Can a span/mirror port be configured to transmit and receive data?

Websense documentation mentions that only one port needs to be used on their appliance if the premise switch supports bidirectional spanning. That way monitoring and blocking can both be done on the same interface.

Are there switches that allow a port to be the destination port of a span/mirror and still send/xmit data?

I don't think Cisco will but I have found conflicting statements on the web:

http://www.nettechonline.net/index.php?option=com_content&view=article&id=99:port-monitoring-cisco-3750&catid=60:ccna

"The Catalyst 2950 and 3550 Switches can forward traffic on a destination SPAN port in Cisco IOS Software Release 12.1(13)EA1 and later."


http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/swspan.html#wp1036816

"When you configure a switch port as a SPAN destination port, it is no longer a normal switch port; only monitored traffic passes through the SPAN destination port. "

If Cisco does not support this feature are there any other brands that do?
Asked by Dragon0x40

3 Solutions

Rich Rumble (Security Samurai) commented:
Depends on the switch, but by default you need "inpkts enable" to enable the span port to send/receive as a normal port. But this only works if you have an IP set on the device that is listening to the span port.
-rich
Dragon0x40 (Author) commented:
Thanks Rich. After searching for "inpkts enable" it seems that is the correct command to enable inbound packets with the legacy CatOS, but the newer Cisco IOS uses the "ingress vlan x" command. The Websense appliance would be connected to the destination port to examine all traffic, would need an IP address configured, and would also be used to send TCP resets into the destination SPAN port.

SPAN with INGRESS associated with the destination command. (e.g., monitor session 1 dst int fa0/24 ingress Vlan 146)

When Cisco docs say this: "If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2." I say, what is the reason for allowing this? I read a small blurb about letting a security device send a TCP Reset to a received/sensed attack.


https://learningnetwork.cisco.com/thread/23332

maybe "ingress vlan X" is the command that I am looking for?

Switch(config)# monitor session 1 destination interface fastethernet 5/48 encapsulation dot1q ingress vlan 7

With this configuration, traffic from SPAN sources associated with session 1 would be copied out of interface Fast Ethernet 5/48, with 802.1q encapsulation. Incoming traffic would be accepted and switched, with untagged packets being classified into VLAN 7.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/25ew/configuration/guide/span.html#wp1036989
Rich Rumble (Security Samurai) commented:
Yes, that is correct; I was not sure what equipment you had.

monitor session 1 source vlan 7 rx
monitor session 1 destination int fa5/48 ingress vlan 7

I don't recall (and I don't have it configured) using encapsulation; I use several different vendors and equipment that send RST packets (WAF/IPS).
-rich
Aaron Street (Infrastructure Manager) commented:
Yes, while you can't have standard communication over a SPAN port, you can allow the monitoring station to send data into the network (ingress).

As you have mentioned, the reason for this is so the monitoring station can react to the data it is monitoring.

For example, if you have something like a Websense device inspecting the traffic on the SPAN port, looking at the HTTP/HTTPS traffic for web pages such as porn or gambling, when it sees one it needs a way to block the traffic.

As it is not inline it can't directly block the traffic, so what it does is send a TCP reset packet to both ends of the connection. What this does is cause both end stations to close the open connection, so it breaks the link. It is basically a denial of service attack against the end stations, but in this case a controlled one.

So in short, you can send into the network from a monitored port (if configured), but you can't set up a session between the monitoring station and other devices. For management of the monitoring station you need a second connection into the network over a standard network port.
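The following Cisco IOS configuration is an added example illustrating the two-port design described in the answers above (the "inpkts enable" / "ingress vlan" point in Rich's first answer and the separate management connection in Aaron's answer); it is not configuration from the thread, from Cisco's documentation, or from Websense. Interface numbers, VLAN 146, and the 192.0.2.0/24 management addressing are assumed placeholders; the CatOS line at the end is given for comparison with the legacy syntax mentioned in the thread.

```cisco
! --- Added example: out-of-band monitoring appliance on a Catalyst switch ---
! Assumptions (placeholders, not from the thread):
!   Fa0/1-Fa0/23 = user ports in VLAN 146 (the monitored traffic)
!   Fa0/24       = SPAN destination, cabled to the appliance's MONITOR NIC
!   Fa0/48       = ordinary access port, cabled to the appliance's MGMT NIC
!
! 1) Mirror the user VLAN to the appliance. Without "ingress", Fa0/24 only
!    transmits copies; anything the appliance sends back is dropped.
monitor session 1 source vlan 146 both
!
! 2) Add "ingress vlan 146" so frames the appliance injects (e.g. the TCP
!    resets described above) are accepted and switched at Layer 2 into
!    VLAN 146. Untagged injected frames are classified into that VLAN.
!    This does NOT make Fa0/24 a normal port: no STP, no learning for
!    return traffic, so the appliance still cannot hold a session over it.
monitor session 1 destination interface FastEthernet0/24 ingress vlan 146
!
! 3) Management must use a separate, normal access port, because the SPAN
!    destination will never deliver unicast replies back to the appliance.
interface FastEthernet0/48
 description Appliance MGMT NIC (IP 192.0.2.10/24, placeholder)
 switchport mode access
 switchport access vlan 200
 spanning-tree portfast
!
! Verification: look for "Ingress : Enabled, default VLAN = 146" and
! confirm Fa0/24 is listed as the destination and not as an access port.
! show monitor session 1
! show interfaces FastEthernet0/24 switchport
!
! --- Legacy CatOS equivalent of the same idea (module/port syntax) ---
! set span 146 6/24 both inpkts enable
```

The operational caveat a defender should keep in mind: with ingress enabled, the SPAN destination port will accept any frame the attached device sends, so the appliance's monitor NIC should carry no IP address it does not need and the port should be treated as a trusted, physically controlled uplink rather than a user port. Verify after the change with `show monitor session 1`; if the appliance is not receiving copies, confirm that the session source and destination are in the same switch and that no second session already claims the same destination port.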