Username

THURSDAY, 06 NOVEMBER 2014

HOME

THE RADAR PAGE

Advertising With Us

THE PRODUCT DIRECTORY

HOME

TOOLS

CONTACT US

THE RADAR

CONTACT US

CND Ltd

SWITCH PORT MIRRORING

The advent of switched networks resulted in Network IDS having great difficulty in promiscuously monitoring
their networks. This was overcome by configuring a switch to replicate the data from all ports or VLAN's onto
a single port. This function has a multitude of names including; Port Mirroring, Monitoring Port, Spanning
Port, SPAN port and Link Mode port.
Port Mirroring generally indicates the ability to copy the traffic from a single port to a mirror port but
disallows any type of bidirectional traffic on the port.
Spanning Port usually indicates the ability to copy traffic from all the ports to a single port but also typically
disallows bidirectional traffic on the port.
In the case of Cisco, SPAN stands for Switch Port ANalyzer. Some switches do not allow SPAN ports to transmit
packets, this is an issue if you wish to use IDS TCP countermeasures such as resets.
It may also be worth looking at Network Taps which allow you to tap into a network, taking a parallel feed for
the Network IDS.

SEARCH PRODUCTS
Search
Search

Advanced Search

LINKS TO PRODUCTS
Extreme Newer
Extreme Older v4.1
Cisco SPAN Info
Cisco 2900 3500XL

Cisco
Cisco
Cisco
Cisco

2950 3550 3750

2950
3500 XL
5000

Cisco 4000 6000 Cat

Cisco 4000 6000 IOS
Foundry
Juniper M or T

PRODUCT DIRECTORY
Directory
Cloud Security Services
Boundary Guard Products
Network Anomaly Detection
Scanning Products

EXTREME SWITCHES NEWER

Submitted By Kevin Farnes
Information Updated: 16 Aug 2004
{enable | disable} mirroring on port Port No
configure mirroring { add | delete } { vlan VLAN | port Port No }
The first line basically turns on or off the mirroring and what port the mirrored output should be sent to. The
second line specifies what is
to be mirrored. The second line can be repeated any number of times. There are some limitations on
capability however, such as if
you are mirroring a port then it must be on the same blade as the port being mirrored to.

Network Access Control

Server Security Products
Endpoint Security
Forensic Solutions
Malware Protection
Reputational Intelligence
Virtualisation Security

Security Information Event Manager

Vulnerability Alert Services
Security Training
Security Conferences
Password Managers
TSCM Bug Sweeping
Geeky Gadgets

EXTREME SWITCHES OLDER EG 48 EXTREMEWARE VERSION 4.1

Submitted By Joel Snyder
Information Updated: 16 Aug 2004
In the older Summit Extremes (like the 48, not the 48i), you are blocked at v4 of their software
enable mirror to port <port-no> (both enables mirroring, and says where to send it. Notice that you cannot
provide a list of ports, unfortunately)
disable mirror (disables mirroring)
config mirror add port <portno>
(adds port <portno>, all VLANs that this port participates in)
config mirror add port <portno> vlan <vlan name or #>
(adds port <portno>, but only VLAN <vlan>
traffic will be mirrored)
config mirror add vlan <vlan name or #>
(adds all ports that have this VLAN)
You can add more than one port by repeating the above lines.
config mirror del port <portno>
config mirror del vlan <vlan>
(does the obvious thing)

Visio Stencils
Uncategorised

show mirror
(shows status of mirroring, including whether the port is up or not (!))
One thing to be careful of in the Extreme is that with mirroring (at least in this version of the O/S), you get
both IN and OUT mirroring,
which means that if you pick a VLAN as the mirror object, you may see the same frame a couple of times if it
goes in one port on the VLAN and out a different one.

