Packet Tracer file (PT Version 7.1): https://goo.gl/aaFD6n
For lots more content, visit http://www.davidbombal.com – learn about GNS3, CCNA, Packet Tracer, Python, Ansible and much, much more.
Local SPAN: The SPAN feature is local when the monitored ports are all located on the same switch as the destination port. This feature is in contrast to Remote SPAN (RSPAN), which this list also defines.
Remote SPAN (RSPAN): Some source ports are not located on the same switch as the destination port. RSPAN is an advanced feature that requires a special VLAN to carry the traffic that is monitored by SPAN between switches. RSPAN is not supported on all switches. Check the respective release notes or configuration guide to see if you can use RSPAN on the switch that you deploy.
Port-based SPAN (PSPAN): The user specifies one or several source ports on the switch and one destination port.
VLAN-based SPAN (VSPAN): On a particular switch, the user can choose to monitor all the ports that belong to a particular VLAN in a single command.
Local SPAN Overview
A local SPAN session is an association of source ports and source VLANs with one or more destinations. You configure a local SPAN session on a single switch. Local SPAN does not have separate source and destination sessions.
Local SPAN sessions do not copy locally sourced RSPAN VLAN traffic from source trunk ports that carry RSPAN VLANs. Local SPAN sessions do not copy locally sourced RSPAN GRE-encapsulated traffic from source ports.
Each local SPAN session can have either ports or VLANs as sources, but not both.
You can analyze network traffic passing through ports or VLANs by using SPAN or RSPAN to send a copy of the traffic to another port on the switch or on another switch that has been connected to a network analyzer or other monitoring or security device. SPAN copies (or mirrors) traffic received or sent (or both) on source ports or source VLANs to a destination port for analysis. SPAN does not affect the switching of network traffic on the source ports or VLANs. You must dedicate the destination port for SPAN use. Except for traffic that is required for the SPAN or RSPAN session, destination ports do not receive or forward traffic.
Only traffic that enters or leaves source ports or traffic that enters or leaves source VLANs can be monitored by using SPAN; traffic routed to a source VLAN cannot be monitored. For example, if incoming traffic is being monitored, traffic that gets routed from another VLAN to the source VLAN cannot be monitored; however, traffic that is received on the source VLAN and routed to another VLAN can be monitored.
You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device can send TCP reset packets to close down the TCP session of a suspected attacker.
Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and destination ports are in the same switch or switch stack. Local SPAN copies traffic from one or more source ports in any VLAN or from one or more VLANs to a destination port for analysis.
Transcription:
Now on switch 2, we need to configure SPAN so that traffic sent by PC 5, PC 8 & PC 7 is copied to PC 6.
On switch 2, show vlan brief shows us that port F0/2 is configured in VLAN 2; other ports are configured in VLAN 1.
So if PC 5 sends a broadcast, those packets will be flooded to PC 8 and PC 7 but not to PC 6.
So those packets are not seen by PC 6 at all. Anything sent from PC 5 to the other PCs is only seen by those PCs because they are in a separate VLAN.
So let’s change that.
On the switch monitor, pick a number for the session. I’ll pick 2. The source interface would typically be a VLAN, but Packet Tracer doesn’t support that command.
So I’m going to say interface F0/1, F0/3 or FastEthernet 0/3, FastEthernet 0/4
do show run | include monitor
That single command has resulted in this configuration.
Monitor session needs to be the same number to destination interface. It’s going to be FastEthernet 0/2.
So again, show monitor
That’s our configuration: traffic received both inbound and sent outbound on those ports will be copied to FastEthernet 0/2.
So let’s test that again.
Go to simulation mode; go on to PC 5, send the broadcast. Traffic hits the switch and notice it is copied to PC 6. This is a broadcast from 10.1.1.5 to a broadcast address. Even though PC 6 is in a different VLAN and a different subnet (notice it’s in subnet 10.1.2.0, whereas these PCs are in subnet 10.1.1.0), PC 6 receives the traffic.
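
Added example (not part of the video or the lab file): a small Python audit of `show run | include monitor` output that lists which ports each local SPAN session copies to which destination and flags sessions that break the rules stated above (ports or VLANs as sources but not both, a dedicated destination port). The sample lines are constructed, and the one-interface-per-line format and the names `parse_sessions` and `audit` are assumptions.

```python
import re
from collections import defaultdict

# Constructed `show run | include monitor` output, one interface per line (assumed format).
SAMPLE = """\
monitor session 2 source interface FastEthernet0/1
monitor session 2 source interface FastEthernet0/3
monitor session 2 source interface FastEthernet0/4
monitor session 2 destination interface FastEthernet0/2
monitor session 3 source interface FastEthernet0/5
monitor session 3 source vlan 10
monitor session 4 source interface FastEthernet0/6
"""

# Local SPAN lines only; an optional rx/tx/both direction keyword may follow a source.
LINE = re.compile(r"^monitor session (\d+) (source|destination) (interface|vlan) "
                  r"(.+?)(?:\s+(?:rx|tx|both))?$")

def parse_sessions(text):
    """Group monitor lines by session number into source ports, source VLANs, destinations."""
    sessions = defaultdict(lambda: {"src_ports": set(), "src_vlans": set(), "dst_ports": set()})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a local SPAN line
        num, role, kind, items = m.groups()
        names = {i.strip() for i in items.split(",") if i.strip()}
        if role == "destination":
            key = "dst_ports"
        else:
            key = "src_ports" if kind == "interface" else "src_vlans"
        sessions[int(num)][key] |= names
    return dict(sessions)

def audit(text):
    """Return (session, finding) pairs for sessions that break the rules stated above."""
    findings = []
    for num, s in sorted(parse_sessions(text).items()):
        if s["src_ports"] and s["src_vlans"]:
            findings.append((num, "mixes port and VLAN sources"))
        if not s["dst_ports"]:
            findings.append((num, "no destination port"))
        if s["src_ports"] & s["dst_ports"]:
            findings.append((num, "destination port is also a source"))
    return findings

if __name__ == "__main__":
    for num, s in sorted(parse_sessions(SAMPLE).items()):
        print(num, sorted(s["src_ports"] | s["src_vlans"]), "->", sorted(s["dst_ports"]))
    print(audit(SAMPLE))
```

Because the destination port receives a copy of everything the sources send and receive, the per-session listing is also a quick way to confirm that only the intended analyzer is attached to each destination.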
