In a switched Ethernet environment, traffic between two workstations is not seen by a third station. Sometimes such listening is needed anyway, for protocol analysis, traffic analysis or intrusion detection. On Cisco switches this is done with the SPAN (Switched Port Analyzer) feature, or, on earlier models, with the "port mirroring" / "monitoring port" feature.
The object being monitored can be one or more switch ports, or an entire VLAN. If the port to be monitored (the "source port") or the VLAN, and the port to which the monitoring workstation is connected (the "destination port"), are on the same switch, only SPAN needs to be configured:
4000/6000 CatOS switch:
set span 6/17 6/19    // SPAN: source port 6/17, destination port 6/19
2950/3550/4000 IOS/6000 IOS switch:
monitor session 1 local    // SPAN (local session)
monitor session 1 source interface fastethernet0/17 both    // source port; a VLAN can be given instead
monitor session 1 destination interface fastethernet0/19    // destination port
2900/3500XL switch (here the monitoring is configured on the destination port itself, and source and destination must be in the same VLAN):
interface fastethernet0/19    // destination port
 port monitor fastethernet0/17    // source port
If they are not on the same switch, RSPAN (Remote SPAN) must be configured. Different switches place different limits on SPAN: on the 2900XL, for example, the source and destination ports must be in the same VLAN, and some switches do not support RSPAN at all; see the device documentation. When configuring SPAN, the source port or VLAN number and the destination port must be specified. Note that a SPAN destination port no longer behaves as an ordinary switch port: it only transmits the mirrored traffic, so the monitoring host cannot use it for normal communication.
When configuring RSPAN, first define a VLAN of type RSPAN. In an ordinary VLAN, if the source and destination hosts are on the same switch, unicast traffic between them never needs to cross a trunk to other switches; the RSPAN VLAN, by contrast, must carry such traffic across the trunks so that the monitor can see it. The RSPAN VLAN must therefore exist, marked remote-span, on the source switch, the destination switch and every switch on the trunk path between them (VTP can propagate it). On the source switch, configure the monitored port or VLAN to forward its traffic into the RSPAN VLAN (on a switch running IOS, a separate port must be set aside as the reflector port); on the destination switch, configure the RSPAN VLAN to be forwarded to the destination port where the monitoring host is connected.
IOS switches, such as the 3550:
3550(config)# vlan 900    // create the RSPAN VLAN
3550(config-vlan)# remote-span
monitor session 1 remote    // source switch
monitor session 1 source interface fastethernet0/17 both    // source port
monitor session 1 destination remote vlan 900 reflector-port fastethernet0/20    // destination RSPAN VLAN and reflector port
monitor session 2 remote    // destination switch
monitor session 2 source remote vlan 900    // RSPAN VLAN
monitor session 2 destination interface fastethernet0/19    // destination port
After a recent RSPAN deployment, users reported severe packet loss on some network segments. Careful examination showed that the uplink ports of some switches were heavily loaded. Further analysis found that an RSPAN session had been enabled between two core switches, and the traffic on the RSPAN VLAN was very large, up to 300 Mbit/s.
Because pruning was not enabled in the VTP domain, this RSPAN VLAN traffic was carried on every trunk, causing congestion. After the RSPAN VLAN was removed from the trunks that did not need it (switchport trunk allowed vlan remove 900), the network returned to normal. The existence of SPAN makes it all the more important to protect switches from unauthorized control: an attacker who controls a host and some switches can use SPAN/RSPAN together with a sniffer to eavesdrop on any traffic on the network.
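As an added example (not part of the original article), the following Python script turns the two lessons above into a check: it parses plain-text `show running-config` output for every `monitor session`, every VLAN declared `remote-span`, and every trunk that still carries an RSPAN VLAN, and flags sessions that are not on an operator-kept allow-list, since an attacker who controls a switch only needs one extra `monitor session` to sniff. The sample configuration, the allow-list and the function names are constructed for this example.

```python
"""Audit Cisco IOS running-config text for SPAN/RSPAN exposure (added example,
not code from the original article): list every `monitor session`, every VLAN
declared `remote-span`, and every trunk still carrying an RSPAN VLAN, and flag
sessions that are not on an operator-kept allow-list. Inputs are constructed."""
import re
from dataclasses import dataclass, field

# Constructed sample: a 3550-style source switch with two uplink trunks.
# Session 1 is the sanctioned RSPAN session from the article; session 3 is rogue.
SAMPLE_CONFIG = """\
vlan 900
 remote-span
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk allowed vlan 1-899,901-4094
 switchport mode trunk
!
monitor session 1 source interface Fa0/17 both
monitor session 1 destination remote vlan 900 reflector-port Fa0/20
monitor session 3 source vlan 10 rx
monitor session 3 destination interface Fa0/24
"""

@dataclass
class Session:
    number: int
    sources: list = field(default_factory=list)   # "interface Fa0/17 both", "vlan 10 rx", ...
    destination: str = ""                          # "interface Fa0/24" or "remote vlan 900 ..."

def vlan_in_range(vlan: int, spec: str) -> bool:
    """True if `vlan` is inside an allowed-vlan list such as '1-899,901-4094',
    'all' or 'none' (the add/remove/except forms are not merged here)."""
    spec = spec.strip().lower()
    if spec in ("all", "none"):
        return spec == "all"
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= vlan <= int(hi or lo):
            return True
    return False

def parse_config(text: str):
    """Return (rspan_vlans, trunks, sessions); trunks maps interface name to its
    allowed-vlan spec, 'all' when the trunk is unrestricted."""
    rspan_vlans, trunks, sessions = set(), {}, {}
    block_kind = block_name = None          # the "vlan N" / "interface X" block we are in
    is_trunk, allowed = False, "all"

    def close_block():                      # record a finished interface block
        nonlocal is_trunk, allowed
        if block_kind == "interface" and is_trunk:
            trunks[block_name] = allowed
        is_trunk, allowed = False, "all"

    for line in text.splitlines():
        if not line.startswith(" "):        # any top-level line ends the open block
            close_block()
            block_kind = block_name = None
            m = re.match(r"^vlan (\d+)$", line) or re.match(r"^interface (\S+)$", line)
            if m:
                block_kind, block_name = line.split()[0], m.group(1)
                continue
            m = re.match(r"^monitor session (\d+) (source|destination) (.+)$", line)
            if m:
                s = sessions.setdefault(int(m.group(1)), Session(int(m.group(1))))
                if m.group(2) == "source":
                    s.sources.append(m.group(3))
                else:
                    s.destination = m.group(3)
            continue
        sub = line.strip()
        if block_kind == "vlan" and sub == "remote-span":
            rspan_vlans.add(int(block_name))
        elif block_kind == "interface":
            if sub == "switchport mode trunk":
                is_trunk = True
            m = re.match(r"^switchport trunk allowed vlan (.+)$", sub)
            if m:
                allowed = m.group(1)
    close_block()
    return rspan_vlans, trunks, sessions

def audit(text: str, allowed_sessions: set) -> dict:
    """Flag sessions outside the allow-list (a rogue SPAN is a network-wide
    sniffer) and trunks that still carry an RSPAN VLAN (the article's
    300 Mbit/s flood): remove the VLAN from every trunk with no monitor behind it."""
    rspan_vlans, trunks, sessions = parse_config(text)
    leaky = {v: [n for n, spec in sorted(trunks.items()) if vlan_in_range(v, spec)]
             for v in sorted(rspan_vlans)}
    return {
        "unauthorized_sessions": sorted(n for n in sessions if n not in allowed_sessions),
        "rspan_vlans": sorted(rspan_vlans),
        "leaky_trunks": {v: names for v, names in leaky.items() if names},
    }
```

Run `audit(config_text, allowed_sessions={1})` over the saved running-config of every switch in the VTP domain, not just the two that are supposed to be mirroring; on the sample it reports session 3 as unauthorized and VLAN 900 still allowed on GigabitEthernet0/1, while GigabitEthernet0/2, where the VLAN was removed from the trunk, is clean. Trunks with no `switchport trunk allowed vlan` line are treated as carrying all VLANs, which is the default that caused the incident described above.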