You are on page 1of 69

CCNP 3 v4 Module 7 Minimizing Service Loss and Data Theft in a Switched Network

© 2003, Cisco Systems, Inc. All rights reserved.

1

Objectives
• • • Switch Security Issues Mitigating VLAN attacks Mitigating Spoof Attacks


Implementing Authentication, Authorization and Accounting – AAA
Defending Network Switches

© 2003, Cisco Systems, Inc. All rights reserved.

2

Overview
• • This module describes some measures to secure Cisco’s multilayer switches based on Cisco’s SAFE blueprint. Cisco Systems has implemented a number of device level countermeasures to defend the individual devices as well as the entire network from security threats. In this module we will spell out possible vulnerabilities, define threats, and describes the countermeasures that should be implemented to mitigate security risks

© 2003, Cisco Systems, Inc. All rights reserved.

3

Switch Security Concerns
• Network security coverage often focuses on perimeter devices and the filtering of packets based upon Layer 3 and 4 headers, ports, stateful packet inspection and VPNs. Campus Access devices and Layer 2 communication are left largely unconsidered in most security discussions.
© 2003, Cisco Systems, Inc. All rights reserved.

4

Firewalls, Routers and Switches
• Firewalls, placed at the organizational borders, arrive in a secure operational mode and allow no communication, until configured to do so. The opposite is true for routers and switches.
– Unlike firewalls, routers and switches have a default operational mode that forwards all traffic unless configured otherwise

© 2003, Cisco Systems, Inc. All rights reserved.

5

Securing more than the perimeter

© 2003, Cisco Systems, Inc. All rights reserved.

6

Layer 2 Attacks

Attacks launched against switches and at Layer 2 can be grouped as follows:
– MAC Layer Attacks
– VLAN Attacks – Spoof Attacks – Attacks on Switch Devices

© 2003, Cisco Systems, Inc. All rights reserved.

7

MAC Flooding Attack

© 2003, Cisco Systems, Inc. All rights reserved.

8

MAC Flooding
• A common Layer 2/switch attack is MAC Flooding, resulting in CAM table overflow that causes flooding of regular data frames out all switch ports.
– A network intruder can maliciously flood a switch with a large number of frames from a range of invalid source MAC addresses.


Once the CAM is full the switch cannot create any additional CAM table entries.
The switch must flood new legitimate frames out all ports (the switch is in dumb hub mode).

The intruding device can now be attached to any switchport and see all traffic that flows through that switch.

© 2003, Cisco Systems, Inc. All rights reserved.

9

Mitigation for MAC Flood Attacks

Configure Port Security to define the number of MAC addresses that are allowed on a given port.
Port security can also specify what MAC address is allowed on a given port.
– Sticky configuration with maximum MAC address count.

© 2003, Cisco Systems, Inc. All rights reserved.

10

Port Security
• Port security restricts a switch port to a specific set and/or number of MAC addresses.
– Addresses can be learned dynamically or configured statically.

To dynamically allow a set of MAC address on an interface, use the “sticky” configuration.
– – – When configured on an interface, the interface converts dynamically learned addresses to "sticky secure" addresses. The sticky configuration cannot be applied to trunk ports The swtichport must be in switchport mode access

Switch(config-if)# switchport port-security mac-address sticky
© 2003, Cisco Systems, Inc. All rights reserved.

11

Port Security Configuration

Switch(config)#int fa0/1 Switch(config-if)#switchport port-security Command rejected: Fa0/1 is not an access port. Switch(config-if)#switchport mode access Switch(config-if)#switchport port-security Switch(config-if)#switchport port-security mac-address sticky Switch(config-if)#switchport port-security maximum 4 Switch(config-if)#switchport port-security violation ? protect Security violation protect mode restrict Security violation restrict mode shutdown Security violation shutdown mode
© 2003, Cisco Systems, Inc. All rights reserved.

12

show port-security

© 2003, Cisco Systems, Inc. All rights reserved.

13

show port-security address

© 2003, Cisco Systems, Inc. All rights reserved.

