Configuring a SET-Based Switch for SPAN
CatOS-based switches like 4000, 5000, and 6000 series use a different command syntax. They are also sometimes called Set-based switches, because a lot of configuration work is done using the set command. A command for configuring SPAN on these switches is set span.
Sw6000 (enable) set span
Usage: set span disable [dest_mod/dest_port|all]
set span
[rx|tx|both]
[inpkts]
[learning]
[multicast]
[filter]
[create]
We will use the following port configuration, as shown in Figure 9.5.
The simplest case is when you need to copy traffic from specific ports to a port where an IDS is attached (a destination port). For example, to monitor ports 3/1, 3/2, 3/3, and 3/5 using an IDS module attached to port 3/6, you need to enter the following command:
Sw6000 (enable) set span 3/1-3, 3/5 3/6
This command produces output describing a new span session similar to this:
Destination : Port 3/6
Admin Source : Port 3/1-3, 3/5
Oper Source : Port 3/1-3, 3/5
Direction : transmit/receive
Incoming Packets: disabled
Learning : enabled
Multicast : enabled
Filter : -
Status : active
switch (enable) 2003 Jun 19 08:34:36 %SYS-5-SPAN_CFGSTATECHG:local span
session active for destination port 3/6
The session becomes active immediately. The first parameter for a set span command in this case is a list of source ports (3/1–3 means 3/1 through 3/3), while the destination port 3/6 is the second parameter. This command also takes several optional switches, which specify more detailed features. As with the earlier IOS-based configurations, it is possible to select the direction of the captured traffic: only ingress traffic, only egress traffic, or traffic in both directions. The preceding example does not have any keyword describing the direction, so the both keyword is assumed. To monitor only ingress traffic, the command line could be
Sw6000 (enable) set span 3/1-3, 3/5 3/6 rx
2003 Jun 19 08:35:37 %SYS-5-SPAN_CFGSTATECHG:local span session inactive
for destination port 3/6
Destination : Port 3/6
Admin Source : Port 3/1-3, 3/5
Oper Source : Port 3/1-3, 3/5
Direction : receive
Incoming Packets: disabled
Learning : enabled
Multicast : enabled
Filter : -
Status : active
switch (enable) 2003 Jun 19 08:35:37 %SYS-5-SPAN_CFGSTATECHG:local span
session active for destination port 3/6
The output produced by this command (assuming it was entered after the command from the previous example) shows that the previously configured span session was disabled and a new one created. By default, there is only one session active on a switch. In order to create a new session without disabling another one, use the keyword create:
Sw6000 (enable) set span 3/1 3/4 create
This command creates a second session on the switch, which you can check using the show span command:
Sw6000 (enable) show span
Destination : Port 3/6
Admin Source : Port 3/1-3, 3/5
Oper Source : Port 3/1-3, 3/5
Direction : receive
Incoming Packets: disabled
Learning : enabled
Multicast : enabled
Filter : -
Status : active
-------------------------------------------------------------------
Destination : Port 3/6
Admin Source : Port 3/1
Oper Source : Port 3/1
Direction : transmit/receive
Incoming Packets: disabled
Learning : enabled
Multicast : enabled
Filter : -
Status : active
Total local span sessions: 2
SPAN sessions can be disabled with the command
Sw6000 (enable) set span disable [ all | destination_port ]
The keyword all disables all configured sessions, and specifying a destination port disables the session monitored by this port only.
Note | For Catalyst switches with the IDSM module, the SPAN destination should be the first port on the corresponding slot. For example, if IDSM is module 6, then the corresponding destination will be 6/1. |
By default, no packets are received by the switch on a SPAN destination port (this is what is generally needed when an IDS is connected to this port). If you want to allow switches to receive packets on a destination interface too, use the inpkts enable option, although this is not advisable, because it can cause bridging loops. Also, by default a destination port learns MAC addresses from incoming packets it receives. From the IDS point of view it is better to switch this feature off using the learning disable option, for example:
Sw6000 (enable) set span 3/1 3/4 inpkts disable learning disable create
As with other models, it is possible to monitor not only specific ports, but whole VLANs. The command line remains the same except that sources are denoted by VLAN numbers instead of port names. For example:
Sw6000 (enable) set span 2,3 3/4
This creates a session monitoring traffic from VLANs 2 and 3 and then copying it to the port 3/4.
Consider a more complex situation: let's assume we have a switch with one trunk port and we want to monitor this switch traffic from the whole VLAN 1 (which is distributed), excluding one port, 3/1, as shown in Figure 9.6.
This means we need to monitor all traffic from VLAN 1 coming from the trunk, and also from port 3/2, but not 3/1. The command
Sw6000 (enable) set span 1 3/6
will result in forwarding all VLAN 1 traffic to monitor port 3/6. Another possible solution
Sw6000 (enable) set span 3/2, 3/5 3/6
will get too much traffic—in other words, the whole trunk 3/5 instead of only VLAN 1 packets.
The required result is achieved by using the VLAN filtering feature.
Sw6000 (enable) set span 3/2, 3/5 3/6 filter 1
This gives us exactly what we need—only traffic from ports 3/2 and 3/5, which belongs to VLAN 1. The output from show span command indicates this:
Destination : Port 3/6
Admin Source : Port 3/2, 3/5
Oper Source : Port 3/2, 3/5
Direction : transmit/receive
Incoming Packets: disabled
Learning : enabled
Multicast : enabled
Filter : 1
Status : active
It is possible, of course, to filter on more than one VLAN ID, for example:
Sw6000 (enable) set span 3/5 3/6 filter 1,2
will copy from trunk port 3/5 to port 3/6 only traffic belonging to VLANS 1 and 2.
Note | VLAN filtering is possible on Catalyst 4000 and 6000 series switches. The Catalyst 5000 series switch does not support the filter option in the set span command |