08-12-2003 03:56 PM - edited 03-02-2019 09:33 AM
I have a very simple need. I have a 3550 with IOS 12.1(8)EA1c. I have 48 ports. I want to monitor ports 1-47 and shoot the data over to port 48. I used the following commands. In the end port 48 is unreachable and a sho int fast0/48 shows "(monitored)" with line protocol being down. What am I doing wrong?
monitor session 1 source interface Fa0/1 - 47 both
monitor session 1 destination interface Fa0/48
This is the result of the sho int fast0/48
FastEthernet0/48 is up, line protocol is down (monitoring)
Hardware is Fast Ethernet, address is 0008.e3a3.fa2c (bia 0008.e3a3.fa2c)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s
input flow-control is off, output flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 8000 bits/sec, 8 packets/sec
408376 packets input, 147818581 bytes, 0 no buffer
Received 447 broadcasts, 5445 runts, 0 giants, 0 throttles
5481 input errors, 36 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
490092 packets output, 473839140 bytes, 0 underruns
0 output errors, 4055 collisions, 5 interface resets
0 babbles, 0 late collision, 33847 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
08-12-2003 04:35 PM
This is normal. Once you configure SPAN on the destination, the status of the port will change to what you are seeing.
GigabitEthernet3/1 is up, line protocol is down (monitoring) <----- it is telling us that this is
the destination port and that the packets are being copied to this port.
We don't support inpkts on the 3550 as on some other platforms, so you are unable to use the port as a SPAN port and a network port concurrently.
08-12-2003 07:03 PM
Thanks. But then what use is this "feature" if I can't get to the host that is doing the monitoring? The reason I want to do this is so that I can use a sniffer type utility. Short of a cross connect to a hub do I have any other option via IOS? Someone at Cisco needs to know that the functionality I am looking for is probably wanted by others and just makes sense.
08-13-2003 05:53 AM
I take that back -- we do support ingress traffic on a SPAN port as of 12.1(12c)EA1.
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12112cea/ol325201.htm#89520
W2S-4.8-c3550smi(config)#mon sess 1 dest int fa0/2 ?
encapsulation Set encapsulation for destination interface
ingress Enable ingress traffic forwarding
08-13-2003 06:55 AM
Thanks, but can you be more specific? Can you give me the exact commands? The ports I want to monitor are fa0/1-47 and I want the monitor port to be fa0/48. Thanks. I appreciate it.
08-13-2003 04:50 PM
As far as I've been able to tell from the documentation, the "ingress forwarding" feature in IOS only allows traffic *from* the IDS device. This allows the IDS to send TCP resets, SNMP traps, and so forth when it sees suspicious traffic, but doesn't allow the IDS to be accessed remotely (that would be egress forwarding from the switch's point of view).
CatOS has supported "normal" traffic on SPAN ports for quite some time but for whatever reason this feature hasn't yet made it into IOS despite what appears to be common yearning for it. Hence, it is necessary to attach a second interface on the sniffer to the switch to be used as the so-called management interface. This port gets an IP address and is used to access the sniffer remotely -- the sniffing port doesn't get an IP address and therefore operates in stealth mode. This is oftentimes a good idea anyway for security reasons on permanent IDS systems -- if the sniffing interface is located on a public part of the network, the management interface can plug into another switch in a private part of the network to protect it from external compromise.
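The following configuration is an added example for the 3550 setup discussed in this thread; it is not taken from any of the posts above or from Cisco documentation. It uses the ingress keyword shown in the earlier reply, with the 12.1(12c)EA1 syntax that takes a VLAN for untagged frames arriving from the sniffer. The VLAN number (10), the choice of Fa0/47 as the sniffer's management port, and the resulting source range Fa0/1 - 46 are assumptions made for the example; the sniffer's management interface could equally go to a separate switch, as the reply above recommends.

```cisco
! Added example, not from the original thread. Assumes VLAN 10 and that
! Fa0/47 is set aside as the sniffer's management port, so it is left out
! of the SPAN source range.
configure terminal
 ! start from a clean session definition
 no monitor session 1
 ! copy both directions of Fa0/1 through Fa0/46 to the destination port
 monitor session 1 source interface FastEthernet0/1 - 46 both
 ! Fa0/48 is the sniffer port; "ingress vlan 10" lets frames sent by the
 ! sniffer (TCP resets, SNMP traps) enter the switch as VLAN 10 traffic.
 ! The port still does not carry normal switched traffic towards the
 ! sniffer, so it stays unreachable for remote access.
 monitor session 1 destination interface FastEthernet0/48 ingress vlan 10
 ! separate management port: this is where the sniffer gets its IP address
 interface FastEthernet0/47
  description sniffer management interface (not a SPAN destination)
  switchport mode access
  switchport access vlan 10
 end
! verify the session; the destination port should show as Fa0/48 with
! ingress forwarding enabled
show monitor session 1
```

The two-port layout keeps the sniffing interface without an IP address, so it cannot be addressed from the monitored segment, while remote management goes through Fa0/47 on an ordinary access port. If the management interface must be isolated from the monitored network, put it on a separate switch or a different VLAN instead of VLAN 10.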