SPAN Port Question for a 2960 Catalyst Switch

Answered Question
Jul 20th, 2007

I have a 2960 Catalyst and I need to know whether, when I set the SPAN port, it operates by listening and sending traffic or whether it just listens to traffic. The reason I need to know this is because I am having trouble getting my Websense to work properly through the new Catalyst. We had it connected to an old Enterasys with a mirrored port and it worked fine.... Any advice....

Thanks

Shaun

Correct Answer by royalblues about 9 years 4 months ago

Shaun,

By default the span destination will only be in listening mode.

If you configure ingress traffic forwarding, the destination port forwards traffic at Layer 2.

More info on 2960 SPANs at this link:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2960/12225see/scg/swspan.htm#wp1251490

HTH, rate if it does

Narayan

Overall Rating: 5 (2 ratings)
Correct Answer
sundar.palaniappan Fri, 07/20/2007 - 07:28

Shaun,

Both above posts are correct in their respective way.

It depends on whether you are talking about the source port (mirrored port) or the destination port (SPAN/port to which the sniffer is connected). It sounds like your concern is about the destination SPAN port.

Anyway, as stated before, the mirrored port by default mirrors tx/rx traffic and the destination SPAN port only receives traffic by default. You have the option of changing the default behavior in both cases.

HTH

Sundar

ShaunieK226 Fri, 07/20/2007 - 10:42

Thanks!

Few more things. For my clarification, I thought that in Catalyst Switches a SPAN port is a type of Mirror Port. I thought they were the same thing because I did not see anything about "Mirror" ports in the software while configuring the switch. How would you configure a "Mirrored Port" as opposed to a "SPAN Port"?

Secondly, what we are doing is running Websense and a SNORT Box on this switch.

This is how I have set it up:

monitor session 1 source interface Fa0/2

monitor session 1 destination interface Gi0/1 ingress untagged vlan 1

monitor session 2 source interface Fa0/3 - 22 , Fa0/24 - 48

monitor session 2 destination interface Fa0/1

Should this work?

Monitor Session 1 is for our Websense and we will plug our Websense into G0/1. Websense only needs to see traffic coming and going on F0/2, the Snort Box does the rest. Though I see in the software that I can only use ingress forwarding on a VLAN. The Websense is a promiscuous port without an IP Address.

Monitor Session 2 is for our SNORT Box. That works.
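An added example, not part of any post in this thread: a small Python check that reads the monitor session lines from a saved configuration and reports which SPAN destination ports are receive-only and which have ingress forwarding enabled, so a monitoring port that can also send frames into the network is easy to spot. The sample input is the configuration quoted above; the function names are hypothetical, and only the interface form of the command with a single destination port is assumed.

```python
import re

# Constructed sample: the four monitor session lines quoted in the thread.
SAMPLE_CONFIG = """\
monitor session 1 source interface Fa0/2
monitor session 1 destination interface Gi0/1 ingress untagged vlan 1
monitor session 2 source interface Fa0/3 - 22 , Fa0/24 - 48
monitor session 2 destination interface Fa0/1
"""

LINE_RE = re.compile(
    r"^\s*monitor session (\d+) (source|destination) interface (.+?)\s*$",
    re.IGNORECASE)


def parse_span_sessions(config_text):
    """Map session id -> sources, destination port and ingress option."""
    sessions = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an interface-based monitor session line
        sid, role, rest = int(m.group(1)), m.group(2).lower(), m.group(3)
        s = sessions.setdefault(
            sid, {"sources": [], "destination": None, "ingress": None})
        if role == "source":
            # Optional trailing direction keyword; none given means both.
            d = re.search(r"\s+(both|rx|tx)$", rest, re.IGNORECASE)
            direction = d.group(1).lower() if d else "both"
            ports = rest[:d.start()] if d else rest
            s["sources"] += [(p.strip(), direction)
                             for p in ports.split(",") if p.strip()]
        else:
            # Text after "ingress" is the forwarding option; absent = receive-only.
            port, sep, option = rest.partition(" ingress ")
            s["destination"] = port.split()[0]
            s["ingress"] = option.strip() if sep else None
    return sessions


def ports_that_can_transmit(sessions):
    """Destination ports whose attached device may send frames into the network."""
    return sorted((sid, s["destination"], s["ingress"])
                  for sid, s in sessions.items() if s["ingress"])


if __name__ == "__main__":
    parsed = parse_span_sessions(SAMPLE_CONFIG)
    for sid, s in sorted(parsed.items()):
        mode = "ingress " + s["ingress"] if s["ingress"] else "receive-only"
        print(f"session {sid}: {s['destination']} <- {s['sources']} [{mode}]")
```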

Hi,

I am looking at a similar WebSense issue but looking at the documentation I am not sure if the 2960 will do the thing that we want.

In our case the WebSense box has one NIC used for all admin communication of WebSense and control of our proxy server.

The 2960 switch has one port to the proxy, one to the WebSense and two to internet firewalls.

If we had a hub in place of a switch then WebSense could see the internet bound network traffic via the proxy server and control access.

Using a 2960 it appears possible to create a local port span where the internet bound traffic is replicated on the destination span port of the 2960, in this case the WebSense connected port.

However, with a span in place the WebSense box is no longer manageable and it cannot control the proxy and, as a result, any browsing traffic.

So do you know if it is possible to configure a port span that is effectively a hub?

Thanks

Alan
