Lab 4-21 – Configuring a Switched Port Analyzer Session
In this lab you’ll learn how to configure a Switched Port Analyzer Session (SPAN) to mirror all traffic on a single port to another port for traffic analysis.
Real World Application & Core Knowledge
Have you ever wanted to replicate traffic switch port to another switchport so you can view the traffic with Wireshark? Well there is a way to achieve that; its called Switch Port Analyzer Session, commonly referred to as a SPAN.
SPAN’s prove to be VERY beneficial in a production environment when troubleshooting issues with ethernet links between a switch and another device such as a router, firewall, server or host.
They may sound complex at first but they are very easy to configure, typically involve two lines of configuration and your all set.
Cisco Catalyst Series switches typically have a limit on the number of SPAN sessions they support. The NM-16ESW which is used in GNS3 only supports two SPAN sessions.
Note that you’ll be able to configure a SPAN session in GNS3 using a Cisco Router with the NM-16ESW installed however you will not be able to verify the SPAN session is actually working using wireshark as you cannot link an NIO connection to a NM-16ESW switchport within GNS3.
In this lab you’ll familiarize yourself with the following commands;
monitor session 1 source interface interfacename#/# – This command is executed in global configuration and creates a new SPAN session # and specifies the source interface(s) which are the interfaces which traffic is to be replicated to the specified destination.
monitor session 1 destination interface interfacename#/# – This command is executed in global configuration and creates a SPAN session # and specifies the destination interface that all traffic is replicated to.
show monitor session # – This command is executed in privileged mode which displays the current configuration for the specified span number.
Lab Prerequisites
- If you are using GNS3 than load the Stub Area Networking GNS3 topology than start devices; R1, R2 and SW1.
- Establish a console session with devices R1, R2 and SW1 than configure the devices respected hostname(s).
- Configure the IP Address 10.1.1.1/24 on R1′s Fa0/0 interface than configure SW1′s Vlan1 interface with the IP Address 10.1.1.10/24 than verify IP connectivity between R1 and SW1′s VLAN 1 interface before continuing.
Lab Objectives
- Configure a new SPAN session on SW1 using the first available SPAN session number. Configure the source interface of the SPAN as SW1′s Fa1/1 interface and the SPAN’s destination interface of Fa1/2.
- OPTIONAL: Verify that the span is functioning properly by using WireShark to sniff traffic that on the span’s destination interface. If you choose to verify this configuration you’ll need real hardware and set the span destination to a port that you’re PC is plugged into.
Lab Instruction
Step 1. – Configure a new SPAN session on SW1 using the first available SPAN session number. Configure the source interface of the SPAN as SW1’s Fa1/1 interface and the SPAN’s destination interface of Fa1/2.
To create a new span session you’ll use the monitor command in global configuration as shown below;
SW1 con0 is now available Press RETURN to get started. SW1>enable SW1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. SW1(config)#monitor session 1 source interface fa1/1 SW1(config)#monitor session 1 destination interface fa1/2 SW1(config)#end SW1#show monitor session 1 Session 1 --------- Source Ports: RX Only: None TX Only: None Both: Fa1/1 Source VLANs: RX Only: None TX Only: None Both: None Destination Ports: Fa1/2 Filter VLANs: None SW1#
This is fantastic job