SPAN on the Catalyst 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560-E, 3750 and 3750-E Series Switches
These are guidelines for the configuration of the SPAN feature on the Catalyst 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560-E, 3750, and 3750-E Series Switches:
- The Catalyst 2950 Switches can have only one SPAN session active at a time and can monitor only source ports. These switches cannot monitor VLANs.
- The Catalyst 2950 and 3550 Switches can forward traffic on a destination SPAN port in Cisco IOS Software Release 12.1(13)EA1 and later.
- The Catalyst 3550, 3560, and 3750 Switches can support up to two SPAN sessions at a time and can monitor source ports as well as VLANs.
- The Catalyst 2970, 3560, and 3750 Switches do not require the configuration of a reflector port when you configure an RSPAN session.
- The Catalyst 3750 Switches support session configuration with the use of source and destination ports that reside on any of the switch stack members.
- Only one destination port is allowed per SPAN session, and a port can be the destination of only one session, so two SPAN sessions can never share a destination port.
The SPAN feature configuration commands are similar on the Catalyst 2950 and Catalyst 3550. However, the Catalyst 2950 cannot monitor VLANs. You can configure SPAN as in this example:

C2950#configure terminal
C2950(config)#
C2950(config)#monitor session 1 source interface fastethernet 0/2
!--- This configures interface Fast Ethernet 0/2 as source port.
C2950(config)#monitor session 1 destination interface fastethernet 0/3
!--- This configures interface Fast Ethernet 0/3 as destination port.
C2950(config)#
C2950#show monitor session 1
Session 1
---------
Source Ports:
    RX Only:       None
    TX Only:       None
    Both:          Fa0/2
Destination Ports: Fa0/3
C2950#
You can also configure a port as a destination for local SPAN and RSPAN for the same VLAN traffic. In order to monitor traffic for a particular VLAN that spans two directly connected switches, configure these commands on the switch that has the destination port. In this example, we monitor traffic from VLAN 5 that is spread across two switches:

c3750(config)#monitor session 1 source vlan < Remote RSPAN VLAN ID >
c3750(config)#monitor session 1 source vlan 5
c3750(config)#monitor session 1 destination interface fastethernet 0/3
!--- This configures interface FastEthernet 0/3 as a destination port.
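The guidelines above translate into a handful of checks that are easy to get wrong when pasting `monitor session` lines into several switches. The following added example (my own code, not Cisco's, and not part of the original note) lints a block of `monitor session` commands against those rules: the per-platform session limit, no VLAN sources on the 2950, one destination port per session, and no destination port shared between sessions. The platform table is built only from the figures stated above (it assumes the 3560-E/3750-E behave like the 3560/3750), and the sample configs are constructed, with VLAN 901 standing in for the remote RSPAN VLAN id.

```python
"""Lint Catalyst `monitor session` lines against the SPAN limits listed above.

Added example, not Cisco's code. The platform table and the sample configs
are constructed for illustration; check the release notes for your own IOS
version before relying on the numbers.
"""
import re
from collections import defaultdict

# Per-platform limits as stated in the guidelines above (assumption: the
# 3560-E/3750-E families share the 3560/3750 figures).
PLATFORM_LIMITS = {
    "2950": {"max_sessions": 1, "vlan_sources": False},
    "3550": {"max_sessions": 2, "vlan_sources": True},
    "3560": {"max_sessions": 2, "vlan_sources": True},
    "3750": {"max_sessions": 2, "vlan_sources": True},
}

MONITOR_RE = re.compile(
    r"monitor session (\d+) (source|destination) (interface|vlan) (.+?)(?: (rx|tx|both))?$"
)


def norm_if(name: str) -> str:
    """'fastethernet 0/2', 'FastEthernet0/2' and 'fa0/2' all become 'fa0/2'."""
    flat = name.replace(" ", "").lower()
    m = re.fullmatch(r"([a-z]+)([\d/]+)", flat)
    return m.group(1)[:2] + m.group(2) if m else flat


def parse_sessions(config_text: str) -> dict:
    """Map session id -> {'sources': [(kind, id, direction)], 'destinations': [port]}."""
    sessions = defaultdict(lambda: {"sources": [], "destinations": []})
    for raw in config_text.splitlines():
        # Drop prompts such as 'C2950(config)#' and '!---' comments; lines that
        # are not monitor commands (e.g. show output) are simply skipped.
        line = raw.split("#", 1)[-1].split("!", 1)[0].strip()
        m = MONITOR_RE.match(line)
        if not m:
            continue
        sid, role, kind, ident, direction = m.groups()
        if kind == "interface":
            ident = norm_if(ident)
        if role == "source":
            sessions[int(sid)]["sources"].append((kind, ident, direction or "both"))
        else:
            sessions[int(sid)]["destinations"].append(ident)
    return dict(sessions)


def validate(config_text: str, platform: str) -> list:
    """Return a list of rule violations (empty list means the config is clean)."""
    limits = PLATFORM_LIMITS[platform]
    sessions = parse_sessions(config_text)
    findings = []
    if len(sessions) > limits["max_sessions"]:
        findings.append(f"{len(sessions)} sessions configured; the {platform} supports {limits['max_sessions']}")
    dest_users = defaultdict(list)
    for sid, s in sorted(sessions.items()):
        if not limits["vlan_sources"] and any(k == "vlan" for k, _, _ in s["sources"]):
            findings.append(f"session {sid}: VLAN sources are not supported on the {platform}")
        if len(s["destinations"]) > 1:
            findings.append(f"session {sid}: more than one destination port ({', '.join(s['destinations'])})")
        if s["sources"] and not s["destinations"]:
            findings.append(f"session {sid}: has sources but no destination port")
        for port in s["destinations"]:
            dest_users[port].append(sid)
    for port, sids in dest_users.items():
        if len(sids) > 1:
            findings.append(f"{port} is the destination of sessions {sids}; a port can serve only one session")
    return findings


# The 2950 session from the note above, prompts and comments included.
PAGE_2950 = """
C2950(config)#monitor session 1 source interface fastethernet 0/2
!--- This configures interface Fast Ethernet 0/2 as source port.
C2950(config)#monitor session 1 destination interface fastethernet 0/3
"""

# Constructed snippet that breaks several rules when applied to a 2950.
BAD_2950 = """
monitor session 1 source vlan 10
monitor session 1 destination interface fa0/3
monitor session 1 destination interface fa0/4
monitor session 2 source interface fa0/5 rx
monitor session 2 destination interface fa0/3
"""

# The 3750 RSPAN example above; 901 is a constructed remote RSPAN VLAN id.
PAGE_3750 = """
c3750(config)#monitor session 1 source vlan 901
c3750(config)#monitor session 1 source vlan 5
c3750(config)#monitor session 1 destination interface fastethernet 0/3
"""

if __name__ == "__main__":
    for label, cfg, plat in [("page 2950", PAGE_2950, "2950"), ("bad 2950", BAD_2950, "2950"),
                             ("bad on 3550", BAD_2950, "3550"), ("page 3750", PAGE_3750, "3750")]:
        print(label, "->", validate(cfg, plat) or "OK")
```

Running the linter on the same bad snippet with `platform="3550"` drops the VLAN-source and session-count findings but keeps the two destination-port findings, which is exactly the difference the guideline list draws between the two families.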
The advent of switched networks made it very difficult for a network IDS to monitor a network promiscuously, because a switch delivers each frame only to the port where its destination lives. This was overcome by configuring the switch to replicate the traffic from all ports or VLANs onto a single port. This function goes by many names, including port mirroring, monitoring port, spanning port, SPAN port, and link mode port.
Port mirroring generally indicates the ability to copy the traffic from a single port to a mirror port, but disallows any type of bidirectional traffic on that port.
Spanning port usually indicates the ability to copy traffic from all the ports to a single port, but also typically disallows bidirectional traffic on that port.
In the case of Cisco, SPAN stands for Switch Port ANalyzer. Some switches do not allow SPAN ports to transmit packets; this is an issue if you wish to use IDS TCP countermeasures such as resets.
It may also be worth looking at network taps, which allow you to tap into a network link and take a parallel feed for the network IDS.
Cisco Catalyst 2950 3550 3750 (legacy "port monitor" syntax)

port monitor fa0/1
port monitor fa0/2
port monitor fa0/3
show port monitor

Output columns of "show port monitor": Monitor Port | Port Being Monitored

Notes:
- Monitored ports must be on the same VLAN as the monitor port.
- Monitored ports cannot be modified.
- "port monitor vlan" is only valid for VLAN 1, and will only monitor management traffic destined to the IP address configured as VLAN 1 on the switch.
- "port monitor", by itself, configures the port to monitor all ports on the switch that belong to the VLAN that port is assigned to.
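Because the legacy `port monitor` command silently expands a bare `port monitor` to "every port in my VLAN" and rejects cross-VLAN targets, it helps to compute what a stanza will actually mirror before enabling it. The following added example (my own code, not Cisco's, and not part of the original page) reads interface stanzas with `switchport access vlan` and `port monitor` lines and resolves, for each monitor port, the effective set of monitored ports together with any violation of the rules listed above. The interface names, VLAN numbers and the whole sample config are constructed; an interface with no `switchport access vlan` line is assumed to sit in VLAN 1.

```python
"""Resolve what a legacy `port monitor` configuration actually monitors.

Added example, not Cisco's code. Interface names and VLAN assignments in the
sample config are constructed; ports without an access VLAN line are assumed
to be in VLAN 1.
"""
import re

PORT_RE = re.compile(r"interface (\S+)")
VLAN_RE = re.compile(r"switchport access vlan (\d+)")
MON_RE = re.compile(r"port monitor(?: (vlan \d+|\S+))?")


def parse_interfaces(config_text: str) -> dict:
    """Return {port: {'vlan': int, 'monitor': [target or None, ...]}} from interface stanzas."""
    ports, cur = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m_port = PORT_RE.fullmatch(line)
        if m_port:
            cur = m_port.group(1).lower()
            ports[cur] = {"vlan": 1, "monitor": []}  # access VLAN defaults to 1 (assumption)
            continue
        if cur is None:
            continue
        m_vlan = VLAN_RE.fullmatch(line)
        if m_vlan:
            ports[cur]["vlan"] = int(m_vlan.group(1))
            continue
        m_mon = MON_RE.fullmatch(line)
        if m_mon:
            ports[cur]["monitor"].append(m_mon.group(1))  # None for a bare 'port monitor'
    return ports


def resolve(config_text: str) -> dict:
    """For each monitor port, compute {'monitors': [...], 'errors': [...]} using the three rules above."""
    ports = parse_interfaces(config_text)
    result = {}
    for name, p in ports.items():
        if not p["monitor"]:
            continue
        monitored, errors = [], []
        for target in p["monitor"]:
            if target is None:
                # Bare 'port monitor': every other port in this port's VLAN.
                monitored += [o for o, q in ports.items() if o != name and q["vlan"] == p["vlan"]]
            elif target.startswith("vlan "):
                vid = int(target.split()[1])
                if vid != 1:
                    errors.append(f"port monitor vlan {vid}: only VLAN 1 is valid")
                else:
                    # Only management traffic to the switch's VLAN 1 address is seen.
                    monitored.append("vlan1-management")
            elif target not in ports:
                errors.append(f"{target}: unknown interface")
            elif ports[target]["vlan"] != p["vlan"]:
                errors.append(f"{target}: VLAN {ports[target]['vlan']} differs from monitor port VLAN {p['vlan']}")
            else:
                monitored.append(target)
        result[name] = {"monitors": sorted(set(monitored)), "errors": errors}
    return result


# Constructed sample: fa0/4 mixes valid and invalid targets, fa0/5 uses the
# bare form, fa0/6 monitors VLAN 1 management traffic from the default VLAN.
SAMPLE = """
interface fa0/1
 switchport access vlan 10
interface fa0/2
 switchport access vlan 10
interface fa0/3
 switchport access vlan 20
interface fa0/4
 switchport access vlan 10
 port monitor fa0/1
 port monitor fa0/3
 port monitor vlan 20
interface fa0/5
 switchport access vlan 10
 port monitor
interface fa0/6
 port monitor vlan 1
"""

if __name__ == "__main__":
    for port, info in resolve(SAMPLE).items():
        print(port, "monitors", info["monitors"], "errors", info["errors"])
```

The resolver reports fa0/4 as monitoring only fa0/1, with fa0/3 (VLAN 20) and `port monitor vlan 20` rejected, while fa0/5 expands to fa0/1, fa0/2 and fa0/4, the other VLAN 10 ports.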