Sometimes we need to know what traffic is arriving at or leaving a network device. For network traffic analysis there is, for example, the well-known and capable program Wireshark (formerly Ethereal). Although it is available for many operating systems, we cannot always install it on the monitored device itself. It is therefore useful to mirror (copy) all traffic on a given switch port to another port, where we connect an analyzer (e.g., a PC with Wireshark installed).
A few notes on traffic analysis. A network card normally discards all unicast traffic that is not addressed to it (based on the destination MAC address). Wireshark switches the card into so-called promiscuous mode, in which it does not filter but passes everything up to the higher layer/processor for processing. However, because we use switches, a station still mostly receives only the traffic intended for it.
A second standard feature of a network card is that it strips the VLAN tag information when passing the frame to the higher layer. So when we monitor a trunk port, we do not see the Ethernet frame extended by the 802.1Q tag. There are, however, ways to capture packets including the VLAN tags; they are described in more detail in the article VLAN capture setup.
Another case is that we want to analyze traffic in the whole network or a part of it (e.g., in a specific VLAN) in order to detect and prevent attacks. We can then copy the traffic of one or more VLANs from several switches to one port to which an IDS/IPS probe is connected.
For the situations described above we use a method called Port Mirroring or, in Cisco terminology, Switched Port Analyzer (SPAN) and Remote Switched Port Analyzer (RSPAN). SPAN works within a single switch, where one source (monitored) port, several ports, or an entire VLAN is mirrored to a destination (monitoring) port. RSPAN allows traffic to be forwarded from multiple switches.
Note: a SPAN destination port no longer allows the connected device to communicate normally; the switch only copies all monitored traffic out to it.
Configuration in Cisco IOS
When configuring, we create a monitoring session. For SPAN this is a single session that associates the destination port with the source port or VLAN. For RSPAN it is one RSPAN source session that links the source ports or VLANs with the RSPAN VLAN, plus one RSPAN destination session on another switch that links the RSPAN VLAN with the destination port.
A new configuration does not overwrite the original one, so sometimes it is necessary to delete the old configuration first:
SWITCH(config)#no monitor session all
SPAN Configuration
For local SPAN we configure a single session, so we must use the same session number for both the source and the destination. The session number can be from 1 to 66, but a maximum of 2 sessions can be configured per switch. As the source we can specify an interface or a vlan, or several ports or several VLANs (but the two must not be combined) using commas (,) and ranges (-). As the destination we can specify a port or a group of ports.
SWITCH(config)#monitor session 1 source interface g1/0/10
SWITCH(config)#monitor session 1 destination interface g2/0/1
In the source session we can also specify the direction of the traffic we want to monitor: rx for received traffic, tx for transmitted traffic, or both, which is the default.
SWITCH(config)#monitor session 2 source vlan 100, 150 rx
By default, L2 protocols such as CDP, VTP, DTP, STP and PAgP are not monitored. Packets are also sent out untagged (the VLAN tagging information is removed). We can change this with encapsulation replicate in the destination session.
SWITCH(config)#monitor session 2 destination interface g1/0/5 encapsulation replicate
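To verify on the analyzer side whether the mirrored frames still carry their VLAN tag (that is, whether encapsulation replicate is in effect), the following added example decodes the start of a captured Ethernet frame and reports the 802.1Q tag fields or their absence. It is not code from the original article; the sample frames are constructed with build_frame, which is a helper written for this example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def decode_frame(frame: bytes) -> dict:
    """Return the MAC addresses, the 802.1Q tag (or None if stripped) and the payload EtherType."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "vlan": None}
    ethertype, = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI: 3 bits priority (PCP), 1 bit drop eligible (DEI), 12 bits VLAN id
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan"] = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, vid=None, pcp=0) -> bytes:
    """Constructed test data: an untagged frame, or a tagged one as encapsulation replicate would deliver it."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return dst + src + tag + struct.pack("!H", ethertype) + payload
```

Feed decode_frame the raw bytes of a frame from the SPAN destination port; a vlan value of None means the switch (or the capturing NIC) removed the tag.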
If we are monitoring traffic on certain ports, we can further limit it to specific VLANs by adding a filter line:
SWITCH(config)#monitor session 1 filter vlan 100, 150
RSPAN Configuration
For RSPAN we use an RSPAN VLAN, through which all monitored traffic is carried between the switches. The properties described for SPAN also apply to RSPAN, so I will only describe what is added.
First we need to create the RSPAN VLAN on all switches that will take part in RSPAN. VTP can be used for this.
SWITCH(config)#vlan 999
SWITCH(config-vlan)#name monitoring-rspan
SWITCH(config-vlan)#remote span
Then we create a source session on the source switches and a destination session on the destination switch.
SWITCH1(config)#monitor session 1 source interface g1/0/10,g1/0/20
SWITCH1(config)#monitor session 1 destination remote vlan 999
SWITCH2(config)#monitor session 2 source remote vlan 999
SWITCH2(config)#monitor session 2 destination interface g1/0/1
With RSPAN, encapsulation replicate cannot be used, because the original VLAN number is overwritten by the RSPAN VLAN number.
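The rules scattered through the SPAN and RSPAN sections above (session numbers 1 to 66, at most 2 sessions per switch, no mixing of port and VLAN sources, no encapsulation replicate towards an RSPAN VLAN, filter vlan only with port sources) are collected here into a checker that can be run over one switch's monitor lines before they are pasted in. This is an added example, not code from the original article; it only understands the command forms shown on this page, and SAMPLE is constructed test input.

```python
import re
from collections import defaultdict

# One CLI line, with or without the "SWITCH(config)#" prompt in front of it.
LINE = re.compile(r"^(?:\S+\(config\)#\s*)?monitor session (\d+) (source|destination|filter) (.+)$")

def parse_sessions(config: str) -> dict:
    """Group the source/destination/filter clauses of each monitor session by its number."""
    sessions = defaultdict(lambda: {"source": [], "destination": [], "filter": []})
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if m:
            sessions[int(m.group(1))][m.group(2)].append(m.group(3).strip())
    return dict(sessions)

def check_sessions(config: str) -> list:
    """Return human-readable problems; an empty list means the sessions follow the rules above."""
    problems = []
    sessions = parse_sessions(config)
    if len(sessions) > 2:
        problems.append("more than 2 monitor sessions configured on one switch")
    for num, s in sorted(sessions.items()):
        if not 1 <= num <= 66:
            problems.append(f"session {num}: number must be between 1 and 66")
        if not s["source"] or not s["destination"]:
            problems.append(f"session {num}: needs both a source and a destination")
        # A session monitors either ports or VLANs (local or remote), never both.
        kinds = {"vlan" if src.startswith(("vlan ", "remote vlan ")) else "interface"
                 for src in s["source"]}
        if len(kinds) > 1:
            problems.append(f"session {num}: port and VLAN sources cannot be combined")
        for dst in s["destination"]:
            if dst.startswith("remote vlan") and "encapsulation replicate" in dst:
                problems.append(f"session {num}: encapsulation replicate is not usable with an RSPAN destination")
        if s["filter"] and kinds != {"interface"}:
            problems.append(f"session {num}: 'filter vlan' only applies to sessions with port sources")
    return problems

# Constructed sample: the article's RSPAN source switch plus one deliberately wrong session.
SAMPLE = """
SWITCH1(config)#monitor session 1 source interface g1/0/10,g1/0/20
SWITCH1(config)#monitor session 1 destination remote vlan 999
SWITCH1(config)#monitor session 1 filter vlan 100, 150
SWITCH1(config)#monitor session 2 source vlan 100, 150 rx
SWITCH1(config)#monitor session 2 source interface g1/0/5
SWITCH1(config)#monitor session 2 destination remote vlan 999 encapsulation replicate
"""
```

Running check_sessions(SAMPLE) reports the two faults in session 2 (mixed sources and encapsulation replicate on an RSPAN destination) and nothing for session 1.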
Displaying Information
To display information about all monitoring sessions, or about a specific one:
SWITCH#show monitor
SWITCH#show monitor session 1
Hello. Can you still buy an ordinary small 4-port LAN hub (not a switch)? For a notebook, for example? I haven't found anything anywhere. Or some small cheap switch that can be switched into hub mode or supports port mirroring?