14

Caveats to Port Security Configuration

• •

Port security is enabled on a port-by-port basis By default, only one MAC address is allowed access through a given switch port when port security is enabled. Static MAC address entries for a given switchport may interfere with the maximum MAC address configuration. The default violation action is shutdown.

© 2003, Cisco Systems, Inc. All rights reserved.

15

Switchport Violation Actions
• There are three violation actions that can be configured on the secure port:
– Protect – frames from the non-allowed address are dropped but there is no log of the violation


Restrict – frames from the non-allowed address are dropped and a log message is created
Shutdown – if any frames are seen from a nonallowed address, the interface is errdisabled and a log message is created. • To bring a switchport out of errdisable, you must manually use the shutdown/no shutdown inteface configuration mode command.

Shutdown is the default violation action.
© 2003, Cisco Systems, Inc. All rights reserved.

16

VLAN Hopping
• VLAN hopping is a network attack whereby an end system sends packets to, or collects them from, a VLAN that should not be accessible to that end system.
– VLAN Hopping can be accomplished by Switch Spoofing or Double Tagging
http://www.sans.org/resources/idfaq/vlan.php
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
© 2003, Cisco Systems, Inc. All rights reserved.

17

Switch Spoofing
• In a Switch Spoofing attack, the network attacker configures a system to spoof itself as a switch by emulating ISL or 802.1Q signaling and using DTP. – Doing so, allows the end system to negotiate a trunk link with the switch. – Remember, by default Cisco switchports are set to dynamic desirable mode. The solution to switch spoofing is to configure all edge ports as access ports which essentially turns off trunking.

• •

You can also change the native VLAN from the default of 1 so that the trunk is not negotiated properly. Switch(config)# int range fa0/ 1 – 20 Switch(config-range-if)# switchport mode access Switch(config-if)# switchport trunk native vlan 10
© 2003, Cisco Systems, Inc. All rights reserved.

18

Private VLANs
• Private VLANs provide traffic isolation between ports although they may exist on the same Layer 3 segment and VLAN.
– Private VLANs (PVLANs) can be implemented on Catalyst 4500s and 6500s to keep some switch ports shared and some switch ports isolated, although all ports exist on the same VLAN.

The 2950 and 3550 support "protected ports" which is functionally similar to PVLANs on a per switch basis.

© 2003, Cisco Systems, Inc. All rights reserved.

19

Private VLAN Port Types
A port in a PVLAN can be one of three types: • Isolated An isolated port has complete Layer 2 separation from other ports within the same PVLAN except for the promiscuous port. – Traffic received from an isolated port is forwarded only to promiscuous ports. Promiscuous A promiscuous port can communicate with all ports within the PVLAN, including the community and isolated ports. – The default gateway for the segment would likely be hosted on a promiscuous port. Community Community ports communicate among themselves and with their promiscuous ports. – These interfaces are isolated at Layer 2 from all other interfaces in other communities.
© 2003, Cisco Systems, Inc. All rights reserved.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm
20

Private VLAN Configuration Guidelines

• •

VTP does not support private VLANs so you must configure your VTP mode to transparent and manually add each primary and the associated private VLANs to each switch. VLAN 1 and VLANs 1002 – 1005 cannot be private VLANs.
A primary VLAN can have one isolated VLAN and multiple community VLANs.
– An isolated or community VLAN can have only one primary VLAN associated with it.

• • •

If you delete a VLAN used in the private VLAN configuration, the private VLAN ports associated with the VLAN become inactive Private VLAN ports can be on different network devices if the devices are trunk-connected and the primary and secondary VLANs have not been removed from the trunk. All primary, isolated, and community VLANs associated within a private VLAN must maintain the same topology across trunks.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm
© 2003, Cisco Systems, Inc. All rights reserved.

