
SPAN Port Question for a 2960 Catalyst Switch

ShaunieK226
Level 1

I have a 2960 Catalyst and I need to know, when I set the SPAN port, whether it operates by listening and sending traffic or whether it just listens to traffic. The reason I need to know this is because I am having trouble getting my Websense to work properly through the new Catalyst. We had it connected to an old Enterasys with a mirrored port and it worked fine.... Any advice....

Thanks

Shaun

6 Replies

Edison Ortiz
Hall of Fame

royalblues
Level 10

Shaun,

By default the SPAN destination will only be in listening mode.

If you configure ingress traffic forwarding, the destination port forwards traffic at Layer 2.

More info on 2960 SPANs at this link:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2960/12225see/scg/swspan.htm#wp1251490

HTH, rate if it does

Narayan

Shaun,

Both above posts are correct in their respective way.

It depends on whether you are talking about the source port (mirrored port) or the destination port (SPAN/port to which the sniffer is connected). It sounds like your concern is about the destination SPAN port.

Anyway, as stated before, the mirrored port by default mirrors tx/rx traffic and the destination SPAN port only receives traffic by default. You have the option of changing the default behavior in both cases.

HTH

Sundar

Thanks!

A few more things. For my clarification, I thought that in Catalyst switches a SPAN port is a type of mirror port. I thought they were the same thing because I did not see anything about "Mirror" ports in the software while configuring the switch. How would you configure a "Mirrored Port" as opposed to a "SPAN Port"?

Secondly, what we are doing is running Websense and a SNORT box on this switch.

This is how I have set it up:

monitor session 1 source interface Fa0/2

monitor session 1 destination interface Gi0/1 ingress untagged vlan 1

monitor session 2 source interface Fa0/3 - 22 , Fa0/24 - 48

monitor session 2 destination interface Fa0/1

Should this work?

Monitor Session 1 is for our Websense, and we will plug our Websense into G0/1. Websense only needs to see traffic coming and going on F0/2; the Snort box does the rest. Though I see in the software that I can only use ingress forwarding on a VLAN. The Websense is a promiscuous port without an IP address.

Monitor Session 2 is for our SNORT Box. That works.

For SPAN to work there are some conditions to be met; make sure that your setup meets those requirements.

Here's a good link with configuration examples of SPAN. Go through this document and let us know if you still have problems.

http://www.cisco.com/warp/public/473/41.html

HTH

Sundar

Hi,

I am looking at a similar WebSense issue, but looking at the documentation I am not sure if the 2960 will do the thing that we want.

In our case the WebSense box has one NIC used for all admin communication of WebSense and control of our proxy server.

The 2960 switch has one port to the proxy, one to the WebSense and two to internet firewalls.

If we had a hub in place of a switch then WebSense could see the internet bound network traffic via the proxy server and control access.

Using a 2960 it appears possible to create a local port span where the internet bound traffic is replicated on the destination span port of the 2960, in this case the WebSense connected port.

However, with a SPAN in place the WebSense box is no longer manageable and it cannot control the proxy and, as a result, any browsing traffic.

So do you know if it is possible to configure a port SPAN that is effectively a hub?

Thanks

Alan
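
An added example, not part of any post in this thread: a small Python check that reads `monitor session` lines like the ones quoted above and reports, per session, whether the destination port is listen-only (the default described in the replies) or has ingress forwarding configured. The function names and the sample string are constructed for this illustration, and only interface-based sessions are handled.

```python
import re

# Constructed sample: the monitor-session lines quoted in the thread.
SAMPLE_CONFIG = """\
monitor session 1 source interface Fa0/2
monitor session 1 destination interface Gi0/1 ingress untagged vlan 1
monitor session 2 source interface Fa0/3 - 22 , Fa0/24 - 48
monitor session 2 destination interface Fa0/1
"""

# Interface-based sessions only; "source vlan ..." lines are skipped.
LINE_RE = re.compile(
    r"^\s*monitor session (\d+) (source|destination) interface (.+?)\s*$", re.I)
SRC_DIR_RE = re.compile(r"\s+(both|rx|tx)$", re.I)   # optional source direction
INGRESS_RE = re.compile(r"\s+ingress\s+(.+)$", re.I)  # optional ingress forwarding
ENCAP_RE = re.compile(r"\s+encapsulation\s+\S+", re.I)

def parse_span(config):
    """Return {session: {"sources": [(ifaces, dir)], "dest": str, "ingress": str|None}}."""
    sessions = {}
    for line in config.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        num, role, rest = int(m.group(1)), m.group(2).lower(), m.group(3)
        s = sessions.setdefault(num, {"sources": [], "dest": None, "ingress": None})
        if role == "source":
            d = SRC_DIR_RE.search(rest)
            # With no keyword, the source port is mirrored in both directions.
            direction = d.group(1).lower() if d else "both"
            s["sources"].append((SRC_DIR_RE.sub("", rest), direction))
        else:
            ing = INGRESS_RE.search(rest)
            s["ingress"] = ing.group(1).lower() if ing else None
            rest = INGRESS_RE.sub("", rest)
            s["dest"] = ENCAP_RE.sub("", rest).strip()
    return sessions

def report(sessions):
    out = []
    for num, s in sorted(sessions.items()):
        mode = ("ingress forwarding enabled (%s)" % s["ingress"]
                if s["ingress"] else "listen-only (default)")
        out.append("session %d -> %s: %s" % (num, s["dest"], mode))
    return out

if __name__ == "__main__":
    print("\n".join(report(parse_span(SAMPLE_CONFIG))))
```

Run against a saved copy of the switch configuration, this makes it easy to see which monitoring ports can only receive mirrored traffic and which are configured to accept frames from the attached sensor.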
