07-20-2007 07:14 AM - edited 03-05-2019 05:24 PM
I have a 2960 Catalyst and I need to know whether, when I set the SPAN port, it operates by listening and sending traffic or whether it just listens to traffic. The reason I need to know this is because I am having trouble getting my Websense to work properly through the new Catalyst. We had it connected to an old Enterasys with a mirrored port and it worked fine.... Any advice....
Thanks
Shaun
07-20-2007 07:16 AM
SPAN copies traffic sent and received on the port.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2960/12237se/scg/swspan.htm
07-20-2007 07:20 AM
Shaun,
By default the SPAN destination will only be in listening mode.
If you configure ingress traffic forwarding, the destination port forwards traffic at Layer 2.
More info on 2960 SPANs at this link:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2960/12225see/scg/swspan.htm#wp1251490
HTH, rate if it does
Narayan
07-20-2007 07:28 AM
Shaun,
Both of the above posts are correct in their respective ways.
It depends on whether you are talking about the source port (mirrored port) or the destination port (the SPAN port to which the sniffer is connected). It sounds like your concern is about the destination SPAN port.
Anyway, as stated before, the mirrored port by default mirrors tx/rx traffic and the destination SPAN port only receives traffic by default. You have the option of changing the default behavior in both cases.
HTH
Sundar
07-20-2007 10:42 AM
Thanks!
A few more things. For my clarification, I thought that in Catalyst switches a SPAN port is a type of mirror port. I thought they were the same thing because I did not see anything about "Mirror" ports in the software while configuring the switch. How would you configure a "Mirrored Port" as opposed to a "SPAN Port"?
Secondly, what we are doing is running Websense and a SNORT box on this switch.
This is how I have set it up:
monitor session 1 source interface Fa0/2
monitor session 1 destination interface Gi0/1 ingress untagged vlan 1
monitor session 2 source interface Fa0/3 - 22 , Fa0/24 - 48
monitor session 2 destination interface Fa0/1
Should this work?
Monitor Session 1 is for our Websense and we will plug our Websense into G0/1. Websense only needs to see traffic coming and going on F0/2; the Snort box does the rest. Though I see in the software that I can only use ingress forwarding on a VLAN. The Websense is a promiscuous port without an IP address.
Monitor Session 2 is for our SNORT Box. That works.
07-20-2007 11:03 AM
For SPAN to work there are some conditions to be met. Make sure that your setup meets those requirements.
Here's a good link with configuration examples of SPAN. Go through this document and let us know if you still have problems.
http://www.cisco.com/warp/public/473/41.html
HTH
Sundar
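An added example, not part of the original thread or of Cisco's documentation: a Python audit of the `monitor session` lines posted above, reporting which SPAN destination ports are listen-only and which have ingress forwarding enabled and can therefore send frames into the network. The function names and the conflict check (a destination port may not also be a SPAN source) are assumptions of this example.

```python
import re

# The four lines from the post above, copied as posted.
CONFIG = """\
monitor session 1 source interface Fa0/2
monitor session 1 destination interface Gi0/1 ingress untagged vlan 1
monitor session 2 source interface Fa0/3 - 22 , Fa0/24 - 48
monitor session 2 destination interface Fa0/1
"""

LINE = re.compile(r"monitor session (\d+) (source|destination) interface (.+)", re.I)
OPTIONS = re.compile(r"\s+(?:rx|tx|both|encapsulation|ingress)\b.*$", re.I)
INGRESS = re.compile(r"\bingress\s+(.+)$", re.I)

def expand(spec):
    """Expand 'Fa0/3 - 22 , Fa0/24 - 48' into individual port names."""
    ports = []
    for part in spec.split(","):
        m = re.fullmatch(r"\s*([A-Za-z]+(?:\d+/)+)(\d+)(?:\s*-\s*(\d+))?\s*", part)
        if not m:
            raise ValueError(f"unrecognised interface spec: {part!r}")
        first, last = int(m.group(2)), int(m.group(3) or m.group(2))
        ports += [f"{m.group(1)}{n}" for n in range(first, last + 1)]
    return ports

def parse(config):
    """Return {session: {'sources': [...], 'dest': [...], 'ingress': str or None}}."""
    sessions = {}
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        s = sessions.setdefault(int(m.group(1)), {"sources": [], "dest": [], "ingress": None})
        ports = expand(OPTIONS.sub("", m.group(3)))  # drop rx/tx/both and dest options
        if m.group(2).lower() == "source":
            s["sources"] += ports
        else:
            s["dest"] += ports
            ing = INGRESS.search(m.group(3))
            s["ingress"] = ing.group(1).strip() if ing else s["ingress"]
    return sessions

def audit(sessions):
    """Ports that can send into the network, listen-only ports, dest/source clashes."""
    sources = {p for s in sessions.values() for p in s["sources"]}
    can_send = {p: s["ingress"] for s in sessions.values() if s["ingress"] for p in s["dest"]}
    listen_only = [p for s in sessions.values() if not s["ingress"] for p in s["dest"]]
    conflicts = sorted(p for s in sessions.values() for p in s["dest"] if p in sources)
    return can_send, listen_only, conflicts

if __name__ == "__main__":
    print(audit(parse(CONFIG)))
```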
08-21-2007 03:37 PM
Hi,
I am looking at a similar WebSense issue, but looking at the documentation I am not sure if the 2960 will do the thing that we want.
In our case the WebSense box has one NIC used for all admin communication of WebSense and control of our proxy server.
The 2960 switch has one port to the proxy, one to the WebSense and two to internet firewalls.
If we had a hub in place of a switch then WebSense could see the internet bound network traffic via the proxy server and control access.
Using a 2960 it appears possible to create a local port SPAN where the internet-bound traffic is replicated on the destination SPAN port of the 2960, in this case the WebSense-connected port.
However, with a SPAN in place the WebSense box is no longer manageable and it cannot control the proxy and, as a result, any browsing traffic.
So do you know if it is possible to configure a port SPAN that is effectively a hub?
Thanks
Alan