Thoughts on SPAN Configurations

I've been trying to understand how to configure Cisco switches for use in network security monitoring solutions. By reading Configuring the Catalyst Switched Port Analyzer (SPAN) I learned:

"For the SPAN on the Catalyst 2900XL/3500XL switches... the main restriction is that all the ports related to a given session (whether source or destination) must belong to the same VLAN... Unlike the Catalysts 2900XL/3500XL, the Catalyst 4000/5000/6000 can monitor ports belonging to several different VLANs."

I also learned "The Catalyst 2950 Switches can have only one SPAN session active at a time and can monitor only source ports, it cannot monitor VLANs. The Catalyst 3550 Switches can support up to two SPAN sessions at a time and can monitor source ports as well as VLANs... Unlike the 2900XL and 3500XL family Switches, the Catalyst 2950 and 3550 family Switches are able to SPAN source port traffic in receive direction only (Rx span or ingress span) or in transmit direction only (Tx span or egress span) or both." (The spelling errors in the original belong to Cisco.)

When running CatOS, according to a chart in the document, the Catalyst switches have these limitations for monitoring local ports:

  • Catalyst 4000 supports 5 Rx or Both SPAN sessions

  • Catalyst 5000 supports 1 Rx or Both SPAN session

  • Catalyst 6000 supports 2 Rx or Both SPAN sessions

When running Cisco IOS, the Catalyst 2950/3550, 4000, and 6000 each support 2 Rx or Both SPAN sessions for monitoring local ports.

Here's another note with some grammar issues: "Catalyst 2950 switches using software release 12.1(9)EA1d and earlier versions in the 12.1 train supported SPAN with the caveat that all packets seen on the SPAN destination port (connected to the sniffing device/PC) had an 802.1Q tag on them, even though the SPAN source port (monitored port) may not be an 802.1Q trunk port. If the sniffing device or PC NIC does not understand 802.1Q tagged packets, they may drop the packets or have difficulty decoding them. The ability to see the 802.1Q tagged frames is important only when the SPAN source port is a trunk port. Starting from 12.1(11)EA1, you can enable/disable tagging of the packets at the SPAN destination port. Issue the monitor session session_number destination interface interface-id encapsulation dot1q command to enable encapsulation of the packets at the destination port. If the encapsulation keyword is not specified, the packets are sent untagged, which is the default starting from 12.1(11)EA1."

This means your sniffer must be able to decode 802.1Q VLAN tags if you are running one of those older Cisco IOS releases on a 2950, or if you deliberately keep the encapsulation dot1q keyword so the sniffer can see which VLAN each frame came from. Since v1.8, Snort has supported decoding 802.1Q VLAN tags. The TCPdump man page mentions VLAN tagging as well (the vlan filter keyword).
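To make the tagging caveat concrete, here is an added example (mine, not from the original post or from Cisco) that parses the bytes a sniffer would read off a SPAN destination port. A tag-unaware decoder reads the 0x8100 tag protocol identifier as the EtherType and then misinterprets the tag control information as the start of the payload; a tag-aware decoder peels the 4-byte tag, recovers the VLAN ID and priority, and then reads the real EtherType. The MAC addresses, VLAN number and IPv4 payload stub are constructed sample data, and the example goes slightly beyond the text by also handling stacked (802.1ad, 0x88A8) tags.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # IEEE 802.1Q C-tag TPID
ETHERTYPE_8021AD = 0x88A8  # IEEE 802.1ad S-tag TPID (QinQ outer tag)
ETHERTYPE_IPV4 = 0x0800

# Constructed sample data: not captured from a real switch.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = bytes.fromhex("45000014") + b"\x00" * 16  # stub IPv4 header bytes


def build_frame(vlans=(), pcp=0, ethertype=ETHERTYPE_IPV4, payload=PAYLOAD):
    """Build an Ethernet II frame, inserting one 802.1Q tag per VLAN in `vlans`.

    With two or more VLANs the outer tag uses the 802.1ad TPID, as a QinQ
    switch would emit it; a single tag uses the plain 802.1Q TPID.
    """
    frame = DST + SRC
    for i, vlan in enumerate(vlans):
        tpid = ETHERTYPE_8021AD if (len(vlans) > 1 and i == 0) else ETHERTYPE_8021Q
        tci = (pcp << 13) | (vlan & 0x0FFF)          # PCP(3) | DEI(1)=0 | VID(12)
        frame += struct.pack("!HH", tpid, tci)
    return frame + struct.pack("!H", ethertype) + payload


def naive_ethertype(frame):
    """What a tag-unaware sniffer sees as the EtherType: bytes 12-13 only."""
    return struct.unpack("!H", frame[12:14])[0]


def parse_frame(frame):
    """Parse an Ethernet II header, peeling off any number of stacked VLAN tags.

    Returns dst, src, vlans (outer to inner; empty if untagged), pcp of the
    outermost tag, the payload EtherType, and the payload bytes.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    vlans, pcp = [], None
    while ethertype in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        if pcp is None:
            pcp = tci >> 13
        vlans.append(tci & 0x0FFF)
        offset += 4
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vlans": vlans,
        "pcp": pcp,
        "ethertype": ethertype,
        "payload": frame[offset:],
    }


TAGGED_FRAME = build_frame(vlans=(10,), pcp=3)     # as an old 2950 SPAN port emits it
UNTAGGED_FRAME = build_frame()                     # 12.1(11)EA1+ default
QINQ_FRAME = build_frame(vlans=(200, 10))          # provider S-tag over customer C-tag


if __name__ == "__main__":
    for name, frame in (("tagged", TAGGED_FRAME), ("untagged", UNTAGGED_FRAME),
                        ("qinq", QINQ_FRAME)):
        p = parse_frame(frame)
        print(f"{name:8s} naive EtherType=0x{naive_ethertype(frame):04x} "
              f"vlans={p['vlans']} real EtherType=0x{p['ethertype']:04x}")
```

Run it and the "tagged" line shows the difference the Cisco note is warning about: the naive decoder reports EtherType 0x8100 and would hand the IPv4 decoder four bytes of tag, while the tag-aware parser reports VLAN 10 and EtherType 0x0800 with the payload at the correct offset.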

The FAQ at the document's end is useful:

Can I Have Several SPAN Sessions Running at the Same Time?


  • On the Catalyst 2900XL/3500XL family, the number of destination ports available on the switch is the only limit to the number of SPAN sessions.

  • On the Catalyst 2950 family, you can have only one assigned monitor port at any given time. If you select another port as the monitor port, the previous monitor port is disabled, and the newly selected port becomes the monitor port. (Me: This seems to conflict with guidance above on having two SPAN ports?)

  • On the Catalyst 4000/5000/6000, since CatOS 5.1, you can have several concurrent SPAN sessions:



The product-specific literature is more detailed. The Catalyst 3550 Multilayer Switch Software Configuration Guide, 12.1(13)EA1 includes Configuring SPAN and RSPAN, and the Catalyst 2950 and 2955 Switches, Rel. 12.1(13)EA1 also includes Configuring SPAN and RSPAN. The bottom line appears to be that SPANning multiple VLANs is not a problem, but there are limits on what the SPAN destination can tell you about which VLAN a packet came from or was sent to.

I learned of a new term -- port snooping. This applies to layer 3 switches like the Cisco 8500 series.

The Cisco Catalyst 3550 24-port 10/100 switch with two gigabit interface converter (GBIC) ports sells for about $2100. The Cisco Catalyst 2950G-24 24-port switch with 2 GBIC ports sells at CDW for about $1800. A cheaper 2950 sells for a little under $1000, but I don't immediately recognize the differences.
