Extreme Switches Newer

Submitted By Kevin Farnes

    {enable | disable} mirroring on port <port-no>
    configure mirroring {add | delete} {vlan <vlan> | port <port-no>}

The first line basically turns on or off the mirroring and what port the mirrored output should be sent to. The second line specifies what is to be mirrored. The second line can be repeated any number of times. There are some limitations on capability, however; for example, if you are mirroring a port, it must be on the same blade as the port being mirrored to.

Information Updated: 16 Aug 2004
Extreme Switches Older, eg 48, ExtremeWare Version 4.1

Submitted By Joel Snyder

In the older Summit Extremes (like the 48, not the 48i), you are blocked at v4 of their software.

    enable mirror to port <port-no>
        (both enables mirroring, and says where to send it. Notice that you cannot provide a list of ports, unfortunately)
    disable mirror
        (disables mirroring)
    config mirror add port <portno>
        (adds port <portno>, all VLANs that this port participates in)
    config mirror add port <portno> vlan <vlan name or #>
        (adds port <portno>, but only VLAN <vlan> traffic will be mirrored)
    config mirror add vlan <vlan name or #>
        (adds all ports that have this VLAN)

You can add more than one port by repeating the above lines.

    config mirror del port <portno>
    config mirror del vlan <vlan>
        (does the obvious thing)
    show mirror
        (shows status of mirroring, including whether the port is up or not (!))

One thing to be careful of in the Extreme is that with mirroring (at least in this version of the O/S), you get both IN and OUT mirroring, which means that if you pick a VLAN as the mirror object, you may see the same frame a couple of times if it goes in one port on the VLAN and out a different one.

Information Updated: 16 Aug 2004
Cisco Catalyst SPAN Support

Submitted By Mark McDonagh

    Switch               SPAN Sessions            TCP Countermeasures
    2900/3500XL          No Limit                 No
    2950                 1                        Yes
    3550                 2                        Yes
    3750                 2                        Yes
    4000 w CatOS         5                        Yes
    4500 w Native IOS    6 (both considered 2)    No
    6000 w CatOS         2 Rx or Both, 4 Tx       Yes
    6000 w Native IOS    2                        No

Information Updated: 16 Aug 2004
Cisco Catalyst 2900/3500XL

Submitted By Mark McDonagh

    int fa0/24
    port monitor fa0/1
    port monitor fa0/2
    port monitor fa0/3
    ^Z
    show port monitor
    Monitor Port          Port Being Monitored
    --------------------- ---------------------
    FastEthernet0/24      FastEthernet0/1
    FastEthernet0/24      FastEthernet0/2
    FastEthernet0/24      FastEthernet0/3

Monitored ports must be on the same VLAN. Monitored ports cannot be modified.

“port monitor vlan” is only valid for VLAN 1, and will only monitor management traffic destined to the IP address configured as VLAN 1 on the switch.

“port monitor”, by itself, will configure the port to monitor all ports on the switch that belong to the VLAN that port is assigned to.

Information Updated: 17 Aug 2004
Cisco Catalyst 2950 3550 3750

Submitted By Mark McDonagh

    c3550(config)#monitor session 1 source ?
      interface  SPAN source interface
      remote     SPAN source Remote
      vlan       SPAN source VLAN
    c3550(config)#monitor session 1 source interface fa0/1 - 3 rx
    c3550(config)#monitor session 1 destination interface fa0/24

Only an Rx SPAN session can have multiple source ports. Note the spaces in the syntax when specifying multiple interfaces. The separator can be “-” or “,”.

With source VLANs:

    c3550(config)#monitor session 1 source vlan 1 - 10 rx
    c3550(config)#monitor session 1 destination interface fa0/24

TCP Resets:

    c3550(config)#monitor session 1 source vlan 1 - 10 rx
    c3550(config)#monitor session 1 destination interface fa0/24 ingress vlan 1

The Catalyst 2950/3550 will allow you to configure a single VLAN to receive untagged TCP Reset packets. TCP Reset support is configured through the “ingress vlan” keywords. Only one VLAN is permitted. In this example, non-802.1q-tagged TCP Resets to servers or attackers existing on or through VLAN 1 would be allowed, but not if the attack or target was on VLANs 2-10. If the RST is a response to an attack detected by IDS 4.x where the 802.1q tag has been maintained, the RST will be sent on the appropriate VLAN.

If you are monitoring a VLAN trunk port, you may wish to filter one or more of the VLANs on that trunk. This example only monitors VLANs 5 and 100-200 on the trunk.

    c3550(config)#monitor session 1 source interface gigabit0/1
    c3550(config)#monitor session 1 filter vlan 5 , 100 - 200
    c3550(config)#monitor session 1 destination interface fa0/24

If the monitor session destination port is a trunk, you should also use the keyword ‘encapsulation dot1q’. If you do not, packets will be sent on the interface in native format.

Information Updated: 17 Aug 2004
Cisco Catalyst 4000 6000 with CatOS Switches

Submitted By Mark McDonagh

On Cat6k:

    set span {src_mod/src_ports | src_vlans | sc0} {dest_mod/dest_port} [rx | tx | both] [inpkts {enable | disable}] [learning {enable | disable}] [multicast {enable | disable}] [filter vlans...] [create]

On Cat4k:

    set span {src_mod/src_ports | src_vlan} dest_mod/dest_port [rx | tx | both] [filter vlan] [inpkts {enable | disable}] [learning {enable | disable}] [create]

Use the ‘create’ keyword with different destination ports to create multiple SPAN sessions. If the ‘create’ keyword is not used, and a SPAN session exists with the same destination port, the existing session will be replaced. If the destination port is different, then a new session will be created.

With source 2/1 and destination 3/5:

    c6500 (enable) set span 2/1 3/5

Information Updated: 16 Aug 2004
Cisco Catalyst 4000 6000 with IOS Switches

Submitted By Mark McDonagh

Syntax for Cat4k:

    Cat4k(config)# [no] monitor session {session_number} {source {interface type/num} | {vlan vlan_ID}} [, | - | rx | tx | both]
    Cat4k(config)# [no] monitor session {session_number} {destination {interface type/num}}

Syntax for Cat6k:

    Cat6k(config)# monitor session session_number source {{single_interface | interface_list | interface_range | mixed_interface_list | single_vlan | vlan_list | vlan_range | mixed_vlan_list} [rx | tx | both]} | {remote vlan rspan_vlan_ID}}
    Cat6k(config)# monitor session session_number destination {single_interface | interface_list | interface_range | mixed_interface_list} | {remote vlan rspan_vlan_ID}}

Information Updated: 16 Aug 2004
Cisco Catalyst 2950 Switches

Submitted By Kevin Farnes

(From Configuration Mode)

    monitor session 1 source interface <interface>
    monitor session 1 destination interface <interface>

The first line determines which ports are being monitored in the session and can be repeated. The second line determines where the monitor output is to be sent. On the 2950 only ports can be monitored. With Cisco the monitoring capability and commands can vary significantly with different models of switch.

Information Updated: 16 Aug 2004
Cisco 3500XL Switches

Submitted By Chris McCulloh

Connect via a command line, then enter enable mode (type 'en'), then execute the following commands, assuming the sniffer is plugged into port 14 on the switch, and all other ports in a 24 port switch are desired except 23:

    configure terminal
    interface f14
    port monitor f1-13, f15-22, f24
    end

The box should then see all traffic.

Information Updated: 16 Aug 2004
Cisco Catalyst 5000 Switches

Submitted By Dave Rodriguez

    set span 2-3 5/7 create

where 2-3 are the VLANs I'm monitoring. Switch ports can be specified as well:

    set span 2/3 5/7 create

to monitor port 2/3.

From Cisco's docs, in case that makes it clearer:

    set span {src_mod/src_ports | src_vlan | sc0} dest_mod/dest_port [rx | tx | both] [inpkts {enable | disable}] [learning {enable | disable}] [multicast {enable | disable}] [create]

Information Updated: 16 Aug 2004
Foundry Switches

Submitted By Kevin Farnes

(From Configuration Mode)

    interface <interface>
    port monitor <interface> {rx | tx | both}

The first line takes you into the interface that the mirror output should be presented on. The second line defines those interfaces you wish to have mirrored and whether just the input, output or both are copied.

Information Updated: 16 Aug 2004
Juniper M or T Series

Submitted By Donald Smith

Port Mirroring

1. Define the destination where copies of sampled packets will be sent:

    [edit]
    user@router# show forwarding-options
    port-mirroring {
        input {
            family inet;
            rate <sample-rate>;
            run-length <run-length>;
        }
        output {
            interface <interface-name> {
                next-hop <address>;
            }
            no-filter-check;
        }
    }

2. Define a sampling filter to identify "interesting" traffic:

    [edit]
    user@router# show firewall filter mirror-sample
    from {...}
    then {
        sample;
        accept;
    }

3. Apply the filter to the incoming interface:

    [edit]
    user@router# show interface <interface-name> unit 0 family inet
    filter {
        input mirror-sample;
    }

Notes:

1. Packets that pass the input filter are sampled based on the <sample-rate> and <run-length>. In each batch of <sample-rate> packets, the first <run-length> packets are mirrored.
2. The mirror interface should not participate in any routing. The sampled packets are not in any way encapsulated, so the raw packets are sent out the interface. Hopefully, the device on the far end is a traffic analyzer and not another router!
3. The <address> needs to be specified when the mirror interface is a multi-access media, and is used to fill in the MAC address.
4. Works only for IPv4 packets, and only for transit traffic.
5. You can only set up one mirror interface per router; all "sampled" traffic is mirrored.
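The sampling behaviour in notes 1 and 4 above, as an added example that is not part of the original submission: a model of the filter-then-sample pipeline in which only IPv4 packets matching the filter's "from" terms are eligible, and of each batch of <sample-rate> eligible packets the first <run-length> are copied to the mirror interface. The filter terms, packet records and field names are constructed and are not Junos data structures.

```python
# Added example (not from the original page): a model of the Junos sampling
# behaviour described in notes 1 and 4 above.  Only IPv4 (family inet)
# packets matching the filter's `from` terms are eligible, and of each batch
# of <sample-rate> eligible packets the first <run-length> are mirrored.
# The filter terms, packet records and field names are constructed.
from ipaddress import ip_address, ip_network

def matches_filter(pkt, terms):
    """Stand-in for the firewall filter's `from` clauses: `terms` is a
    list of dicts with optional 'source-address' (prefix) and 'protocol'
    keys; a packet matches if any term accepts it."""
    if pkt["family"] != "inet":            # note 4: IPv4 only
        return False
    for term in terms:
        if "source-address" in term and \
                ip_address(pkt["src"]) not in ip_network(term["source-address"]):
            continue
        if "protocol" in term and pkt["protocol"] != term["protocol"]:
            continue
        return True
    return False

def mirrored_indices(packets, terms, sample_rate, run_length):
    """Indices of the packets that reach the mirror interface.  The batch
    counter advances only on packets that passed the filter, as note 1
    describes; with run_length >= sample_rate every eligible packet goes."""
    if sample_rate < 1:
        raise ValueError("sample-rate must be at least 1")
    chosen, position = [], 0
    for i, pkt in enumerate(packets):
        if not matches_filter(pkt, terms):
            continue
        if position < run_length:
            chosen.append(i)
        position = (position + 1) % sample_rate
    return chosen

# Constructed input: mirror TCP from 10.0.0.0/24 only.
TERMS = [{"source-address": "10.0.0.0/24", "protocol": "tcp"}]
PACKETS = [
    {"family": "inet",  "src": "10.0.0.5",    "protocol": "tcp"},  # 0 eligible
    {"family": "inet",  "src": "10.0.0.6",    "protocol": "udp"},  # 1 wrong protocol
    {"family": "inet6", "src": "2001:db8::1", "protocol": "tcp"},  # 2 not IPv4
    {"family": "inet",  "src": "192.0.2.1",   "protocol": "tcp"},  # 3 wrong source
    {"family": "inet",  "src": "10.0.0.7",    "protocol": "tcp"},  # 4 eligible
    {"family": "inet",  "src": "10.0.0.8",    "protocol": "tcp"},  # 5 eligible
    {"family": "inet",  "src": "10.0.0.9",    "protocol": "tcp"},  # 6 eligible
    {"family": "inet",  "src": "10.0.0.10",   "protocol": "tcp"},  # 7 eligible
]

if __name__ == "__main__":
    print(mirrored_indices(PACKETS, TERMS, sample_rate=2, run_length=1))
```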

Information Updated: 20 Aug 2004