CISCO CATALYST SPAN SUPPORT

Submitted By Mark McDonagh
Information Updated: 16 Aug 2004
Switch
2900/3500XL
2950
3550
3750
4000 w CatOS
4500 w Native IOS
6000 w CatOS
6000 w Native IOS

SPAN Sessions
TCP Countermeasures
No Limit
No
1
Yes
2
Yes
2
Yes
5
Yes
6 (both considered 2) No
2 Rx or Both, 4 Tx
Yes
2
No

CISCO CATALYST 2900/3500XL

Submitted By Mark McDonagh
Information Updated: 17 Aug 2004
c3550(config)#monitor session 1 source ?
interface SPAN source interface
remote SPAN source Remote
vlan SPAN source VLAN
c3550(config)#monitor session 1 source interface fa0/1 - 3 rx
c3550(config)#monitor session 1 destination interface fa0/24
Only an Rx SPAN session can have multiple source ports. Note the spaces in syntax when specifying multiple
interfaces. Can be or ,
With Source VLAN's
c3550(config)#monitor session 1 source vlan 1 - 10 rx
c3550(config)#monitor session 1 destination interface fa0/24
TCP Resets
c3550(config)#monitor session 1 source vlan 1 - 10 rx
c3550(config)#monitor session 1 destination interface fa0/24 ingress vlan 1
The Catalyst 2950/3550 will allow you to configure a single VLAN to receive untagged TCP Reset packets. TCP
Reset support is configured through the ingress vlan keywords. Only one VLAN is permitted. In this example,
non-802.1q-tagged TCP Resets to servers or attackers existing on or through VLAN 1 would be allowed, but
not if the attack or target was on VLAN 2-10. If the RST is a response to an attack detected by IDS 4.x where
the 802.1q tag has been maintained, the RST will be sent on the appropriate VLAN.
If you are monitoring a VLAN trunk port, you may wish to filter one or more of the VLANs on that trunk. This
example only monitors VLANs 5 and 100-200 on the trunk.
c3550(config)#monitor session 1 source interface gigabit0/1
c3550(config)#monitor session 1 filter vlan 5 , 100 - 200
c3550(config)#monitor session 1 destination interface fa0/24
If the monitor session destination port is a trunk, you should also use keyword encapsulation dot1q. If you
do not, packets will be sent on the interface in native format.

CISCO CATALYST 2950 3550 3750

Submitted By Mark McDonagh
Information Updated: 17 Aug 2004
int fa0/24
port monitor fa0/1
port monitor fa0/2
port monitor fa0/3
^Z
show port monitor
Monitor Port Port Being Monitored
--------------------- --------------------FastEthernet0/24 FastEthernet0/1
FastEthernet0/24 FastEthernet0/2
FastEthernet0/24 FastEthernet0/3
Monitored ports must be on same VLAN
Cannot modify monitored ports

port monitor vlan is only valid for VLAN 1, and will only monitor management traffic destined to the IP
address configured as VLAN 1 on the switch port monitor, by itself, will configure the port to monitor all
ports on the switch that belong to the vlan that port is assigned to.

CISCO CATALYST 4000 6000 WITH CATOS SWITCHES

Submitted By Mark McDonagh
Information Updated: 16 Aug 2004
On Cat6k:
set span {src_mod/src_ports| src_vlans | sc0} {dest_mod/dest_port} [rx | tx | both] [inpkts {enable |
disable}] [learning {enable | disable}] [multicast {enable | disable}] [filter vlans...] [create]
On Cat4k:
set span {src_mod/src_ports | src_vlan} dest_mod/dest_port [rx | tx | both] [filter vlan] [inpkts {enable |
disable}] [learning {enable | disable}] [create]
Use the create keyword with different destination ports to create multiple SPAN sessions.
If the create keyword is not used, and a span session exists with the same destination port, the existing
session will be replaced. If the destination port is different, then a new session will be created.
With source 2/1 and destination 3/5
c6500 (enable) set span 2/1 3/5