21

Private VLAN Configuration Example
Router# configure terminal Router(config)# vlan 202 Router(config-vlan)# private-vlan primary Router(config-vlan)# exi Router(config)# vlan 303 Router(config-vlan)# private-vlan community Router(config-vlan)# exi Router(config)# vlan 440 Router(config-vlan)# private-vlan isolated Router(config-vlan)# exi Router(config)# vlan 202 Router(config-vlan)# private-vlan association 303-307,309,440 Router(config-vlan)# end Router(config)# interface fastethernet 5/1 Router(config-if)# switchport mode private-vlan host | promiscuous Router(config-if)# switchport private-vlan host-association 202 303 Router(config)# interface fastethernet 5/2 Router(config-if)# switchport mode private-vlan host | promiscuous Router(config-if)# switchport private-vlan host-association 202 440 Router# show vlan private-vlan Switch(config)# show vlan private-vlan Primary Secondary Type Ports

------- --------- ----------------- -----------------------------------------202 303 community Fa5/1 202 440 isolated
© 2003, Cisco Systems, Inc. All rights reserved.

Fa5/2
22

Protected Ports
• •

Protected ports do not forward any traffic to other ports that are also protected ports. Forwarding behavior between a protected port and a nonprotected port proceeds as usual.

Switch# configure terminal Switch(config)# interface fastethernet0/1 Switch(config-if)# switchport protected Switch(config-if)# end

© 2003, Cisco Systems, Inc. All rights reserved.

23

VLAN Security using ACLs
Cisco multilayer switches support three types of ACLs:
• Router access control lists (RACLs) Supported in the ternary content addressable memory (TCAM) hardware on Cisco multilayer switches Quality of service (QoS) access control lists Supported in the TCAM hardware on Cisco multilayer switches VLAN access control lists (VACLs) Supported in software on Cisco multilayer switches
– VACLs are also referred to as VLAN maps

• •

© 2003, Cisco Systems, Inc. All rights reserved.

24

VLAN ACL Examples

© 2003, Cisco Systems, Inc. All rights reserved.

25

Routed ACLs

RACLs are supported in hardware through IP standard ACLs and IP extended ACLs, with permit and deny actions.
– With RACLs, access list statistics and logging are not supported.

© 2003, Cisco Systems, Inc. All rights reserved.

26

VLAN ACLs
• VACLs (also called VLAN access maps in IOS software) apply to all traffic on the VLAN.
– VACLs are similar to route maps and follow routemap conventions, where map sequences are checked in order.


VLAN maps have three actions that can be configured:
Drop


Forward
Redirect

© 2003, Cisco Systems, Inc. All rights reserved.

27

VLAN Map Configuration
ALSwitch7(config)#ip access-list extended HRServerAllowed ALSwitch7(config-ext-nacl)#permit tcp 172.16.50.16 0.0.0.15 host 172.16.50.240 eq www ALSwitch7(config-ext-nacl)#exit ALSwitch7(config)#ip access-list extended HRServerBlocked ALSwitch7(config-ext-nacl)#permit tcp 172.16.50.0 0.0.0.127 host 172.16.50.240 eq www ALSwitch7(config-ext-nacl)#exit ALSwitch7(config)#ip access-list extended HRServerDefaults ALSwitch7(config-ext-nacl)#permit ip any any ALSwitch7(config-ext-nacl)#exit ALSwitch7(config)#vlan access-map HRServerMap 10 ALSwitch7(config-access-map)#match ip address HRServerAllowed ALSwitch7(config-access-map)#action forward ALSwitch7(config-access-map)#exit ALSwitch7(config)#vlan access-map HRServerMap 20 ALSwitch7(config-access-map)#match ip address HRServerBlocked ALSwitch7(config-access-map)#action drop ALSwitch7(config-access-map)#exit ALSwitch7(config)#vlan access-map HRServerMap 30 ALSwitch7(config-access-map)#match ip address HRServerDefaults ALSwitch7(config-access-map)#action forward ALSwitch7(config-access-map)#end ALSwitch7#config t ALSwitch7(config)# vlan filter HRServerMap vlan-list 20
© 2003, Cisco Systems, Inc. All rights reserved.

