This will display a graphic representing the port array of the switch. A guide to port mirroring on Cisco SPAN switches, Comparitech. The main thing to watch out for is the use of spaces. Cisco ME 3800X and ME 3600X switches software configuration. Cisco SPAN port mirror configuration, September 05, 20 0 comments Cisco. The following sections describe how to configure SPAN on Cisco ME 3800X and Cisco ME 3600X switches. Try to test your switch port security configuration with the ping command and by testing with the rogue laptop in the lab. Traffic monitoring (port mirroring) on Cisco Catalyst 4500 series. Earlier today I was tasked with discovering who in our network was causing traffic spikes on our internet connection. Cisco Catalyst 2960 series switches configure SPAN or.
Connect all your devices as shown in the following network diagram. Mar 29, 2020 This article describes how to configure switch port security on Cisco switches. SPAN (Cisco) or mirror (everyone else) ports are an excellent data source for network security monitoring and traffic analysis. Cisco: configuring the Catalyst Switched Port Analyzer (SPAN). A question came up on Twitter the other day about spanning a physical port to a virtual machine. This however works well with the excellent packet analysis software Wireshark. Since my core network is made up of Cisco devices I configured my core LAN switch to. Dec 30, 2011 SPAN is an acronym for Switched Port Analyzer. The following extract is from the Cisco configuration guide which gives a bit more detail on this feature. Verify port security is enabled and the MAC addresses of PC1 and PC2 were added to the running configuration with the show run command.
Other vendors have different names for it, such as Roving Analysis Port (RAP) on 3Com switches. Except for traffic that is required for the SPAN or RSPAN session, reflector ports and destination ports do not receive or forward traffic. You can use any network analysis software to process the packets that are sent to your device. Cisco SPAN port is a switchport analyzer on the Cisco Catalyst that allows you to select and SPAN or copy traffic from one or more source switchports or source VLANs onto one or more destination ports. Catalyst 2960 and 2960-S software configuration guide. Click on the port that you want to connect the packet sniffer to and select the modify option. The number of SPAN sessions that can be configured is. The SPAN port is a feature that mirrors traffic on a physical or virtual port to a specific port. Cisco Catalyst switches have a feature called SPAN (Switch Port Analyzer) that lets you copy all traffic from a source port or source VLAN to a destination interface. Enabling ingress traffic on a destination SPAN port in. Apr, 2020 Software configuration guide, Cisco IOS release 15.
A mirror or SPAN (Switch Port Analyzer) port can be a very useful resource if used in the correct way. Dec 03, 2018 The port mirroring setup will not store or analyze the traffic. How to configure monitoring on multiple EtherChannel or LACP links. Catalyst Switched Port Analyzer (SPAN) configuration. A port or interface on any line card of the switch should be on the same VLAN as the sc0 interface of the switch, which is the management interface. How to configure SPAN or port mirroring on a Cisco router. If you want to use Wireshark to capture traffic from an interface that is connected to a workstation, server, phone or anything else. Cisco IE 2000 switch software configuration guide, Cisco. The Websense appliances have two NICs so it is probably a more common configuration to connect one NIC to the destination SPAN port to monitor interesting traffic and use the other NIC to send RST packets out to blockrst. Catalyst 4500 series switch Cisco IOS software configuration guide, 12. Is there any option to SPAN a port channel of a Cisco 6500 switch. How to configure SPAN and RSPAN in Cisco Catalyst switches.
Standard port spanning allows you to mirror one or more physical source ports or. Since we have switches which run in separate collision domains per port we have to do some configuration on the switch first before we can analyze traffic. Configure your Cisco switch to capture data or VoIP traffic by mirroring incoming and outgoing packets with SPAN on Catalyst 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560. This guide contains instructions for configuration of a SPAN session (port mirroring) on Cisco Catalyst 2960 series switches. Oct 17, 2016 This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination Gigabit Ethernet port 2. The configuration is then modified to also monitor all traffic on all ports belonging to VLAN 10. SPAN ports are typically found on network switch gear and the feature is used to send a copy of network packets seen on one switch port or an entire VLAN to another switch port.
SPAN allows a copy of traffic destined for another port to be sent out the SPAN port, in this way allowing an attached IDS sensor to receive a copy of the traffic. Cisco IE 2000 switch software configuration guide, Cisco IOS release 15. The port mirroring setup will not store or analyze the traffic. Monitor session 1 source interface fastethernet 01, 02, 03 monitor. When you configure port mirroring, depending upon your hardware, you can mirror. You may not be allocated an IP address to the network analyzer. How to configure a local SPAN port on a Cisco Catalyst switch. I'm able to test if SPAN is working by checking the traffic on the network cards and by trying our monitoring software Websense. The Cisco Switch Port Analyzer, or SPAN, enables advanced network troubleshooting and the implementation of robust monitoring solutions.