CISCO CATALYST 4000 6000 WITH IOS SWITCHES

Submitted By Mark McDonagh
Information Updated: 16 Aug 2004
Syntax for Cat4k:
Cat4k(config)# [no] monitor session {session_number} {source {interface type/num} | {vlan vlan_ID}} [, | - | rx
| tx | both]
Cat4k(config)# [no] monitor session {session_number} {destination {interface type/num} }
Syntax for Cat6k:
Cat6k(config)# monitor session session_number source {{single_interface | interface_list | interface_range |
mixed_interface_list | single_vlan | vlan_list | vlan_range | mixed_vlan_list} [rx | tx | both]} | {remote vlan
rspan_vlan_ID}}
Cat6k(config)# monitor session session_number destination {single_interface | interface_list | interface_range
| mixed_interface_list} | {remote vlan rspan_vlan_ID}}

CISCO CATALYST 2950 SWITCHES

Submitted By Kevin Farnes
Information Updated: 16 Aug 2004
( From Configuration Mode )
monitor session 1 source interface Interface
monitor session 1 destination interface Interface
The first line determines which ports are being monitored in the session and can be repeated. The second line
determines where the
monitor output is to be sent. On the 2950 only ports can be monitored. With Cisco the monitoring capability
and commands can vary significantly with different models of switch.

CISCO 3500XL SWITCHES

Submitted By Chris McCulloh
Information Updated: 16 Aug 2004
Connect via a command line, then enter enable mode (type 'en').. then execute the following commands,
assuming the sniffer is plugged into port 14 on the switch, and all other ports in a 24 port switch are desired
except 23:
configure terminal
interface f14
port monitor f1-13, f15-22,f24
end
The box should then see all traffic.

CISCO CATALYST 5000 SWITCHES

Submitted By Dave Rodrigue
Information Updated: 16 Aug 2004

set span 2-3 5/7 create

set span 2-3 5/7 create

where 2-3 are the VLANs I'm monitoring.
Switch ports can be specified as well
set span 2/3 5/7 create
to monitor port 2/3
~From Cisco's docs, in case that makes it clearer:
set span {src_mod/src_ports | src_vlan | sc0} dest_mod/dest_port [rx | tx | both] [inpkts {enable | disable}]
[learning {enable | disable}] [multicast {enable | disable}] [create]

FOUNDRY SWITCHES
Submitted By Kevin Farnes
Information Updated: 16 Aug 2004
( From Configuration Mode )
interface Interface
port monitor interface { rx | tx | both}
The first line takes you into the interface that the mirror output should be presented on. The second line
defines those interfaces you wish to have mirrored and whether just the input, output or both are copied.

JUNIPER M OR T SERIES
Submitted By Donald Smith
Information Updated: 20 Aug 2004
Port Mirroring
Define the destination where copies of sampled packets will be sent:
[edit]
user@router# show forwarding-options
port-mirroring { input {family inet; rate <sample-rate>; run-length
<run-length>;} output {interface <interface-name> {next-hop<address>;}
no-filter-check;} }
2. Define a sampling filter to identify "interesting" traffic:
[edit]
user@router# show firewall filter mirror-sample
from {...} then {sample; accept;}
3. Apply the filter to the incoming interface
[edit]
user@router# show interface <interface-name> unit 0 family inet
filter {input mirror-sample;}
Notes:
1. Packets that pass the input filter are sampled based on the <sample-rate> and <run-length>. In each
batch of <sample-rate> packets, the first <run-length> packets are mirrored.
2. The mirror interface should not participate in any routing. The sampled packets are not in any way
encapsulated, so the raw packets are sent out the interface. Hopefully, the device on the far end is a traffic
analyzer and not another router!
3. The <address> needs to be specified when the mirror interface is a multi-access media, and is used to fil
in the MAC address.
4. Works only for IPv4 packets, and only for transit traffic.
5. You can only set up one mirror interface per router; all "sampled" traffic is mirrored.

Copyright 2004 through 2014 Computer Network Defence, Ltd.

All rights reserved