Cisco switch Port Mirroring configuration

Source: Internet
Author: User
Tags: reflection, reflector, cisco, switch


Mirror port configuration
Most switches support port mirroring, which makes troubleshooting the switch easier. It is called "mirroring" or "SPAN". Mirroring copies the traffic of one switch port to another port (the mirror port) so that it can be monitored.

A Cisco 3550 can be configured with two mirror (SPAN) sessions.

Case: mirror ports 2 to 5 to port 6

1. Mirror port configuration

Step 1: enter privileged mode
Switch>enable

Step 2: enter global configuration mode
Switch#conf t

Step 3: configure the mirror source, either a port or a VLAN
Switch(config)#monitor session 1 source interface gigabitethernet 0/2-5 rx
The last parameter of the command above:
both: monitor traffic in both directions (the default)
rx: monitor received traffic only
tx: monitor sent traffic only

Step 4: configure the mirror destination port
Switch(config)#monitor session 1 destination interface gigabitethernet 0/6

Step 5: leave configuration mode
Switch(config)#exit

Step 6: save the configuration
Switch#wr

Step 7: view the result
Switch#show monitor
Session 1
---------
Type: Local Session
Source Ports:
    RX Only: Gi0/2-5
Destination Ports: Gi0/6
    Encapsulation: Native
    Ingress: Disabled


2. Remove the mirror port
Switch#conf t
Switch(config)#no monitor session 1
Switch(config)#end

Switch#wr

Switch#show monitor
No SPAN configuration is present in the system.

3. Other notes
(1) Mirror filtering: port mirroring can filter by VLAN.
monitor session session_number filter vlan vlan-id [, | -]
** Specifies which VLANs, among the traffic entering the source port, are sent out of the destination port.
(2) Removing a mirror session
no monitor session {session_number | all | local | remote}
** session_number removes the given session; all removes every session, local removes all local sessions, and remote removes all remote sessions.
(3) The mirror destination port does not send and receive data normally, so it can no longer be used as an ordinary port. It is typically connected to a network analysis or security device, such as a computer running a sniffer or a Cisco IDS appliance.


In a switched Ethernet environment, communication between two workstations is generally not seen by a third party. In some cases, however, we need such interception: protocol analysis, traffic analysis, intrusion detection. For this we can use the SPAN (Switched Port Analyzer) feature of Cisco switches, earlier called "port mirroring" or "monitoring port". The monitored object can be one or more switch ports, or an entire VLAN. If the port or VLAN being monitored (the "source port") and the port connecting the monitoring station (the "destination port") are on the same switch, only SPAN needs to be configured; if they are not on the same switch, RSPAN (Remote SPAN) is needed. Different switches have different SPAN restrictions: for example, on the 2900XL the source and destination ports must be in the same VLAN, and some switches do not support RSPAN. See the device documentation.

The parameters we need to provide when configuring SPAN are the source port or VLAN number and the destination port.

4000/6000 CatOS switch:
set span 6/17 6/19          // SPAN: source port 6/17, destination port 6/19

2950/3550/4000 IOS/6000 IOS switch:
monitor session 1 local                                     // SPAN
monitor session 1 source interface fastethernet 0/17 both   // source port; a VLAN can also be used
monitor session 1 destination interface fastethernet 0/19   // destination port

2900/3500XL switch:
Switch(config)#interface fastethernet 0/19            // destination port
Switch(config-if)#port monitor fastethernet 0/17      // source port

1900 switch (or use the menu [M] Monitoring):
monitor-port monitored 0/17    // source ports (0/17 and 0/18)
monitor-port monitored 0/18
monitor-port port 0/19         // destination port
monitor-port                   // start monitoring


When configuring RSPAN, we first define a VLAN of type RSPAN. On a normal VLAN, if the source and destination hosts are on the same switch, unicast traffic between them does not need to cross the trunk to another switch; the RSPAN VLAN must forward such traffic over the trunk so that the monitor can see it. On the source switch, set the monitored port or VLAN to forward its traffic into the RSPAN VLAN (on a switch running IOS, another port is needed as the reflector port); on the destination switch, set the destination port that forwards the RSPAN VLAN's traffic to the monitoring host.

IOS switches, such as the 3550:
3550(config)#vlan 900          // create the RSPAN VLAN
3550(config-vlan)#remote-span

monitor session 1 remote                                                        // source switch
monitor session 1 source interface fastethernet 0/17 both                       // source port
monitor session 1 destination remote vlan 900 reflector-port fastethernet 0/20  // destination RSPAN VLAN and reflector port

monitor session 2 remote                                      // destination switch
monitor session 2 source remote vlan 900                      // RSPAN VLAN
monitor session 2 destination interface fastethernet 0/19     // destination port

CatOS switches, such as the 6500:

set vlan 900 rspan                 // create the RSPAN VLAN

set rspan source 4/1-2 900         // source switch

set rspan destination 4/19 900     // destination switch


After a recent RSPAN configuration, users reported serious packet loss on some network segments. Careful inspection found that the uplink ports of some switches were heavily loaded. Further analysis showed that an RSPAN session had been enabled on two central switches and that the traffic in the RSPAN VLAN was very large, up to 300 Mbit/s. Because pruning was not enabled in the VTP domain, the RSPAN VLAN's traffic appeared on every trunk and caused congestion. After pruning the RSPAN VLAN from those trunks, the network returned to normal.

The SPAN feature makes it all the more important to protect switches from unauthorized control: an attacker who controls a host and some of the switches can use SPAN/RSPAN together with a sniffer to eavesdrop on any information transmitted over the network.
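The following Python script is an added example and is not part of the original article. It parses the `show monitor` output shown in section 1 (step 7) into sessions and compares each session's destination port and RSPAN VLAN against an approved list, so that a mirror session created by someone who has gained control of a switch stands out during a configuration review. The sample output is constructed for the example: the local session follows the 3550 output in the article, while the layout of the remote-source session (the `Reflector Port` and `Dest RSPAN VLAN` lines) is an assumption, and the approved port and VLAN values are placeholders.

```python
"""Parse Cisco IOS `show monitor` output and flag SPAN sessions whose
destination is not on an approved list.

Added example; not the article's own code.  SAMPLE_SHOW_MONITOR is
constructed for the example: session 1 mirrors the 3550 output in the
article, session 2's layout is an assumption.
"""
import re
from dataclasses import dataclass, field

SAMPLE_SHOW_MONITOR = """\
Session 1
---------
Type                   : Local Session
Source Ports           :
    RX Only            : Gi0/2-5
Destination Ports      : Gi0/6
    Encapsulation      : Native
          Ingress      : Disabled

Session 2
---------
Type                   : Remote Source Session
Source Ports           :
    Both               : Fa0/17
Reflector Port         : Fa0/20
Dest RSPAN VLAN        : 900
"""

# Placeholder whitelist: the port wired to the analysis station and the
# VLAN reserved for RSPAN (constructed values, edit for your own network).
APPROVED_DESTINATIONS = {"Gi0/6"}
APPROVED_RSPAN_VLANS = {"900"}


@dataclass
class SpanSession:
    number: int
    kind: str = ""
    sources: dict = field(default_factory=dict)  # direction -> port list text
    destination: str = ""
    rspan_vlan: str = ""
    reflector: str = ""


def parse_show_monitor(text):
    """Turn `show monitor` text into a list of SpanSession records."""
    sessions = []
    cur = None
    in_sources = False
    for line in text.splitlines():
        m = re.match(r"^Session (\d+)\s*$", line)
        if m:                                  # start of a new session block
            cur = SpanSession(int(m.group(1)))
            sessions.append(cur)
            in_sources = False
            continue
        if cur is None or ":" not in line:     # separators and blank lines
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Type":
            cur.kind = val
        elif key == "Source Ports":            # indented direction lines follow
            in_sources = True
        elif in_sources and line.startswith(" ") and key in ("Both", "RX Only", "TX Only"):
            cur.sources[key] = val
        elif key == "Destination Ports":
            in_sources = False
            cur.destination = val
        elif key == "Dest RSPAN VLAN":
            in_sources = False
            cur.rspan_vlan = val
        elif key == "Reflector Port":
            in_sources = False
            cur.reflector = val
        # Encapsulation / Ingress lines carry no data we need here
    return sessions


def audit_sessions(sessions, approved_ports=APPROVED_DESTINATIONS,
                   approved_vlans=APPROVED_RSPAN_VLANS):
    """Return (session number, reason) for every session that copies traffic
    somewhere other than the documented monitoring port or RSPAN VLAN."""
    findings = []
    for s in sessions:
        if s.destination and s.destination not in approved_ports:
            findings.append((s.number, f"destination {s.destination} is not an approved monitoring port"))
        if s.rspan_vlan and s.rspan_vlan not in approved_vlans:
            findings.append((s.number, f"RSPAN VLAN {s.rspan_vlan} is not an approved mirroring VLAN"))
    return findings


if __name__ == "__main__":
    found = parse_show_monitor(SAMPLE_SHOW_MONITOR)
    for s in found:
        print(s)
    for number, reason in audit_sessions(found, approved_ports={"Gi0/24"}):
        print(f"session {number}: {reason}")
```

Feed it the saved `show monitor` output of each switch; anything returned by `audit_sessions` is a mirror session whose destination does not match the monitoring ports and RSPAN VLANs you have documented, which is exactly the trace an unauthorized SPAN/RSPAN session leaves behind.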


First, port mirroring explained: put simply, the switch makes a complete copy of the traffic of one or more ports (the source ports) and sends it out of another port (the destination port), so that the network administrator can analyse the source ports' traffic from the destination port and find the cause of a network problem.

Cisco's port mirroring is called Switched Port Analyzer, SPAN for short (the name is used on IOS), so port mirroring is only available on Ethernet switched ports. Cisco SPAN comes in three types: SPAN, RSPAN and VSPAN. In short, SPAN means the source and destination ports are on the same switch, RSPAN means the source and destination are on different switches, and VSPAN mirrors one or several whole VLANs to a destination port.

Configuration method:
1. SPAN
(1) Create the SPAN source port
monitor session session_number source interface interface-id [, | -] [both | rx | tx]
** session_number: the SPAN session number. As I recall, the 3550 supports at most 2 local SPAN sessions, so this is 1 or 2.
** interface-id [, | -]: the source port, i.e. the mirrored port whose traffic the switch copies. Several ports can be given: separate individual ports with "," and join a contiguous range with "-".

** [both | rx | tx], optional: copy the source port's bidirectional traffic (both), only incoming traffic (rx) or only outgoing traffic (tx). The default is both.

(2) Create the SPAN destination port
monitor session session_number destination interface interface-id [encapsulation {dot1q [ingress vlan vlan-id] | isl [ingress]} | ingress vlan vlan-id]
** Parameters already explained above are not repeated.
** session_number: must match the one above.
** interface-id: the destination port, from which the traffic copied from the source port is sent out. Its port number must not lie within the source port range.
** [encapsulation {dot1q | isl}], optional: whether 802.1Q or ISL encapsulation is used when traffic is sent out of the destination port. With 802.1Q the native VLAN is sent untagged and other VLANs tagged; with ISL everything is encapsulated.

2. VSPAN
(1) Create the VSPAN source VLAN
monitor session session_number source vlan vlan-id [, | -] rx
** Basically the same as SPAN, except that the parameter is a VLAN number instead of a port and only received traffic can be mirrored.
(2) Create the VSPAN destination port
monitor session session_number destination interface interface-id [encapsulation {dot1q | isl}]
** Same as SPAN.


3. RSPAN
The configuration of RSPAN is more complex. The process can be seen this way: the switch copies the traffic of the port to be mirrored and sends it to a reflector port (reflector-port) on the same switch; the reflector port forwards it over the network into a VLAN on the destination switch (in general this VLAN is dedicated to mirroring and not used for client access); then VSPAN is configured on the destination switch to mirror that VLAN's traffic to the destination port. Note that once RSPAN is used, the traffic of this mirror VLAN is forwarded over all VLAN trunks, which wastes network bandwidth, so VLAN pruning should be configured. RSPAN can also mirror VLANs.
(1) Create the RSPAN source port on the source switch
** Same as SPAN or VSPAN
(2) Create the reflector port and destination VLAN on the source switch
monitor session session_number destination remote vlan vlan-id reflector-port interface
** vlan-id: the VLAN that carries the mirrored traffic to the destination switch
** reflector-port interface: the reflector port on the source switch
(3) Create the VSPAN source VLAN on the destination switch
monitor session session_number source remote vlan vlan-id
** vlan-id: the mirror-dedicated VLAN above
(4) Create the VSPAN destination port on the destination switch
monitor session session_number destination interface interface-id [encapsulation {dot1q | isl}]
** Same as SPAN
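As an added example (not the article's code) that turns the syntax rules listed in sections 1 to 3 into checks, the following Python helper expands source ranges written with "," and "-", enforces session numbers 1 and 2 as the article gives them for the 3550, accepts only both/rx/tx, and rejects a destination or reflector port that lies inside the source range, before emitting the `monitor session` lines for a local SPAN session and for both sides of an RSPAN session. The interface names and VLAN 900 reuse the article's examples; that the RSPAN VLAN is defined on both switches is an assumption of the example, and `max_sessions` is a parameter of this helper, not an IOS option.

```python
"""Build and sanity-check Cisco IOS SPAN / RSPAN command lines.

Added example (not the article's code).  It implements the rules the
article states for the 3550: session numbers 1..2, source ranges written
with "," and "-", direction both/rx/tx, and a destination (or reflector)
port that must not lie inside the source range.  Interface and VLAN
values are taken from the article's examples or constructed.
"""
import re

# name, one or more "slot/" groups, first port number, optional "-last"
_IFACE = re.compile(r"^([a-z]+)((?:\d+/)+)(\d+)(?:-(\d+))?$")


def expand_range(spec):
    """Expand 'gi0/2-5, gi0/7' into ['gi0/2', 'gi0/3', 'gi0/4', 'gi0/5', 'gi0/7'].
    Interface names are shortened to two letters so that 'gigabitethernet 0/6'
    and 'gi0/6' compare equal."""
    ports = []
    for token in spec.lower().replace(" ", "").split(","):
        if not token:
            continue
        m = _IFACE.match(token)
        if not m:
            raise ValueError(f"bad interface spec: {token!r}")
        name, prefix, start, end = m.groups()
        first = int(start)
        last = int(end) if end else first
        if last < first:
            raise ValueError(f"descending range: {token!r}")
        ports.extend(f"{name[:2]}{prefix}{n}" for n in range(first, last + 1))
    return ports


def span_commands(session, sources, destination, direction="both", max_sessions=2):
    """Return the two 'monitor session' lines for a local SPAN session after
    checking the session number, the direction and source/destination overlap."""
    if not 1 <= session <= max_sessions:
        raise ValueError(f"session must be 1..{max_sessions}")
    if direction not in ("both", "rx", "tx"):
        raise ValueError("direction must be both, rx or tx")
    src = expand_range(sources)
    dst = expand_range(destination)
    if len(dst) != 1:
        raise ValueError("exactly one destination port is expected")
    if dst[0] in src:
        raise ValueError(f"destination {dst[0]} lies within the source range")
    return [
        f"monitor session {session} source interface {sources} {direction}",
        f"monitor session {session} destination interface {destination}",
    ]


def span_error(*args, **kwargs):
    """Return the validation error message, or None when the SPAN spec is valid."""
    try:
        span_commands(*args, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


def rspan_commands(rspan_vlan, source_iface, reflector, dest_iface,
                   src_session=1, dst_session=2):
    """Return (source-switch lines, destination-switch lines) for RSPAN as the
    article describes it: an RSPAN VLAN, a reflector port on the source switch
    and a remote-VLAN source on the destination switch.  Defining the VLAN on
    both switches is this example's assumption."""
    src = expand_range(source_iface)
    if expand_range(reflector)[0] in src:
        raise ValueError("reflector port must not be a source port")
    vlan_def = [f"vlan {rspan_vlan}", " remote-span"]
    source_switch = vlan_def + [
        f"monitor session {src_session} source interface {source_iface} both",
        f"monitor session {src_session} destination remote vlan {rspan_vlan} "
        f"reflector-port {reflector}",
    ]
    dest_switch = vlan_def + [
        f"monitor session {dst_session} source remote vlan {rspan_vlan}",
        f"monitor session {dst_session} destination interface {dest_iface}",
    ]
    return source_switch, dest_switch


if __name__ == "__main__":
    print("\n".join(span_commands(1, "gigabitethernet 0/2-5", "gigabitethernet 0/6", "rx")))
    for side in rspan_commands(900, "fastethernet 0/17", "fastethernet 0/20", "fastethernet 0/19"):
        print("!")
        print("\n".join(side))
```

The overlap check is the one worth keeping even if you paste the commands by hand: a destination port inside its own source range is rejected by IOS, but a reflector port that is also a source is the kind of mistake that only shows up as a flood on the trunk, like the incident described later in the article.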



Configuration commands to enable the Telnet service on a Cisco switch:
enable secret cisco                 # password for entering privileged mode (encrypted; a plaintext password can also be set)
line vty 0 4
password cisco
int vlan1
ip add 172.16.5.1 255.255.0.0       # configure an IP address on VLAN 1 for management
no shut


Cisco switch configuration, written some time ago.

Basic configuration of the 2950 switch. At present we commonly configure VLANs and, for ease of management, an IP address and Telnet login. Features such as spanning tree and VTP are generally not configured in small enterprises or systems and are not explained here.

1 Basic concepts

1.1 Classification of switches

Cisco switches fall into two main types by operating system:

Catalyst OS (CatOS) based, such as the 4000, 5000 and 6000 series. These are relatively high-end and generally not used by us; central switches on the carrier side may use them.

IOS based, such as the 2950 and 3560. Their configuration commands are similar to a router's. The Cisco access switches we use are relatively low-end and belong to this type.


1.2 Configuration modes

There are several switch configuration modes to be clear about; different commands are available in different modes.

The mode can be judged from the prompt. The common ones are as follows.

switch:             ROM monitor mode (on a router the prompt is rommon>)

Switch>             user mode; only a limited number of commands can be executed. Logging in from the console enters user mode directly

Switch#             privileged mode; the various show commands are executed here

Switch(config)#     global configuration mode, for configuring the switch

Switch(config-if)#  interface mode, for interface-related configuration


2 Common configuration

2.1 Mode switching

switch>enable                  ; enter privileged mode. If a password is set you must enter it; without a password you enter directly

Switch#config terminal         ; enter global configuration mode

Switch(config)#interface ***   ; enter interface mode

Enter the exit command in any mode to return to the previous mode.


2.2 Password settings

For security reasons the relevant passwords must be set, mainly the console login password and the Telnet password. Use the show run command to check whether the configuration succeeded. The relevant commands are as follows:

Switch(config)#hostname             ; set the hostname of the switch

Switch(config)#enable secret xxx    ; set the encrypted privileged password; show run only shows the ciphertext

Switch(config)#enable password xxa  ; set the unencrypted privileged password; show run shows the password in clear text

switch#exit                         ; return

Telnet password settings are described in "2.5 Management address and Telnet configuration".


2.3 Viewing and saving the configuration

Switch#write (or copy run start)   ; save the configuration; if not saved, it is lost after a reboot

Switch#reload                      ; restart the switch

Switch#show run                    ; view the current (running) configuration

Switch#show start                  ; view the saved (startup) configuration

Switch#show vlan                   ; view VLAN configuration

Switch#show interface              ; view information on all ports

switch#show int f0/0               ; view information on the specified port


2.4 VLAN configuration

A Cisco switch has only one VLAN by default, VLAN 1, which also serves as the management VLAN. In a larger network, configuring VLANs requires proper planning of the VTP domain and consideration of inter-VLAN routing, which is correspondingly more complex. What we need to do is only divide VLANs on a single switch, which is relatively simple. At present most enterprises place all servers on the inside port of the firewall and do not even divide VLANs.

VLAN configuration has two steps: first create the VLAN, then assign ports to the appropriate VLAN (VLAN 1 by default).

The basic commands are as follows

Switch#vlan database                         ; enter VLAN configuration

Switch(vlan)#vlan 2                          ; create VLAN 2

Switch(vlan)#no vlan 2                       ; delete VLAN 2

Switch(config)#int f0/1                      ; enter port 1

Switch(config-if)#switchport access vlan 2   ; add the current port to VLAN 2



Another example:

Creating VLANs:

Switch#config t

Switch(config)#hostname GD2950        /* rename the switch to GD2950; the prompt changes

GD2950(config)#exit

GD2950#vlan database

GD2950(vlan)#vlan 2 name DMZ          /* create VLAN 2 named DMZ

VLAN 2 added:

    Name: DMZ

GD2950(vlan)#vlan 3 name Temp         /* create VLAN 3 named Temp

VLAN 3 added:

    Name: Temp

GD2950(vlan)#end

GD2950#

Assigning ports to VLANs:

Switch ports also have a trunk mode, which is not used here; the default is access mode

GD2950#config t

GD2950(config)#int f0/2

GD2950(config-if)#switchport access vlan 2   /* the port belongs to VLAN 2

GD2950(config-if)#int f0/3

GD2950(config-if)#switchport access vlan 3   /* the port belongs to VLAN 3

GD2950(config-if)#int f0/4

GD2950(config-if)#switchport access vlan 4   /* the port belongs to VLAN 4

GD2950(config-if)#exit

GD2950(config)#exit

GD2950#

2.5 Management address and Telnet configuration

Cisco switches and routers do not allow Telnet by default; it must be configured as required. Before a switch can be reached via Telnet it must first be given an IP address (the usual management address). Note that this IP address is not assigned to a port but to VLAN 1 (a network segment), which is different from a router.

Configuring the management address:

Switch(config)#interface vlan 1                           ; enter VLAN 1

Switch(config-if)#ip address 192.168.1.20 255.255.255.0  ; set the IP address to 192.168.1.20 with a 24-bit mask

Switch(config)#ip default-gateway 192.168.1.1            ; set the default gateway to 192.168.1.1; the gateway can usually be left unset

After setup is complete, ping the configured IP from another machine to check that it responds.

Telnet settings:

Switch(config)#line vty 0 4          ; enter the virtual terminal lines

Switch(config-line)#login            ; require login

Switch(config-line)#password xx      ; set the login password to xx. Note that a password must be set; it cannot be empty, or you cannot log in, because Telnet requires a non-empty password.

After all configuration is complete, remember to save with write or copy run start.

Then use Telnet to check whether you can log in. To store passwords that would otherwise be displayed in clear text in encrypted form, run the following command in global configuration mode:

Switch(config)#service password-encryption







This article is from the "Blossom as ever" blog, please be sure to keep this source http://sunrisenan.blog.51cto.com/10217407/1876574
