Saturday, September 26, 2009

Monitoring Traffic with Span Ports

This is just a quick post detailing how to set up a Span Port on a Cisco 2950 switch to monitor traffic.

Previously I had used either a hub or ARP poisoning to capture traffic in a switched environment. On my Cisco switch I can capture traffic by telling the switch to send a copy of all traffic destined for one port (or multiple ports) to another port.

Span Port Configuration

In the configuration below I have told the switch to send a copy of all data sent or received on ports 3 to 5 to port 23:

S1(config)#monitor session 1 source interface fastEthernet 0/3 - 5 both
S1(config)#monitor session 1 destination interface fastEthernet 0/23

The configuration can be verified with the following command:

S1#sh monitor session 1

This works across VLANs too, as port 23 is configured into a separate VLAN from ports 3 to 5.

This should emphasise the need to secure your switch (passwords, SSH, locking down ports, etc.), as a Span Port is obviously great for monitoring traffic but can also be used by an attacker to capture traffic.
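One way to act on that warning, as an added example that is not part of the original post: a small Python audit that reads the monitor session lines from a saved switch configuration and reports any Span session that is not on an approved list. The sample configuration, the allowlist and the function names are constructed for illustration, and the abbreviated interface form (Fa0/3 - 5) is an assumption about how the switch renders these lines.

```python
import re

# Constructed sample: monitor session lines as assumed to appear in a saved config.
SAMPLE_CONFIG = """\
monitor session 1 source interface Fa0/3 - 5
monitor session 1 destination interface Fa0/23
monitor session 2 source interface Fa0/1 , Fa0/7 - 8 rx
monitor session 2 destination interface Fa0/12
"""

# Assumed allowlist: session number -> (approved source ports, approved destination).
APPROVED = {1: ({"Fa0/3", "Fa0/4", "Fa0/5"}, "Fa0/23")}

LINE_RE = re.compile(
    r"^monitor session (\d+) (source|destination) interface (.+?)(?: (?:rx|tx|both))?\s*$")

def expand_ports(spec):
    """Expand 'Fa0/1 , Fa0/7 - 8' into {'Fa0/1', 'Fa0/7', 'Fa0/8'}."""
    ports = set()
    for item in spec.split(","):
        m = re.fullmatch(r"\s*(\S+/)(\d+)(?:\s*-\s*(\d+))?\s*", item)
        if not m:
            raise ValueError(f"unrecognised interface spec: {item!r}")
        prefix, first, last = m.group(1), int(m.group(2)), int(m.group(3) or m.group(2))
        ports.update(f"{prefix}{n}" for n in range(first, last + 1))
    return ports

def parse_sessions(config):
    """Return {session: {'source': set, 'destination': set}} from config text."""
    sessions = {}
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = sessions.setdefault(int(m.group(1)), {"source": set(), "destination": set()})
            entry[m.group(2)] |= expand_ports(m.group(3))
    return sessions

def audit(config, approved):
    """Return one finding per session that is unapproved or differs from the allowlist."""
    findings = []
    for num, s in sorted(parse_sessions(config).items()):
        if num not in approved:
            findings.append(f"session {num}: not approved, mirrors {sorted(s['source'])} to {sorted(s['destination'])}")
        elif (s["source"], s["destination"]) != (approved[num][0], {approved[num][1]}):
            findings.append(f"session {num}: differs from approved definition")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG, APPROVED)))
```

Run against the sample, this reports session 2 only, since session 1 matches the approved definition.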

Here is a great Cisco article on all things Span Port!

1 comment:

Anonymous said...

Searching for a week on how to configure this as the documentation just wasn't helping (Websense setup with 1 NIC). Thank you so much.