Configuring a SET-Based Switch for SPAN

CatOS-based switches like 4000, 5000, and 6000 series use a different command syntax. They are also sometimes called Set-based switches, because a lot of configuration work is done using the set command. A command for configuring SPAN on these switches is set span.

Sw6000 (enable) set span
Usage: set span disable [dest_mod/dest_port|all]
       set span <src_mod/src_ports...|src_vlans...> <dest_mod/dest_port>
                [rx|tx|both]
                [inpkts <enable|disable>]
                [learning <enable|disable>]
                [multicast <enable|disable>]
                [filter <vlans...>]
                [create]

We will use the following port configuration, as shown in Figure 9.5.

Figure 9.5: Example Switch Ports and VLANs

The simplest case is when you need to copy traffic from specific ports to a port where an IDS is attached (a destination port). For example, to monitor ports 3/1, 3/2, 3/3, and 3/5 using an IDS module attached to port 3/6, you need to enter the following command:

Sw6000 (enable) set span 3/1-3, 3/5 3/6

This command produces output describing a new span session similar to this:

Destination : Port 3/6
Admin Source : Port 3/1-3, 3/5
Oper Source : Port 3/1-3, 3/5
Direction : transmit/receive
Incoming Packets: disabled
Learning : enabled
Multicast : enabled
Filter : -
Status : active
switch (enable) 2003 Jun 19 08:34:36 %SYS-5-SPAN_CFGSTATECHG:local span
session active for destination port 3/6

The session becomes active immediately. The first parameter for a set span command in this case is a list of source ports (3/1–3 means 3/1 through 3/3), while the destination port 3/6 is the second parameter. This command also takes several optional switches, which specify more detailed features. As with the earlier IOS-based configurations, it is possible to select the direction of the captured traffic: only ingress traffic, only egress traffic, or traffic in both directions. The preceding example does not have any keyword describing the direction, so the both keyword is assumed. To monitor only ingress traffic, the command line could be

Sw6000 (enable) set span 3/1-3, 3/5 3/6 rx
2003 Jun 19 08:35:37 %SYS-5-SPAN_CFGSTATECHG:local span session inactive
for destination port 3/6
Destination : Port 3/6
Admin Source : Port 3/1-3, 3/5
Oper Source : Port 3/1-3, 3/5
Direction : receive
Incoming Packets: disabled
Learning : enabled
Multicast : enabled
Filter : -
Status : active
switch (enable) 2003 Jun 19 08:35:37 %SYS-5-SPAN_CFGSTATECHG:local span
session active for destination port 3/6

The output produced by this command (assuming it was entered after the command from the previous example) shows that the previously configured span session was disabled and a new one created. By default, there is only one session active on a switch. In order to create a new session without disabling another one, use the keyword create:

Sw6000 (enable) set span 3/1 3/4 create

This command creates a second session on the switch, which you can check using the show span command:

Sw6000 (enable) show span
Destination : Port 3/6
Admin Source : Port 3/1-3, 3/5
Oper Source : Port 3/1-3, 3/5
Direction : receive
Incoming Packets: disabled
Learning : enabled
Multicast : enabled
Filter : -
Status : active
-------------------------------------------------------------------
Destination : Port 3/6
Admin Source : Port 3/1
Oper Source : Port 3/1
Direction : transmit/receive
Incoming Packets: disabled
Learning : enabled
Multicast : enabled
Filter : -
Status : active
Total local span sessions: 2

SPAN sessions can be disabled with the command

Sw6000 (enable) set span disable [ all | destination_port ]

The keyword all disables all configured sessions, and specifying a destination port disables the session monitored by this port only.


Note

For Catalyst switches with the IDSM module, the SPAN destination should be the first port on the corresponding slot. For example, if IDSM is module 6, then the corresponding destination will be 6/1.

By default, no packets are received by the switch on a SPAN destination port (this is what is generally needed when an IDS is connected to this port). If you want to allow the switch to receive packets on a destination interface too, use the inpkts enable option, although this is not advisable, because it can cause bridging loops. Also, by default a destination port learns MAC addresses from the incoming packets it receives. From the IDS point of view it is better to switch this feature off using the learning disable option, for example:

Sw6000 (enable) set span 3/1 3/4 inpkts disable learning disable create

As with other models, it is possible to monitor not only specific ports, but whole VLANs. The command line remains the same except that sources are denoted by VLAN numbers instead of port names. For example:

Sw6000 (enable) set span 2,3 3/4

This creates a session monitoring traffic from VLANs 2 and 3 and copying it to port 3/4.

Consider a more complex situation: let's assume we have a switch with one trunk port and we want to monitor all of this switch's traffic belonging to VLAN 1 (which is distributed across the trunk), excluding one port, 3/1, as shown in Figure 9.6.

Figure 9.6: Filtering on a Trunk

This means we need to monitor all traffic from VLAN 1 coming from the trunk, and also from port 3/2, but not 3/1. The command

Sw6000 (enable) set span 1 3/6

will result in forwarding all VLAN 1 traffic to monitor port 3/6. Another possible solution

Sw6000 (enable) set span 3/2, 3/5 3/6

will copy too much traffic: the whole of trunk 3/5 instead of only its VLAN 1 packets.

The required result is achieved by using the VLAN filtering feature.

Sw6000 (enable) set span 3/2, 3/5 3/6 filter 1

This gives us exactly what we need: only traffic from ports 3/2 and 3/5 that belongs to VLAN 1. The output from the show span command confirms this:

Destination : Port 3/6
Admin Source : Port 3/2, 3/5
Oper Source : Port 3/2, 3/5
Direction : transmit/receive
Incoming Packets: disabled
Learning : enabled
Multicast : enabled
Filter : 1
Status : active
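The show span output above has a fixed, line-per-field layout, which makes it easy to audit sessions that feed an IDS against the advice in this section (inpkts disabled, learning disabled, and a VLAN filter whenever a trunk port is a source). The following is an added example, not code from the book or from Cisco; the sample output is constructed in the format shown above, and the port and trunk names passed to the audit are assumptions.

```python
import re

# Constructed sample in the format of the show span output above (not captured from a switch).
SAMPLE_SHOW_SPAN = """\
Destination     : Port 3/6
Admin Source    : Port 3/2, 3/5
Oper Source     : Port 3/2, 3/5
Direction       : transmit/receive
Incoming Packets: disabled
Learning        : enabled
Multicast       : enabled
Filter          : 1
Status          : active
Total local span sessions: 1
"""

def parse_show_span(text):
    """Split CatOS 'show span' output into one dict per session."""
    sessions = [{}]
    for line in text.splitlines():
        if line.startswith(("---", "Total local span")):
            sessions.append({})  # a separator line ends the current session
        elif ":" in line:
            key, value = line.split(":", 1)
            sessions[-1][key.strip()] = value.strip()
    return [s for s in sessions if s]

def expand_ports(spec):
    """'Port 3/1-3, 3/5' -> ['3/1', '3/2', '3/3', '3/5'] (ranges expanded)."""
    ports = []
    for item in spec.replace("Port", "").replace(" ", "").split(","):
        m = re.fullmatch(r"(\d+)/(\d+)-(\d+)", item)
        if m:
            ports += [f"{m[1]}/{p}" for p in range(int(m[2]), int(m[3]) + 1)]
        elif item:
            ports.append(item)
    return ports

def audit_session(session, ids_port, trunk_ports):
    """Return findings for a session whose destination is the IDS port (else [])."""
    if expand_ports(session.get("Destination", "")) != [ids_port]:
        return []
    findings = []
    if session.get("Incoming Packets") != "disabled":
        findings.append("inpkts enabled on IDS port: bridging loop risk")
    if session.get("Learning") != "disabled":
        findings.append("MAC learning enabled on IDS port: use learning disable")
    sources = expand_ports(session.get("Oper Source", ""))
    if set(sources) & set(trunk_ports) and session.get("Filter", "-") == "-":
        findings.append("trunk source without VLAN filter: copies all VLANs")
    return findings
```

Run the parser over the output of show span, then call audit_session with the IDS destination port and the list of trunk ports; an empty list means the session matches the recommendations above.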

It is possible, of course, to filter on more than one VLAN ID, for example:

Sw6000 (enable) set span 3/5 3/6 filter 1,2

will copy from trunk port 3/5 to port 3/6 only traffic belonging to VLANs 1 and 2.


Note

VLAN filtering is possible on Catalyst 4000 and 6000 series switches. The Catalyst 5000 series switch does not support the filter option in the set span command.