SPAN configuration question

axeleratorcisco
Level 1

I want to monitor the traffic of multiple client VLANs on my network via a network inspection device.

To do this I'd like to set up a SPAN session.

I have a core switch with the SVIs terminated on it, and then a transit VLAN which sends everything by default to the firewall, which is connected to the internet.

I want to monitor ANY client traffic, ANYwhere in my network, regardless of which switch a client is connected to.

Is my logic sound that monitoring the client VLANs on my core switch (which is the active one) will capture all client traffic going to the internet? Since all traffic has to pass the core switch and then the transit VLAN, which is also on my core.

Or will setting up a local SPAN on my core switch only capture traffic on ports of the core switch itself which are in the client VLANs?

How would I achieve the requested scenario?

7 Replies

Bob Loblaw
Level 1

If I am understanding correctly, all the traffic from these other switches travels through the core switch to the FW and out to the internet. If this is the case, and you're able to plug into that core switch, setting up a SPAN would accomplish this. The source interface should be the one facing the FW, and you can filter the users' VLAN like you suggested.

If this post was helpful, please rate it so. Thanks!

Correct.

I was just wondering if I should monitor the switch interface to which the internet router is attached.

Or that just copying the Transit VLAN as a source on the Core would accomplish the same.

Hi,

You could configure the monitor session on the core switch with the VLANs as source. I have done this before for an IPS; just check that the CPU utilization does not increase. Also, don't mix interfaces and VLANs as sources.

Your configuration could be:

monitor session 1 source vlan 10
monitor session 1 source vlan 20
monitor session 1 source vlan 25
<and other VLANs>
monitor session 1 destination interface <interface>

The destination interface is where the monitoring device is connected. Usually it has the default switchport configuration.

Hope it is useful

:-)

>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other members of the community. <<

Thanks. So if I monitor the transit VLAN on the core switch, I should theoretically see all traffic passing through from all clients on the network?

I have both a Cisco and an HP device, which both have a limitation that in the SPAN session only the RX direction can be monitored when a VLAN is given as the source.

Do you know if an IDS is able to make sense of only incoming traffic streams?

If I wanted to see traffic from client VLAN A to client VLAN B, would I be able to see this as well just by monitoring the VLAN on the core switch?

Hello,

 

On a side note, if you also want to monitor intra-VLAN (e.g. VLAN 2 to VLAN 2) traffic, you need to configure a local SPAN session on each switch and define the entire range of interfaces on that switch as source, e.g.:

monitor session 1 source interface Fa0/1 - 48

If you set up SPAN only on the core switch, you will only capture inter-VLAN (VLAN X to other VLANs) traffic.
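The two replies above give the IOS lines for a VLAN-sourced session on the core and for an interface-range session on each access switch. As an added example (not from this thread or from Cisco), the script below builds either kind of session and checks it against the constraints the thread mentions: VLAN and interface sources are not mixed in one session, VLAN sources are RX-only on the platforms the poster described, and the destination port is not also a source. Interface names and VLAN numbers are constructed for the demonstration.

```python
"""Build and sanity-check a Cisco IOS local SPAN session.

Added example, not code from the thread. The constraints encoded here are
the ones the replies mention; session-id limits and exact syntax vary by
platform, so treat the output as a starting point to compare with the
device's own documentation.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class SpanSession:
    session_id: int
    destination: str                                     # e.g. "Gi1/0/48", where the IDS plugs in
    vlans: List[int] = field(default_factory=list)       # VLAN sources (core-switch style)
    interfaces: List[str] = field(default_factory=list)  # interface sources, e.g. "Fa0/1 - 48"
    direction: str = "rx"                                # "rx", "tx" or "both"
    vlan_sources_rx_only: bool = True                    # platform limitation reported in the thread


def validate(s: SpanSession) -> List[str]:
    """Return a list of problems; an empty list means the session looks consistent."""
    problems: List[str] = []
    if s.session_id < 1:
        problems.append("session id must be a positive integer")
    if not s.vlans and not s.interfaces:
        problems.append("session has no source")
    if s.vlans and s.interfaces:
        # The reply explicitly advises against mixing the two source types.
        problems.append("do not mix VLAN and interface sources in one session")
    if s.direction not in ("rx", "tx", "both"):
        problems.append(f"unknown direction {s.direction!r}")
    if s.vlans and s.vlan_sources_rx_only and s.direction != "rx":
        problems.append("VLAN sources on this platform can only be monitored in the rx direction")
    for v in s.vlans:
        if not 1 <= v <= 4094:
            problems.append(f"VLAN {v} is out of range")
    # A destination port that is also listed as a source would loop copies back into the session.
    for rng in s.interfaces:
        if s.destination.lower() == rng.replace(" ", "").lower():
            problems.append(f"destination {s.destination} is also a source")
    return problems


def render(s: SpanSession) -> List[str]:
    """Emit the IOS configuration lines, one per source, in the style the thread uses."""
    lines = []
    for v in s.vlans:
        lines.append(f"monitor session {s.session_id} source vlan {v} {s.direction}")
    for rng in s.interfaces:
        lines.append(f"monitor session {s.session_id} source interface {rng} {s.direction}")
    lines.append(f"monitor session {s.session_id} destination interface {s.destination}")
    return lines


def core_session() -> SpanSession:
    """Constructed example: client VLANs 10, 20 and 25 on the core, IDS on Gi1/0/48."""
    return SpanSession(session_id=1, destination="Gi1/0/48", vlans=[10, 20, 25])


def access_session() -> SpanSession:
    """Constructed example: every access port on a 48-port switch, IDS on Gi0/1."""
    return SpanSession(session_id=1, destination="Gi0/1", interfaces=["Fa0/1 - 48"])


if __name__ == "__main__":
    for sess in (core_session(), access_session()):
        issues = validate(sess)
        print("\n".join(render(sess)) if not issues else "\n".join("! " + i for i in issues))
        print()
```

Running it prints the two configurations; passing a session with both `vlans` and `interfaces`, or a VLAN session with `direction="both"`, returns the corresponding problem strings instead, which is the check worth running before pasting a session onto a core switch whose CPU you are already watching.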

Hi, I am a new user here. I will say that if you are able to plug into that core switch, setting up a SPAN would accomplish this. The source interface should be the one facing the FW, and you can filter the users' VLAN like you suggested.

I am getting a lot of duplicate packets on the IPS for traffic coming from a client VLAN and going to the transit VLAN.

Any ideas how to eliminate this?
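When one session copies both the client VLANs and the transit VLAN on the same core switch, a packet that enters on a client VLAN and is routed onto the transit VLAN can reach the sensor twice: the two copies share every IP-header field and the payload, and differ only in the L2 addresses, the VLAN tag and a TTL one lower on the routed copy. The script below is an added example (not from this thread or from any IPS vendor) that scans already-decoded packets for exactly that pattern, so you can confirm whether the duplicates the post describes are pre-/post-routing copies of one packet rather than genuine retransmissions. The packet records and addresses are constructed; decoding from a pcap is assumed to happen elsewhere.

```python
"""Spot pre-/post-routing duplicates in a SPAN feed.

Added example, not code from the thread. Input is a list of decoded
packets (decoding from pcap is assumed to be done by a separate parser).
Two records are treated as copies of one routed packet when they match on
IP addresses, protocol, IP ID, ports and payload, arrive within a short
window on different VLANs, and the later one has a TTL exactly one lower.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    ts: float        # capture timestamp in seconds
    vlan: int        # VLAN tag as seen on the SPAN destination port
    src_ip: str
    dst_ip: str
    proto: int       # 6 = TCP, 17 = UDP
    ip_id: int
    ttl: int
    sport: int
    dport: int
    payload: bytes


def flow_key(p: Pkt) -> Tuple:
    """Everything a router leaves untouched: L3/L4 identity plus a payload digest."""
    return (p.src_ip, p.dst_ip, p.proto, p.ip_id, p.sport, p.dport,
            hashlib.sha256(p.payload).hexdigest())


def find_routed_duplicates(packets: List[Pkt], window: float = 0.005):
    """Return (kept, duplicates).

    kept        - packets with the routed second copy removed
    duplicates  - (original, copy) pairs that matched the routed-copy pattern
    """
    last_seen: Dict[Tuple, Pkt] = {}
    kept: List[Pkt] = []
    duplicates: List[Tuple[Pkt, Pkt]] = []
    for p in sorted(packets, key=lambda x: x.ts):
        key = flow_key(p)
        prev = last_seen.get(key)
        if (prev is not None
                and 0 <= p.ts - prev.ts <= window
                and p.vlan != prev.vlan
                and prev.ttl - p.ttl == 1):      # one router hop between the two copies
            duplicates.append((prev, p))
            continue                              # drop the post-routing copy
        last_seen[key] = p
        kept.append(p)
    return kept, duplicates


def duplicate_paths(duplicates: List[Tuple[Pkt, Pkt]]) -> Counter:
    """Count duplicates per (ingress VLAN, egress VLAN); tells you which source pair to trim."""
    return Counter((a.vlan, b.vlan) for a, b in duplicates)


def sample_feed() -> List[Pkt]:
    """Constructed capture: client VLAN 10, transit VLAN 99, documentation addresses."""
    http = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    return [
        # client -> internet, copied as RX on VLAN 10 ...
        Pkt(1.0000, 10, "192.0.2.15", "203.0.113.10", 6, 0x1a2b, 64, 51000, 80, http),
        # ... and again as TX on transit VLAN 99 after routing (TTL 63)
        Pkt(1.0002, 99, "192.0.2.15", "203.0.113.10", 6, 0x1a2b, 63, 51000, 80, http),
        # reply from the internet, seen once as RX on VLAN 99
        Pkt(1.0300, 99, "203.0.113.10", "192.0.2.15", 6, 0x7777, 52, 80, 51000, b"HTTP/1.1 200 OK\r\n"),
        # unrelated DNS query from another client, seen once
        Pkt(1.0400, 10, "192.0.2.40", "192.0.2.1", 17, 0x0101, 64, 40000, 53, b"\x12\x34\x01\x00"),
    ]


if __name__ == "__main__":
    kept, dups = find_routed_duplicates(sample_feed())
    print(f"{len(kept)} unique packets, {len(dups)} routed duplicates")
    for (vin, vout), n in duplicate_paths(dups).items():
        print(f"  VLAN {vin} -> VLAN {vout}: {n}")
```

If the counter shows every duplicate travelling from a client VLAN to the transit VLAN, the feed contains one copy per side of the routing hop; the fix is then on the switch (monitor one side of the hop, or RX only, as the earlier replies discuss) rather than in the IPS.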
