Switch Port Mirroring

 

The advent of switched networks meant that a Network IDS could no longer see the traffic of its neighbours simply by putting its interface into promiscuous mode. This is overcome by configuring the switch to replicate the traffic from a set of ports or VLANs onto a single port. The function goes by many names, including Port Mirroring, Monitoring Port, Spanning Port, SPAN port and Link Mode port.

 

Port Mirroring generally indicates the ability to copy the traffic from a single port to a mirror port but disallows any type of bidirectional traffic on the port.

Spanning Port usually indicates the ability to copy traffic from all the ports to a single port but also typically disallows bidirectional traffic on the port.

In the case of Cisco, SPAN stands for Switch Port ANalyzer. Some switches do not allow SPAN ports to transmit packets; this is an issue if you wish to use IDS TCP countermeasures such as resets.

 

It may also be worth looking at Network Taps which allow you to tap into a network, taking a parallel feed for the Network IDS.

 

Links to Products

Extreme Newer
Extreme Older v4.1
Cisco SPAN Info
Cisco 2900 3500XL
Cisco 2950 3550 3750
Cisco 2950
Cisco 3500 XL
Cisco 5000
Cisco 4000 6000 Cat
Cisco 4000 6000 IOS
Foundry
Juniper M or T

 

 

Extreme Switches Newer

Submitted By Kevin Farnes
Information Updated: 16 Aug 2004

 

{enable | disable} mirroring on port <Port No>
configure mirroring { add | delete } { vlan <VLAN> | port <Port No> }

The first line basically turns on or off the mirroring and sets what port the mirrored output should be sent to. The second line specifies what is to be mirrored, and can be repeated any number of times. There are some limitations on capability, however, such as if you are mirroring a port then it must be on the same blade as the port being mirrored to.

 

Extreme Switches Older eg 48 ExtremeWare Version 4.1

Submitted By Joel Snyder
Information Updated: 16 Aug 2004

 

In the older Summit Extremes (like the 48, not the 48i), you are blocked at v4 of their software.

enable mirror to port <port-no>                          (both enables mirroring, and says where to send it. Notice that you cannot provide a list of ports, unfortunately)
disable mirror                                           (disables mirroring)
config mirror add port <portno>                          (adds port <portno>, all VLANs that this port participates in)
config mirror add port <portno> vlan <vlan name or #>    (adds port <portno>, but only VLAN <vlan> traffic will be mirrored)
config mirror add vlan <vlan name or #>                  (adds all ports that have this VLAN)
You can add more than one port by repeating the above lines.
config mirror del port <portno>
config mirror del vlan <vlan>                            (does the obvious thing)
show mirror                                              (shows status of mirroring, including whether the port is up or not (!))

One thing to be careful of in the Extreme is that with mirroring (at least in this version of the O/S), you get both IN and OUT mirroring, which means that if you pick a VLAN as the mirror object, you may see the same frame a couple of times if it goes in one port on the VLAN and out a different one.
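A defender-side consequence of that IN and OUT mirroring, as an added example that is not part of the original submission: the sensor feed can suppress the second copy of a frame before the IDS counts it twice. The Python below drops byte-identical frames seen again within a short window; the frames and timestamps are constructed sample data.

```python
"""Drop duplicate copies of a mirrored frame before it reaches the IDS.

Added example, not from the page. Frames are matched by a digest of their
bytes within a short window; the sample frames below are constructed.
"""
import hashlib
from collections import OrderedDict

class FrameDedup:
    """Suppress byte-identical frames seen again within `window` seconds
    (timestamps are assumed non-decreasing, as from a single capture)."""

    def __init__(self, window=0.01, max_entries=4096):
        self.window = window
        self.max_entries = max_entries
        self.seen = OrderedDict()   # digest -> first-seen timestamp, in arrival order
        self.dropped = 0

    def accept(self, ts, frame):
        """Return True if `frame` is new within the window, else drop it."""
        digest = hashlib.sha256(frame).digest()
        # Expire entries older than the window from the front of the queue.
        while self.seen and ts - next(iter(self.seen.values())) > self.window:
            self.seen.popitem(last=False)
        if digest in self.seen:     # still inside the window: a mirror duplicate
            self.dropped += 1
            return False
        self.seen[digest] = ts
        if len(self.seen) > self.max_entries:   # bound memory under heavy load
            self.seen.popitem(last=False)
        return True

def filter_frames(frames, window=0.01):
    """Run (timestamp, frame_bytes) pairs through the filter; return (kept, dropped)."""
    dedup = FrameDedup(window)
    kept = [(ts, f) for ts, f in frames if dedup.accept(ts, f)]
    return kept, dedup.dropped

# Constructed sample: Ethernet header (dst, src, type) plus a short payload.
FRAME_A = bytes.fromhex("001122334455 66778899aabb 0800") + b"GET / HTTP/1.0"
FRAME_B = bytes.fromhex("66778899aabb 001122334455 0800") + b"HTTP/1.0 200 OK"
SAMPLE = [
    (0.0000, FRAME_A),   # seen on the ingress port
    (0.0001, FRAME_A),   # same frame, egress copy: duplicate
    (0.0003, FRAME_B),
    (0.0004, FRAME_B),   # duplicate
    (1.5000, FRAME_A),   # identical bytes well outside the window: kept
]
```

A retransmission that repeats identical bytes inside the window is indistinguishable from a mirror duplicate, so keep the window at a few milliseconds; if one copy carries an 802.1q tag and the other does not, hash the bytes above the tag instead.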

 

Cisco Catalyst SPAN Support

Submitted By Mark McDonagh
Information Updated: 16 Aug 2004

 

Switch              SPAN Sessions            TCP Countermeasures
------------------  -----------------------  -------------------
2900/3500XL         No Limit                 No
2950                1                        Yes
3550                2                        Yes
3750                2                        Yes
4000 w CatOS        5                        Yes
4500 w Native IOS   6 (both considered 2)    No
6000 w CatOS        2 Rx or Both, 4 Tx       Yes
6000 w Native IOS   2                        No

 

Cisco Catalyst 2900/3500XL

Submitted By Mark McDonagh
Information Updated: 17 Aug 2004

 

c3550(config)#monitor session 1 source ?
  interface  SPAN source interface
  remote     SPAN source Remote
  vlan       SPAN source VLAN
c3550(config)#monitor session 1 source interface fa0/1 - 3 rx
c3550(config)#monitor session 1 destination interface fa0/24
Only an Rx SPAN session can have multiple source ports. Note the spaces in the syntax when specifying multiple interfaces; the separator can be "-" or ",".
With source VLANs:
c3550(config)#monitor session 1 source vlan 1 - 10 rx
c3550(config)#monitor session 1 destination interface fa0/24
TCP Resets:
c3550(config)#monitor session 1 source vlan 1 - 10 rx
c3550(config)#monitor session 1 destination interface fa0/24 ingress vlan 1
The Catalyst 2950/3550 will allow you to configure a single VLAN to receive untagged TCP Reset packets. TCP Reset support is configured through the "ingress vlan" keywords. Only one VLAN is permitted. In this example, non-802.1q-tagged TCP Resets to servers or attackers existing on or through VLAN 1 would be allowed, but not if the attack or target was on VLAN 2-10. If the RST is a response to an attack detected by IDS 4.x where the 802.1q tag has been maintained, the RST will be sent on the appropriate VLAN.
If you are monitoring a VLAN trunk port, you may wish to filter one or more of the VLANs on that trunk. This example only monitors VLANs 5 and 100-200 on the trunk:
c3550(config)#monitor session 1 source interface gigabit0/1
c3550(config)#monitor session 1 filter vlan 5 , 100 - 200
c3550(config)#monitor session 1 destination interface fa0/24
If the monitor session destination port is a trunk, you should also use the keyword 'encapsulation dot1q'. If you do not, packets will be sent on the interface in native format.
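As an added example (not code from the page or from Cisco), here is a small Python generator that renders these 'monitor session' lines for an IDS sensor port and refuses specs that break the rules quoted in this section and in the Catalyst SPAN table above: per-platform session limits, multiple source ports only in an Rx session, a single 'ingress vlan', and 'encapsulation dot1q' on a trunk destination. The function names, the spec dictionary format and the simplified 6000 CatOS limit are assumptions of this example.

```python
"""Render Catalyst IOS 'monitor session' lines for an IDS sensor port.

Added example, not from the page. It applies the session limits from the
Catalyst table above and the 3550 rules quoted in this section; function
names and the spec dictionaries are this example's own.
"""
# Maximum SPAN sessions per platform, as listed on the page (None = no limit).
SESSION_LIMIT = {
    "2900/3500XL": None, "2950": 1, "3550": 2, "3750": 2, "4000 CatOS": 5,
    "4500 IOS": 6, "6000 IOS": 2,
    "6000 CatOS": 2,   # 2 Rx/Both; the table's separate 4 Tx-only case is not modelled
}

def build_session(num, sources, dest, kind="interface", direction="rx",
                  filter_vlans=None, dest_is_trunk=False, ingress_vlan=None):
    """Return the IOS lines for one session; raise ValueError on a bad spec."""
    multi = any(sep in sources for sep in ",-")   # "fa0/1 - 3" or "fa0/1 , fa0/5"
    if kind == "interface" and multi and direction != "rx":
        raise ValueError("only an Rx SPAN session can have multiple source ports")
    if filter_vlans and kind != "interface":
        raise ValueError("'filter vlan' applies to a trunk source interface")
    lines = [f"monitor session {num} source {kind} {sources} {direction}"]
    if filter_vlans:
        lines.append(f"monitor session {num} filter vlan {filter_vlans}")
    dest_line = f"monitor session {num} destination interface {dest}"
    if dest_is_trunk:
        dest_line += " encapsulation dot1q"   # otherwise frames leave untagged
    if ingress_vlan is not None:              # a single VLAN for untagged RSTs
        dest_line += f" ingress vlan {int(ingress_vlan)}"
    lines.append(dest_line)
    return lines

def build_config(model, sessions):
    """Render every session for `model`, refusing more than it supports."""
    limit = SESSION_LIMIT[model]
    if limit is not None and len(sessions) > limit:
        raise ValueError(f"{model} supports at most {limit} SPAN session(s)")
    lines = []
    for num, spec in enumerate(sessions, start=1):
        lines.extend(build_session(num, **spec))
    return lines

if __name__ == "__main__":
    # Mirror VLANs 1-10 into an IDS on fa0/24 that may send RSTs on VLAN 1.
    print("\n".join(build_config("3550", [
        {"sources": "1 - 10", "dest": "fa0/24", "kind": "vlan", "ingress_vlan": 1},
    ])))
```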

 

Cisco Catalyst 2950 3550 3750

Submitted By Mark McDonagh
Information Updated: 17 Aug 2004

 

int fa0/24
port monitor fa0/1
port monitor fa0/2
port monitor fa0/3
^Z
show port monitor
Monitor Port          Port Being Monitored
--------------------  --------------------
FastEthernet0/24      FastEthernet0/1
FastEthernet0/24      FastEthernet0/2
FastEthernet0/24      FastEthernet0/3
Monitored ports must be on the same VLAN.
Cannot modify monitored ports.
"port monitor vlan" is only valid for VLAN 1, and will only monitor management traffic destined to the IP address configured as VLAN 1 on the switch. "port monitor", by itself, will configure the port to monitor all ports on the switch that belong to the VLAN that port is assigned to.

 

Cisco Catalyst 4000 6000  with CatOS Switches

Submitted By Mark McDonagh
Information Updated: 16 Aug 2004

 

On Cat6k:
set span {src_mod/src_ports | src_vlans | sc0} {dest_mod/dest_port} [rx | tx | both] [inpkts {enable | disable}] [learning {enable | disable}] [multicast {enable | disable}] [filter vlans...] [create]

On Cat4k:
set span {src_mod/src_ports | src_vlan} dest_mod/dest_port [rx | tx | both] [filter vlan] [inpkts {enable | disable}] [learning {enable | disable}] [create]
Use the 'create' keyword with different destination ports to create multiple SPAN sessions.
If the 'create' keyword is not used, and a SPAN session exists with the same destination port, the existing session will be replaced. If the destination port is different, then a new session will be created.
With source 2/1 and destination 3/5:
c6500 (enable) set span 2/1 3/5

 

Cisco Catalyst 4000 6000  with IOS Switches

Submitted By Mark McDonagh
Information Updated: 16 Aug 2004

 

Syntax for Cat4k:
Cat4k(config)# [no] monitor session {session_number} {source {interface type/num} | {vlan vlan_ID}} [, | - | rx | tx | both]
Cat4k(config)# [no] monitor session {session_number} {destination {interface type/num} }

Syntax for Cat6k:
Cat6k(config)# monitor session session_number source {{{single_interface | interface_list | interface_range | mixed_interface_list | single_vlan | vlan_list | vlan_range | mixed_vlan_list} [rx | tx | both]} | {remote vlan rspan_vlan_ID}}
Cat6k(config)# monitor session session_number destination {{single_interface | interface_list | interface_range | mixed_interface_list} | {remote vlan rspan_vlan_ID}}

 

Cisco Catalyst 2950 Switches

Submitted By Kevin Farnes
Information Updated: 16 Aug 2004

 

( From Configuration Mode )
monitor session 1 source interface Interface
monitor session 1 destination interface Interface

The first line determines which ports are being monitored in the session and can be repeated. The second line determines where the monitor output is to be sent. On the 2950 only ports can be monitored. With Cisco the monitoring capability and commands can vary significantly with different models of switch.

 

Cisco 3500XL Switches

Submitted By Chris McCulloh
Information Updated: 16 Aug 2004

 

Connect via a command line, then enter enable mode (type 'en'), then execute the following commands, assuming the sniffer is plugged into port 14 on the switch, and all other ports in a 24 port switch are desired except 23:
configure terminal
interface f14
port monitor f1-13, f15-22,f24
end

The box should then see all traffic.

 

Cisco Catalyst 5000 Switches

Submitted By Dave Rodrigue
Information Updated: 16 Aug 2004

 

set span 2-3 5/7 create
where 2-3 are the VLANs I'm monitoring.
Switch ports can be specified as well:
set span 2/3 5/7 create     to monitor port 2/3
From Cisco's docs, in case that makes it clearer:
set span {src_mod/src_ports | src_vlan | sc0} dest_mod/dest_port [rx | tx | both] [inpkts {enable | disable}] [learning {enable | disable}] [multicast {enable | disable}] [create]

 

Foundry Switches

Submitted By Kevin Farnes
Information Updated: 16 Aug 2004

 

( From Configuration Mode )
interface Interface
port monitor Interface { rx | tx | both }

The first line takes you into the interface that the mirror output should be presented on. The second line defines those interfaces you wish to have mirrored and whether just the input, the output or both are copied.

 

Juniper M or T Series

Submitted By Donald Smith
Information Updated: 20 Aug 2004

 

Port Mirroring
1. Define the destination where copies of sampled packets will be sent:
[edit]
user@router# show forwarding-options
port-mirroring {
    input {
        family inet;
        rate <sample-rate>;
        run-length <run-length>;
    }
    output {
        interface <interface-name> {
            next-hop <address>;
        }
        no-filter-check;
    }
}
2. Define a sampling filter to identify "interesting" traffic:
[edit]
user@router# show firewall filter mirror-sample
from { ... }
then {
    sample;
    accept;
}
3. Apply the filter to the incoming interface:
[edit]
user@router# show interface <interface-name> unit 0 family inet
filter {
    input mirror-sample;
}
Notes:
1. Packets that pass the input filter are sampled based on the <sample-rate> and <run-length>. In each batch of <sample-rate> packets, the first <run-length> packets are mirrored.
2. The mirror interface should not participate in any routing. The sampled packets are not in any way encapsulated, so the raw packets are sent out the interface. Hopefully, the device on the far end is a traffic analyzer and not another router!
3. The <address> needs to be specified when the mirror interface is a multi-access media, and is used to fill in the MAC address.
4. Works only for IPv4 packets, and only for transit traffic.
5. You can only set up one mirror interface per router; all "sampled" traffic is mirrored.