BIOS:      version 1.2.0
    loader:    version N/A
    kickstart: version 4.0(1a)N2(1)
    system:    version 4.0(1a)N2(1)
    BIOS compile time:       06/19/08
    kickstart image file is: bootflash:/n5000-uk9-kickstart.4.0.1a.N2.1.bin
    kickstart compile time:  2/25/2009 0:00:00 [02/25/2009 08:29:12]
    system image file is:    bootflash:/n5000-uk9.4.0.1a.N2.1.bin
    system compile time:     2/25/2009 0:00:00 [02/25/2009 08:56:57]

    Hi,
  A FEX port cannot be configured as a SPAN destination. Only a switch port can be configured and used as a SPAN destination.
  See link below for more info:
  http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/release/notes/Rel_5_1_3_N2_1/Nexus5000_Release_Notes_5_1_3_N2.html
  HTH

• How many span ports are supported on Sup2T and Catalyst 6880?

  Hi,
  I did not find any information concerning this.
  Would be great if anybody could send me a link to the information how many span ports are supported on the new Cat68 series.
  Regards
  Thorsten Steffen

  For sup2t
  ======== 
  Local SPAN, RSPAN, and ERSPAN Session Limits
  Total Sessions
  Local and Source Sessions
  Destination Sessions
  Local SPAN,
  RSPAN Source,
  ERSPAN Source 
  Ingress or Egress or Both
  Local SPAN Egress-Only
  RSPAN
  ERSPAN
  80
  2
  14
  64
  23
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/span_rspan_erspan.html
  Regards,
  Naveen
  ****Rate if it is helpful****

• NEXUS span session getting twice the data to the span port

  I'm setting up a montitor session on a NEXUS 7K as below.
  we are receiving in 150M of data and 0 data going out port 9/25.
  but port 4/24 shows 300M to the span port?
  Am I doing something wrong here or is that normal?
  monitor session 10
       no shutdown
       source int e 9/25  both
       destination int e 4/24

  i just confirmed that when I span  port on NEXUS 7K ios version 6.1(1) the RX data is duplicated to teh span port.
  does anyone know of bugs related to that ?

• CS11800 - Can I have a SPAN port for my IDS box?

  I have a network design that calls for a few CS11800s and it's smaller brother. The security team has asked if this content switch has a SPAN port that is availble so we can hang our IDS box off.
  Thanks
  B

  I am not extremely familiar with the CS11xxx series and its configuration options, but I can tell you that from experience with Cisco Catalyst switches and non-Cisco IDS devices a SPAN port is not always the best solution. In some instances I have had to disable packet learning in the SPAN session, and in other cases I have had to forego using SPAN at all and settled for an uplink to a hub that connected the IDS device and my router(s). This is especially true if the IDS device needs to be a member of the same VLAN as the traffic it is monitoring in order to send RST packets back onto the segment.
  I have researched this issue on my own and even opened TAC cases for a solution, but have received solutions ranging from "There's no reason this shouldn't work" to "You can not set up a SPAN session for IDS purposes." My recommendation would be (even though it does decrease performance a bit) to implement the hub solution, regardless of the CS11800 capabilities. This will prove to remove any potential X factors in the SPAN functionality and make your life a lot easier.
  Just my 2 cents. :)

• Cisco CE500 Switch and SPAN Port Monitoring

  Does the Cisco CE500 switch support SPAN/Port Monitoring? If so, how is this configured via the browser?
  Thanks

  Please check this document on Cisco.
  http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#Cat500

• Monitor or Span port Vulnerablility

  Is the CISCO IDS/IPS device connecting to Monitor or SPAN port Vulnerable? Is there a document which I can refer to ?

  It's very unlikely, but not impossible. Snort's had a few and the general concept is applicable to any IDS. If you suck in data off the network and process it, there's the potential for vulnerabilities. If you're worried about it, put the management interface in a management dmz.
  http://www.infoworld.com/article/03/03/04/HNsnort_1.html

• Nexus 9k span port

  Can someone provide instructions of how to configure a span port/monitor session on a 9k?

  Hi Joris,
  SPAN source functionality on satellite ports and host interface port channels is not supported when the FEX is connected to F2 Series modules. Beginning with Cisco NX-OS Release 6.2(2), FEX ports are supported as an egress SPAN source on F2e Series modules.
  http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/system_management/configuration/guide/sm_14span.html#wp1239670
  Nexus7k# show module
  Mod  Ports  Module-Type                         Model              Status
  1    0      Supervisor module                 N7K-SUP2           active *
  3    48     1/10 Gbps Ethernet Module           N7K-F248XP-25      ok
  Mod  Sw              Hw
  1    6.x(x)          1.0
  3    6.x(x)          1.1
  Mod  MAC-Address(es)                         Serial-Num
  1    84-xx-xxx to 84-xx-xxxx  JAxxxxxxxx
  3    00-xxx to 00-xxxxx JAxxxxxxx
  Mod  Online Diag Status
  1    Pass
  3    Pass
  * this terminal session
  Regards
  Jens

• Applying span port for sniffer

  Hi,
  We want to sniff some traffic that is passing between two nodes in our network.
  The flow will look like this;
  Edge switch > Core switch > (Wireless controller A) > metro ethernet link > Core switch > (wireless controller B)
  Wireless controller is connected to the core switch. We want to sniff traffic that passes from controller A towards the other side of the network.
  Controller A side belongs to us, hence we can only put sniffing on our end.
  Please help to understand how to setup span port on a laptop in this setup.
  If we connect a notebook on the coreswitch to sniff traffic passing through, will it be right?
  Appreciate all inputs.

  That's correct, the only thing I might note is to decide if you want to collect both rx and tx data?  By leaving it default, as you did above, it will capture"both" directions.  Capturing both is fine, but it will increase your wireshark capture size.  I would also recommend applying a wireshark filter to only see the specific traffic you are interested in.  A simple Google search will give you more info on wireshark filters.  Lastly, remember to remove the monitor session once you are done.  We see leftover SPAN sessions often causing various switch problems, so they are only recomended to use as needed. 
  HTH
  Luke

• Span Port

  In one of my location using catalyst2900 eriesXl switch with IOS ver 11.2.I want to make one port as span for the other port where i connect my firewall for the process of monitering the triffic.Can I do the span port on this switch if so what is the command.

  Hi, this link should cover it. Not sure which release it was introduced so you may have to upgrade from 11.2.
  http://www.cisco.com/en/US/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007e838.html#xtocid22
  hth

• Span port and Unicast packets

  There is a problem with a PIX sending syslogs to a device that is plugged into the same switch as the PIX. From any other switch, in the span port the packets are seen going from the pix's ip port (514) to the device's ip port (514). Why do I see unicast packets propagating through all the switches when both devices are in the same switch? Do I need to hard code the MAC's into the switch? The problem doesn't occur all the time.

  When a switch receives a unicast packet with a destination address that it has not learned, the default is to flood it to all ports. You can disable flooding in this case on a per-port basis.So, I think in your switches, the default setting of flooding is enabled, VLANs are configured, and also VTP(trunking) is enabled so that even though the source and destination are on same switch, because of same VLANs, trunking and flooding enabled,the packet propagates through all switches.