11.4.6 Packet Tracer – Implement a Local SPAN Answers

Packet Tracer – Implement a Local SPAN (Answers Version)

Answers Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Addressing Table

Blank Line, No additional information

Objectives

Part 1: Verify Connectivity and Configure the Sniffer

Part 2: Configure Local SPAN and Capture Copied Traffic

Background / Scenario

As the network administrator you want to analyze traffic entering and exiting the local network. To do this, you will set up port mirroring on the switch port connected to the router and mirror all traffic to another switch port. The goal is to send all mirrored traffic to an intrusion detection system (IDS) for analysis. In this implementation, you will send all mirrored traffic to a sniffer which will display the traffic. To set up port mirroring, you will use the Switched Port Analyzer (SPAN) feature on the Cisco switch. SPAN is a type of port mirroring that sends copies of a frame entering a port, out another port on the same switch.

Instructions

Part 1:Verify Connectivity and Configure the Sniffer

In this part, you will verify end-to-end connectivity and verify the configuration on the sniffer. The privileged EXEC password is class and the vty password is cisco for simplicity.

Step 1:Verify end-to-end connectivity.

From the PCs, you should be able to ping the interface on R1, S1, and S2.

If the pings are not successful, troubleshoot the basic device configurations before continuing.

Step 2:Configure the Sniffer.

1. Access the Sniffer and click GUI.
2. Verify Service is set to On.
3. Click Edit Filters and select ICMP.
4. Leave the Sniffer window open.

Part 2:Configure Local SPAN and Capture Copied Traffic

To configure Local SPAN, you need to configure one or more source ports called monitored ports and a single destination port also called a monitored port for copied or mirrored traffic to be sent out from. SPAN source ports can be configured to monitor traffic in either ingress or egress, or both directions (default).

The SPAN source port will need to be configured on the port that connects to the router on S1 switch port F0/5. This way all traffic entering or exiting the LAN will be monitored. The SPAN destination port will be configured on S1 switch port F0/6 which is connected to a sniffer.

Step 1:Configure SPAN on S1.

1. Access S1 and configure the source and destination monitor ports on S1. Now all traffic entering or leaving F0/5 will be copied and forwarded out of F0/6.

Open configuration window

S1(config)# monitor session 1 source interface f0/5

S1(config)# monitor session 1 destination interface f0/6

2. Verify SPAN configuration for session 1.

S1# show monitor session 1

Session 1

———

Type: Local Session

Description: –

Source Ports:

Both: Fa0/5

Destination Ports: Fa0/6

Encapsulation: Native

Ingress: Disabled

Step 2:Telnet into R1 and create ICMP traffic on the LAN.

1. Telnet from S1 to R1. The password is cisco.

S1# telnet 192.168.1.1

Trying 192.168.1.1 . . . Open

User Access Verification

Password:

R1>

2. From user privileged mode, ping PC0, PC1, S1 and S2.

R1> enable

Password:

R1# ping 192.168.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R1# ping 192.168.1.2

<Output omitted>

R1# ping 192.168.1.3

<Output omitted>

Close configuration window

Step 3:Examine the ICMP packets.

1. Return to Sniffer.
2. Examine the captured ICMP packets. Click each ICMP and scroll down to the ICMP heading. Note the source and destination IP addresses.

Questions:

Were the pings from R1 to PCs and switches successfully copied and forwarded out F0/6 to Sniffer?

Type your answers here.

Yes

Was the traffic monitored and copied in both directions?

Type your answers here.

Yes

Answer Scripts

Switch S1

enable

config terminal

monitor session 1 source interface f0/5

monitor session 1 destination interface f0/6

end

• Recommend