Yet another trick for spanning ports and capturing traffic on Cisco switches

I recently came across another way to span traffic to ports on Cisco switches. This one was new to me, since I usually just use VACL Capture for traffic spanning. I found it while reading the latest release notes for Cisco IPS version 6.2(1)E3, which was just released. This IPS version includes tons of IPv6 features and signature engines. What I didn’t know was that my favorite capture method, VACL Capture, does not currently support IPv6 traffic. Capturing IPv6 traffic forces you to use up some of those precious few SPAN sessions.

In the IPS release notes they document a way to spread out your SPAN sessions among even more ports than normal. It works like this: The following configuration uses one SPAN session to send all of the traffic on any of the specified VLANs to all of the specified ports. Each port configuration only allows a particular VLAN or VLANs to pass. Thus you can send data from different VLANs to different sensors or virtual sensors, all with one SPAN configuration line:


!First clear all trunk vlans from your span destinations.
clear trunk 4/1-4 1-4094
!Next configure each span destination port with one or more of the trunk vlans that you want sent there for analysis. VLANs not configured will not be sent to that port.
set trunk 4/1 on dot1q 930
set trunk 4/2 on dot1q 932
set trunk 4/3 on dot1q 960
set trunk 4/4 on dot1q 962
!Finish by setting up your span source. It will send to multiple ports and capture multiple vlans
set span 930, 932, 960, 962 4/1-4 both
Anyone have any experience using this type of spanning? Have any other spanning tips to share?
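
An added example (not from the original post or from Cisco): a small Python model of the configuration above that parses the CatOS lines and computes which VLANs each SPAN destination port actually forwards, plus any SPAN source VLAN that no destination port is allowed to carry, which would be a monitoring blind spot. It assumes a trunk port starts with every VLAN allowed, that `set trunk` adds to and `clear trunk` removes from the allowed list, and the function names are hypothetical.

```python
import re

ALL_VLANS = set(range(1, 4095))  # assumption: a trunk allows every VLAN until cleared
PAGE_CONFIG = """\
clear trunk 4/1-4 1-4094
set trunk 4/1 on dot1q 930
set trunk 4/2 on dot1q 932
set trunk 4/3 on dot1q 960
set trunk 4/4 on dot1q 962
set span 930, 932, 960, 962 4/1-4 both
"""

def vlans(spec):
    """Expand '930, 932' or '1-4094' into a set of VLAN ids."""
    out = set()
    for part in filter(None, re.split(r"[,\s]+", spec)):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def ports(spec):
    """Expand '4/1-4' into ['4/1', '4/2', '4/3', '4/4']."""
    mod, _, rng = spec.partition("/")
    lo, _, hi = rng.partition("-")
    return [f"{mod}/{p}" for p in range(int(lo), int(hi or lo) + 1)]

def span_delivery(config):
    """Return (VLANs forwarded per destination port, source VLANs no port carries)."""
    allowed, src, dests = {}, set(), []
    for line in map(str.strip, config.splitlines()):
        if not line or line.startswith("!"):
            continue  # skip blanks and comments
        if m := re.match(r"clear trunk (\S+) (\S+)$", line):
            for p in ports(m[1]):
                allowed[p] = allowed.get(p, set(ALL_VLANS)) - vlans(m[2])
        elif m := re.match(r"set trunk (\S+) on dot1q (\S+)$", line):
            for p in ports(m[1]):
                allowed.setdefault(p, set(ALL_VLANS)).update(vlans(m[2]))
        elif m := re.match(r"set span ([\d,\s-]+?)\s+(\d+/\S+) (?:rx|tx|both)$", line):
            src, dests = vlans(m[1]), ports(m[2])
    # A port only forwards SPAN traffic for VLANs its trunk still allows.
    delivered = {p: sorted(src & allowed.get(p, ALL_VLANS)) for p in dests}
    unseen = sorted(src - {v for vs in delivered.values() for v in vs})
    return delivered, unseen

if __name__ == "__main__":
    delivered, unseen = span_delivery(PAGE_CONFIG)
    for port, ids in delivered.items():
        print(port, "->", ids)
    print("source VLANs reaching no sensor:", unseen)
```

Dropping one of the `set trunk` lines from the input shows the failure mode: that VLAN stays in the SPAN source but is reported as reaching no sensor.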

The opinions and information presented here are my personal views and not those of my employer.

More from Jamey Heary:
Credit Card Skimming: How thieves can steal your card info without you knowing it
Cisco enters the crowded AV and DLP client market
Cisco's new ASA code allows you to securely take your Cisco IP Phone with you anywhere
Cisco targets Symantec, McAfee with its new antivirus client
Google's Chrome raises security concerns and tastes like chicken feet
Go to Jamey’s Blog for more articles on security.


Copyright © 2008 IDG Communications, Inc.
