5.3.2.3 Lab – Implement Local SPAN (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Topology

Addressing Table
Device | Interface | IP Address | Subnet Mask | Default Gateway |
---|---|---|---|---|
R1 | G0/1 | 192.168.1.1 | 255.255.255.0 | N/A |
S1 | VLAN 1 | 192.168.1.2 | 255.255.255.0 | 192.168.1.1 |
S3 | VLAN 1 | 192.168.1.3 | 255.255.255.0 | 192.168.1.1 |
PC-A | NIC | 192.168.1.254 | 255.255.255.0 | 192.168.1.1 |
PC-C | NIC | 192.168.1.10 | 255.255.255.0 | 192.168.1.1 |
Objectives
- Part 1: Build the Network and Verify Connectivity
- Part 2: Configure Local SPAN and Capture Copied Traffic with Wireshark
Background / Scenario
As the network administrator, you want to analyze traffic entering and exiting the local network. To do this, you will set up port mirroring on the switch port connected to the router and mirror all traffic to another switch port. The goal is to send all mirrored traffic to an intrusion detection system (IDS) for analysis. In this initial implementation, you will send all mirrored traffic to a PC, which will capture the traffic for analysis using a port sniffing program. To set up port mirroring, you will use the Switched Port Analyzer (SPAN) feature on the Cisco switch. SPAN is a type of port mirroring that sends copies of a frame entering a port out another port on the same switch. It is common to find a device running a packet sniffer or Intrusion Detection System (IDS) connected to the mirrored port.
Note: The routers used with CCNA hands-on labs are Cisco 1941 Integrated Services Routers (ISRs) with Cisco IOS Release 15.4(3) (universalk9 image). The switches used are Cisco Catalyst 2960s with Cisco IOS Release 15.0(2) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and output produced might vary from what is shown in the labs. Refer to the Router Interface Summary Table at the end of this lab for the correct interface identifiers.
Note: Make sure that the routers and switches have been erased and have no startup configurations. If you are unsure, contact your instructor.
Instructor Note: Refer to the Instructor Lab Manual for the procedures to initialize and reload devices.
Required Resources
- 1 Router (Cisco 1941 with Cisco IOS Release 15.4(3) universal image or comparable)
- 2 Switches (Cisco 2960 with Cisco IOS Release 15.0(2) lanbasek9 image or comparable)
- 2 PCs (Windows with terminal emulation program, such as Tera Term)
- Console cables to configure the Cisco IOS devices via the console ports
- Ethernet and serial cables as shown in the topology
Part 1: Build the Network and Verify Connectivity
In Part 1, you will set up the network topology and configure basic settings, such as the interface IP addresses, static routing, device access, and passwords.
Step 1: Cable the network as shown in the topology.
Attach the devices as shown in the topology diagram, and cable as necessary.
Step 2: Configure PC hosts.
Step 3: Initialize and reload the routers and switches as necessary.
Step 4: Configure basic settings for the router.
a. Disable DNS lookup.
b. Configure the device name as shown in the topology.
c. Configure an IP address for the router as listed in the Addressing Table.
d. Assign class as the encrypted privileged EXEC mode password.
e. Assign cisco for the console and vty password and enable login.
f. Set the vty lines to transport input telnet.
g. Configure logging synchronous to prevent console messages from interrupting command entry.
h. Copy the running configuration to the startup configuration.
Step 5: Configure basic settings for each switch.
a. Disable DNS lookup.
b. Configure the device name as shown in the topology.
c. Assign class as the encrypted privileged EXEC mode password.
d. Configure IP addresses for the switches as listed in the Addressing Table.
e. Configure the default gateway on each switch.
f. Assign cisco for the console and vty password and enable login.
g. Configure logging synchronous to prevent console messages from interrupting command entry.
h. Copy the running configuration to the startup configuration.
Step 6: Verify connectivity.
a. From PC-A, you should be able to ping the interface on R1, S1, S3, and PC-C. Were all pings successful? __________
Yes
If the pings are not successful, troubleshoot the basic device configurations before continuing.
b. From PC-C, you should be able to ping the interface on R1, S1, S3, and PC-A. Were all pings successful? __________
Yes
If the pings are not successful, troubleshoot the basic device configurations before continuing.
Part 2: Configure Local SPAN and Capture Copied Traffic with Wireshark
To configure Local SPAN, you need to configure one or more source ports, called monitored ports, and a single destination port, also called a monitored port, out of which the copied or mirrored traffic is sent. SPAN source ports can be configured to monitor traffic in the ingress direction, the egress direction, or both directions (default).
The SPAN source port will need to be configured on the port that connects to the router on S1 switch port F0/5. This way all traffic entering or exiting the LAN will be monitored. The SPAN destination port will be configured on S1 switch port F0/6 which is connected to PC-A running Wireshark.
Step 1: Configure SPAN on S1.
a. Console into S1 and configure the source and destination monitor ports on S1. Now all traffic entering or leaving F0/5 will be copied and forwarded out of F0/6.
S1(config)# monitor session 1 source interface f0/5
S1(config)# monitor session 1 destination interface f0/6
Step 2: Start a Wireshark Capture on PC-A.
a. Open Wireshark on PC-A and set the capture interface to Ethernet.

b. Click the Wireshark icon to start the capture.

Step 3: Telnet into R1 and create ICMP traffic on the LAN.
a. Telnet from S1 to R1.
S1# Telnet 192.168.1.1
Trying 192.168.1.1 . . . Open
User Access Verification
Password:
R1>
b. From privileged mode, ping PC-C, S1 and S3.
R1> enable
Password:
R1# ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1# ping 192.168.1.2
<Output omitted>
R1# ping 192.168.1.3
<Output omitted>
Step 4: Stop the Wireshark Capture on PC-A and Filter for ICMP.
a. Return to PC-A and stop the running Wireshark capture on PC-A.

b. Filter the Wireshark capture for ICMP packets.

c. Examine the Wireshark capture filtered for ICMP packets.

d. Were the pings from R1 to PC-C, S1 and S3 successfully copied and forwarded out f0/6 to PC-A? __________
Yes
e. Was the traffic monitored and copied in both directions? __________
Yes
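The checks in Steps 4d and 4e can also be made programmatically on a saved capture. The following Python script is an added example, not part of the original lab: it assumes the Wireshark capture was saved in classic pcap format (not pcapng), and its function names and sample captures are constructed for illustration. It reports, for each host R1 pinged, whether the echo request (received on F0/5, rx) and the echo reply (transmitted out F0/5, tx) were both mirrored.

```python
import socket
import struct

def build_frame(src, dst, icmp_type, seq):
    """Constructed Ethernet/IPv4/ICMP echo frame (checksums left at zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, seq)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 255, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + icmp

def build_pcap(frames):
    """Classic little-endian pcap file, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def mirrored_directions(pcap, router_ip):
    """Map each peer of router_ip to the F0/5 directions seen: rx and/or tx."""
    if len(pcap) < 24 or struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    seen, off = {}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
            continue  # keep only IPv4 packets carrying ICMP
        ihl = (frame[14] & 0x0F) * 4
        if len(frame) <= 14 + ihl:
            continue  # truncated before the ICMP header
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        icmp_type = frame[14 + ihl]
        if src == router_ip and icmp_type == 8:    # echo request entering F0/5
            seen.setdefault(dst, set()).add("rx")
        elif dst == router_ip and icmp_type == 0:  # echo reply leaving F0/5
            seen.setdefault(src, set()).add("tx")
    return seen

def both_directions_seen(pcap, router_ip, peers):
    """True only if every peer shows both the request and the reply."""
    seen = mirrored_directions(pcap, router_ip)
    return all(seen.get(p) == {"rx", "tx"} for p in peers)

# Constructed sample captures using the lab's addresses.
R1, PEERS = "192.168.1.1", ["192.168.1.10", "192.168.1.2", "192.168.1.3"]
BOTH = build_pcap([f for p in PEERS
                   for f in (build_frame(R1, p, 8, 1), build_frame(p, R1, 0, 1))])
RX_ONLY = build_pcap([build_frame(R1, p, 8, 1) for p in PEERS])
print(both_directions_seen(BOTH, R1, PEERS), both_directions_seen(RX_ONLY, R1, PEERS))
```

A capture that contains only the requests, as the second sample does, indicates that the SPAN source is being mirrored in one direction only.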
Reflection
In this scenario, instead of using PC-A and a packet sniffer, would an IDS or an IPS be more appropriate? __________
This scenario is designed for an IDS since copying traffic to a mirrored port is useful for analysis and detection but not prevention since undesirable traffic is allowed to reach its intended destination.
Router Interface Summary Table
Router Model | Ethernet Interface #1 | Ethernet Interface #2 | Serial Interface #1 | Serial Interface #2 |
---|---|---|---|---|
1800 | Fast Ethernet 0/0 (F0/0) | Fast Ethernet 0/1 (F0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
1900 | Gigabit Ethernet 0/0 (G0/0) | Gigabit Ethernet 0/1 (G0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
2801 | Fast Ethernet 0/0 (F0/0) | Fast Ethernet 0/1 (F0/1) | Serial 0/1/0 (S0/1/0) | Serial 0/1/1 (S0/1/1) |
2811 | Fast Ethernet 0/0 (F0/0) | Fast Ethernet 0/1 (F0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
2900 | Gigabit Ethernet 0/0 (G0/0) | Gigabit Ethernet 0/1 (G0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.
Device Configs
R1#show run
Building configuration...
Current configuration : 1379 bytes
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$9VIJ$vAdKomdXQ9N4SieMoFxeD1
!
no aaa new-model
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
redundancy
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
!
line con 0
 password cisco
 logging synchronous
 login
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password cisco
 login
 transport input telnet
!
scheduler allocate 20000 1000
!
end
S1#show run
Building configuration...
Current configuration : 1605 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname S1
!
boot-start-marker
boot-end-marker
!
enable secret 4 06YFDUHH61wAE/kLkDq9BGho1QM5EnRtoyr8cHAUg.2
!
no aaa new-model
system mtu routing 1500
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
ip default-gateway 192.168.1.1
ip http server
ip http secure-server
!
!
line con 0
 password cisco
 logging synchronous
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
!
!
monitor session 1 source interface Fa0/5
monitor session 1 destination interface Fa0/6
end
S3#show run
Building configuration...
Current configuration : 1482 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname S3
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$YRtb$6k0fixPDtcRtjKATQH5Op1
!
no aaa new-model
system mtu routing 1500
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.3 255.255.255.0
!
ip default-gateway 192.168.1.1
ip http server
ip http secure-server
!
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
!
end