SPAN and RSPAN, which is sometimes called port mirroring or. Network engineers or administrators use port mirroring to analyze and debug data or diagnose errors on a. Jan 22, 2019 Refer to the Enabling Switch Port Analyzer section of Managing Switches in order to configure SPAN on a Catalyst 2950 with software that is earlier than Cisco IOS software release 12. Port mirroring is used on a network switch to send a copy of network packets seen on one switch port or an entire VLAN to a network monitoring connection on another switch port. When the SPAN destination configuration is removed, the port reverts to its previous configuration. Attach the rogue laptop to any unused switch port and notice that the link lights are. The phone call still goes through but someone else is listening in.
Port mirroring, also known as SPAN (Switched Port Analyzer), is a method of monitoring network traffic. You can also get more information about setting up SPAN sessions on other switches on our core switch documentation page. Traffic monitoring (port mirroring) on Cisco Catalyst 4500. Catalyst 2950 switches that use Cisco IOS software release 12. The destination port will often be connected to a host running packet analyzing software, such as Wireshark. Hello, I'm trying to configure SPAN on my Cisco Catalyst 3560 in order to be able to mirror traffic from one port to another. Jan 28, 2018 The Switched Port Analyzer (SPAN) feature, which is sometimes called port mirroring or port monitoring, selects network traffic for analysis by a network analyzer. This example shows how to remove any existing configuration on SPAN session 1, configure SPAN session 1 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination Gigabit Ethernet port 2. How to configure SPAN or port mirroring on a Cisco router or. First, any existing SPAN configuration for session 1 is cleared and then bidirectional traffic is mirrored from source port 1 to destination port 10. With Wireshark installed on a laptop and a SPAN port configured on the switch, you have access to all the packets which are traversing the link you are monitoring. Software configuration guide, Cisco IOS release 15.
How to set up Switched Port Analyzer on Cisco switches. That is the normal output when configured as a SPAN port, it is fine. Understand how the Switched Port Analyzer can be used to first identify, and then mirror local switch port traffic over to a capture device for advanced analysis. Sep 11, 2018 Catalyst 3750-X and 3560-X switch software configuration guide, release 12. In Cisco environments you can use a feature called SPAN (Switch Port Analyzer) for this purpose. When a port is configured as a SPAN destination port, the configuration overwrites the original port configuration. Also the 5 minute input and output shows it passing traffic. How to configure SPAN and RSPAN on Cisco Catalyst 4500. I'm able to test if SPAN is working by checking the traffic on the network cards and by trying our monitoring software. Catalyst 3750-X and 3560-X switch software configuration guide, release 12. The Catalyst 3550, 3560, and 3750 switches can support up to two SPAN sessions at a time and can monitor source ports as well as VLANs. A way to be able to do all this is to configure a port on a Cisco Catalyst switch for the Switched Port Analyzer (SPAN) feature. The SPAN feature is a good tool but it has two limitations. A SPAN port can be configured many ways, and it's tricky to get right.
How to configure switch port security on Cisco switches. The Catalyst 2950 and 3550 switches can forward traffic on a destination SPAN port in Cisco IOS software release 12. When you configure a switch port as a SPAN destination port, it is no longer a normal switch port. When ports are spanned for monitoring, the port state shows as up/down. Maybe that is a generic term for this feature but I believe Cisco may call it ingress traffic on a destination SPAN port. Top 5 alternatives for SPAN or mirror ports, NetFort. How to configure Cisco SPAN, RSPAN, ERSPAN with examples. How to configure SPAN and RSPAN in Cisco Catalyst switches, October 17, 2014 November 25, 2014 Fuad Nahdi. Switched Port Analyzer (SPAN) allows you to send a copy of traffic passing through ports to another port on the switch. There is no destination port on a switch or switch stack running only an RSPAN source session. Recording VoIP traffic via port mirroring, OrecX will. The VLAN and interface IDs in the configuration provided below are only examples to assist in visualising what's required. Network monitoring via packet capturing/sniffing software, network analyser, IDS or IPS is possible using Cisco's SPAN or RSPAN method covered extensively in this article. How to configure SPAN or port mirroring on a Cisco router or switch.
In this guide we are going to look at how to set up SPAN ports on Cisco switches. Learn how to configure SPAN and RSPAN on SG350 and SG550 switches. In my case I had a LAN Base image on a Cisco 3850 so my only option is a SPAN port. Network management configuration guide, Cisco IOS XE release 3SE, Catalyst 3850 switches, chapter title. Observe how RSPANs are configured in a standard switched network. Creating a mirroring port, also called a SPAN port (Switched Port Analyzer), might be required for some network appliances to analyze network traffic. Read the appropriate documentation and release notes for the hardware and software of your switch or router. SPAN ports work by sending a copy of the traffic destined to one or more ports or VLANs to another port on the switch that has been connected to a network traffic analysis or security device. Cisco IE 2000 switch software configuration guide, Cisco IOS. Other companies have their own names for it but the purpose is the same. For these switch models, you need to get to the device's operating system and issue a command in order to specify the SPAN port and the port to monitor.