28

show vlan map and show vlan filter
ALSwitch7#show vlan access-map Vlan access-map "HRServer" 10 Match clauses: ip address: HRServerAllowed Action: forward Vlan access-map "HRServerMap" 20 Match clauses: ip address: HRServerBlocked Action: drop Vlan access-map "HRServerMap" 30 Match clauses: ip address: HRServerDefaults Action: forward ALSwitch7#show vlan filter VLAN Map HRServerMap is filtering VLANs: 50 ALSwitch7#
© 2003, Cisco Systems, Inc. All rights reserved.

29

Defending Network Switches

CDP can be selectively disabled on interfaces where management is not being performed or if you do not want CDP information learned out of that interface.
Switch(config-if)#no cdp enable

© 2003, Cisco Systems, Inc. All rights reserved.

30

Controlling VTY Access
• • Cisco provides ACLs to permit or deny Telnet access to the VTY ports of a switch. Use the access-class line configuration mode command to specify a subnet that is allowed to telnet to the switch.
– The access-class command uses a standard ACL with the in keyword.

A standard ACL is used because the access-class command filters inbound connections
‘out’ can also be used to filter outbound VTY connections.

Switch(config-line)#access-class 5 in –

© 2003, Cisco Systems, Inc. All rights reserved.

31

Access-class Example

© 2003, Cisco Systems, Inc. All rights reserved.

32

Use Secure Shell – SSH
• SSH can be configured for remote access to Cisco multilayer switches. – Catalyst 2950s do not support SSH

Switch(config)#hostname ALSwitch ALSwitch(config)#ip domain-name cisco.com ALSwitch(config)#ip ssh version 2 Please create RSA keys to enable SSH. ALSwitch(config)#crypto key generate rsa general-keys The name for the keys will be: ALSwitch.cisco.com Choose the size of the key modulus in the range of 360 to 2048 for your How many bits in the modulus [512]: 1024 % Generating 1024 bit RSA keys ...[OK] ALSwitch(config)# 00:47:18: %SSH-5-ENABLED: SSH 1.99 has been enabled ALSwitch(config)#line vty 0 15 ALSwitch(config-line)#transport input ssh ALSwitch(config-line)#login local ALSwitch(config-line)#exit ALSwitch(config)#username leo privilege 15 secret baca
© 2003, Cisco Systems, Inc. All rights reserved.

33

Encrypt Password
• • Make sure to use encrypted passwords. Encrypted password can be used for enable passwords, user passwords, console and vty passwords.

ALSwitch(config)#enable secret class ALSwitch(config)#username user1 secret userpass ALSwitch(config)#username leo privilege 15 secret baca ALSwitch(config)#exi ALSwitch#sho run ... ! hostname ALSwitch ! enable secret 5 $1$kH1o$2yH/E500t6PC1rCCDeFEb1 ! username leo privilege 15 secret 5 $1$nwnw$rvATQge3PqFS8qARlTOd51 username user1 secret 5 $1$CalZ$rCMYfxqKPrJfWENUrHIZL.
© 2003, Cisco Systems, Inc. All rights reserved.

34

Service Password Encryption
• Some passwords are not encrypted by default, such as the enable password command and the line configuration mode password command To encrypt any plaintext passwords or keystrings, use the global configuration mode command: This will encrypt plaintext passwords with Cisco level 7 encryption.
– This encryption level is not very strong
© 2003, Cisco Systems, Inc. All rights reserved.

Switch(config)# service password-encryption

35

END PART 1

PART 1 STOP HERE

© 2003, Cisco Systems, Inc. All rights reserved.

36

DHCP Spoof Attack

© 2003, Cisco Systems, Inc. All rights reserved.

37

DHCP Snooping
• DHCP Snooping is a Catalyst feature that determines which switch ports can respond to DHCP requests.
– Ports are identified as trusted and untrusted.

Trusted ports can source all DHCP messages while untrusted ports can source requests only.
– Trusted ports host a DHCP server or can be an uplink toward the DHCP server.

If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down.

© 2003, Cisco Systems, Inc. All rights reserved.

38

DHCP Snooping Example

© 2003, Cisco Systems, Inc. All rights reserved.

39

DHCP Snooping Configuration

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea5/2950scg/swdhcp82.htm
© 2003, Cisco Systems, Inc. All rights reserved.

40

show ip dhcp snooping

© 2003, Cisco Systems, Inc. All rights reserved.

41

MAC Address Spoofing
• MAC Spoofing attacks occur when a device spoofs the MAC address of a valid network device to gain access to frames of the valid device. The attacker generates a single frame with a source MAC address of the valid device.
– Once the valid host sends new frames, the spoofed CAM table entry is overwritten so forwarding to that MAC address resumes on the legitimate port.

© 2003, Cisco Systems, Inc. All rights reserved.

42

MAC Address Spoofing Example

© 2003, Cisco Systems, Inc. All rights reserved.

43

ARP Table Entries
• • • In normal ARP operation, a host sends a broadcast to determine the MAC address of a host with a particular IP address. The device at that IP address replies with its MAC address. The host that originated the request then caches the ARP response, creating an ARP table entry.
– ARP table entries are used to populate the destination Layer 2 header of packets sent to that IP address.

© 2003, Cisco Systems, Inc. All rights reserved.

44

ARP Table Example

© 2003, Cisco Systems, Inc. All rights reserved.

45

ARP Spoofing
• By spoofing an ARP reply, an attacking device appears to be the destination MAC address sought by the senders.
– Now the attacker’s MAC address is stored with the legitimate dest. IP address.

All packets destined for that IP address will be forwarded through the attacker’s system on the Ethernet network.
ARP Cache Poisoning
http://www.grc.com/nat/arp.htm
© 2003, Cisco Systems, Inc. All rights reserved.

46

ARP Spoof Example

© 2003, Cisco Systems, Inc. All rights reserved.

47

Dynamic ARP Inspection (DAI)
• • Dynamic ARP Inspection (DAI) prevents ARP spoofing by intercepting and validating all ARP requests and responses. Each intercepted ARP reply is verified for valid MAC to IP address bindings before it is forwarded to a PC.
– ARP replies coming from invalid devices are dropped.

The switch checks the MAC to IP binding in the ARP reply with the trusted DHCP snooping database.
– This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch.

http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a0080509b6f.html
48

© 2003, Cisco Systems, Inc. All rights reserved.

Dynamic ARP Inspection Example

Configure all Access switch ports as untrusted and all switch ports connected to other switches as trusted.

© 2003, Cisco Systems, Inc. All rights reserved.

49

Dynamic ARP Inspection
• To ensure that only valid ARP requests and responses are relayed, DAI takes the following actions:
– Forwards ARP packets received on a trusted interface without any checks


Intercepts all ARP packets on untrusted ports
Verifies that each intercepted packet has a valid IPto-MAC address binding before forwarding packets that can update the local ARP cache.

Drops and/or logs ARP packets with invalid IP-toMAC address bindings.

© 2003, Cisco Systems, Inc. All rights reserved.

50

Dynamic ARP Inspection Configuration

Dynamic ARP inspection is enabled on a per-VLAN basis Make sure to enable DHCP snooping first

Dynamic ARP Inspection is not supported on 29xx series switches

© 2003, Cisco Systems, Inc. All rights reserved.

51

What is AAA?
• • •

AAA stands for Authentication, Authorization and Accounting. AAA is an architectural framework for configuring access control security functions. AAA is generally concerned with access control to a network or network device.
– For instance, an AAA server can be used to authenticate remote users via a VPN or it can be used to authenticate local users to a router, switch or firewall.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfaaa.htm
© 2003, Cisco Systems, Inc. All rights reserved.

52

AAA in a Nutshell
• Authentication provides the method of identifying users.
– The most common method of authentication is username/password.

Authorization provides a method of controlling access to what a user can do.
– Authorization is usually tied to a policy, profile or group.

Accounting provides a method for collecting and sending security server information used for billing, auditing, and reporting.
– Accounting collects data as to what a user did once logged in.

© 2003, Cisco Systems, Inc. All rights reserved.