It provides guidelines, procedures, and configuration examples. Other than the added traffic passed to the SPAN port, the port is a standard port, which means you can manage the IDS from any machine that can route IP packets to the IDS. SPAN is not supported on logical interfaces such as VLANs or EFPs. SPAN (Switched Port Analyzer) technology and configuration. SPAN works by copying the traffic from one or more source ports. With them you can monitor single or multiple ports or VLANs and they give you access to packet payloads rather than just the header information that you get with flow data. The obvious answer is to use RSPAN, but in this particular case the switch did not support RSPAN so that wasn't an option. Configure Cisco Nexus port mirroring so that USM Anywhere can receive events. If possible what is the configuration for the same, pls help. Regards, Ajith.
There are three kinds of SPAN modes that are available for different scenarios. With port mirroring enabled, the switch sends a copy of all network packets seen on one port or an entire VLAN to another port, where the packet can be analyzed. This example shows how to set up a SPAN session (session 1) for monitoring source port traffic to a destination port. You can use any network analysis software to process the packets that are sent to. SPAN ports are commonly used for network traffic analysis applications. Nov 27, 2012 The SPAN port is a feature that mirrors traffic on a physical or virtual port to a specific port. This is commonly used for network appliances that require monitoring of network traffic such as an intrusion detection system, passive probe or real user monitoring (RUM) technology that is. SPAN sessions (local or remote) allow you to monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or. Configuring the Cisco Nexus 5000 series for port mirroring. Discover how a SPAN can traverse a switched network using the remote SPAN feature.
To practice and learn to configure port security on a Cisco switch, just download the port security Packet Tracer lab or create your own lab and follow the switch port security configuration guideline. We have two load-balanced firewalls attached to our Cisco Catalyst 4507 core switch. SPAN configuration on a Nexus 7000 series switch: this document provides a sample configuration and verification for the Switched Port Analyzer (SPAN) on the Cisco Nexus 7000 series devices to monitor the. Aug 11, 2016 Setting up SPAN ports on Cisco Nexus switches. Configuring SPAN on Cisco Catalyst switches monitor.
To see how to set up Sinefa to receive SPAN mirror traffic see how to set up SPAN and mirror port monitoring. Sep 09, 2015 SPAN (Cisco) or mirror (everyone else) ports are an excellent data source for network security monitoring and traffic analysis. If possible what is the configuration for the same, pls help. The destination port(s) run a sniffing or packet capture program like Ethereal, Wireshark or tcpdump. Catalyst 2960 and 2960-S software configuration guide, 12. Require a source port or VLAN and a destination port where the traffic will be collected. The following limitations and configuration guidelines apply when configuring SPAN on Cisco ME 3800X and Cisco ME 3600X switches. Cisco SPAN port mirror configuration, The Network Stack. Port mirroring on a Cisco Systems switch is generally referred to as Switched Port Analyzer (SPAN) or Remote Switched Port Analyzer (RSPAN). The Catalyst 3550, 3560, and 3750 switches can support up to two SPAN sessions at a time. The terms mirror and SPAN in regards to a port are the same thing. I want to mirror the traffic in ports 3 and 5 of switch1 and port 3 in switch 2 to the destination port fas06 of sw2 as. Port mirroring, as it's also called, is required to deploy in-depth network monitoring. Jan 01, 2014 Creating a mirroring port, also called a SPAN port (Switched Port Analyzer), might be required for some network appliances to analyze network traffic.
This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor received traffic on Gigabit Ethernet source port 1, and send it to destination Gigabit Ethernet port 2 with the same egress encapsulation type as the source port, and to enable ingress forwarding with IEEE 802. The following extract is from the Cisco configuration guide. Because SPAN only makes a copy of traffic, the source traffic is never. Hi all, is there any option to SPAN a port channel of a Cisco 6500 switch. Follow these steps to get SPAN active on the switch. In the following example we have our firewall connected to port 10 on the core switch and we want to send a copy of the traffic going to and from this port to ports 1 and 2. Entering SPAN configuration commands does not remove previously configured SPAN parameters. Cisco Catalyst 2960 series switches configure SPAN or port. SPAN section of the Cisco Nexus 5000 series NX-OS software configuration. The Switched Port Analyzer (SPAN) feature, sometimes called port mirroring or port monitoring, allows you to take a copy of network traffic as it passes through a network switch. In general, behind this destination port can be a traffic analyzer (Wireshark, ntop and so on), an IDS or other appliances. Explore how to configure and implement a standard local SPAN.