53

AAA Servers and Authentication
• AAA uses protocols such as RADIUS, TACACS+, or 802.1X to administer its security functions. There is an authenticator (device) that permits or denies access to the network or network resource and an authentication server that provides the actual database of user identification.
– The Authenticator can be a switch, router, firewall, wireless access point, VPN server or access server.

© 2003, Cisco Systems, Inc. All rights reserved.

54

Using AAA for Login Security
• The AAA security services facilitate a variety of login authentication methods.
– Use ‘aaa authentication login’ to enable AAA authentication.

With the ‘aaa authentication login’ command, it is possible to create one or more lists of authentication methods that are tried at login. The ‘login authentication’ line configuration command applies these lists to login attempts.

© 2003, Cisco Systems, Inc. All rights reserved.

55

AAA Login Configuration

© 2003, Cisco Systems, Inc. All rights reserved.

56

AAA Login Configuration Example

Switch(config)#aaa new-model Switch(config)#tacacs-server host 147.144.51.46 key 0 tacacskey Switch(config)#aaa group server tacacs+ TACACS Switch(config-sg-tacacs+)#server 147.144.51.46 Switch(config-sg-tacacs+)#exi Switch(config)# Switch(config)#aaa authentication login TACACS local Switch(config)#line con 0 Switch(config-line)#login authentication TACACS

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfathen.htm

© 2003, Cisco Systems, Inc. All rights reserved.

57

Authentication Methods

© 2003, Cisco Systems, Inc. All rights reserved.

58

AAA Authorization
• • AAA authorization enables the limitation of the services available to a user. When AAA authorization is enabled, the device uses information retrieved from the user profile
– The user profile is located either in the local user database on the switch or on the security server

You can configure up to 16 hierarchical levels of commands for each mode.

Setting Passwords and Privileges
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfpass.htm
© 2003, Cisco Systems, Inc. All rights reserved.

59

AAA Accounting

Accounting is the process of keeping track of the activity of each user who is accessing the network resources. Accounting data is used for trend analysis, capacity planning, billing, auditing and cost allocation.

© 2003, Cisco Systems, Inc. All rights reserved.

60

802.1X Port-based Authentication

Authenticator Supplicant

© 2003, Cisco Systems, Inc. All rights reserved.

61

802.1X Port-based Authentication

Until the workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the switchport. After authentication is successful, normal traffic can pass through the port. The port starts in the unauthorized state.
– – While in this state, the port disallows all ingress and egress traffic except for 802.1x protocol packets. When a client is successfully authenticated, the port transitions to the authorized state

• •

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea5/2950scg/sw8021x.htm

© 2003, Cisco Systems, Inc. All rights reserved.

62

802.1X Configuration
Switch1(config)#aaa new-model Switch1(config)#aaa authentication dot1x TACACS local Switch1(config)#dot1x system-auth-control Switch1(config)#interface range fa0/2 - 20 Switch1(config-if-range)#switchport mode access Switch1(config-if-range)#dot1x port-control auto Switch1(config-if-range)#end Switch1# show run ! interface FastEthernet0/1 ! interface FastEthernet0/2 switchport mode access dot1x port-control auto spanning-tree portfast
© 2003, Cisco Systems, Inc. All rights reserved.

63

Capturing Traffic in a Switched Network

If a network analyzer is connected to a switch port, by default the analyzer will only collect data directed to the MAC address of the analyzer. To resolve this issue, we configure Switch Port Analyzer (SPAN) ports. SPAN sends a copy of frames generated on one port or an entire VLAN to another switch port hosting a network analyzer.
– Also known as port mirroring or port monitoring

• •

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/swspan.htm
© 2003, Cisco Systems, Inc. All rights reserved.

64

SPAN Example

© 2003, Cisco Systems, Inc. All rights reserved.

65

Remote SPAN (RSPAN)

RSPAN sends traffic from a monitored port through an intermediate switch network to a traffic analyzer on another switch.
RSPAN supports source ports, source VLANs, and destination ports on different switches. RSPAN provides remote monitoring of ports on multiple switches across the network

• •

© 2003, Cisco Systems, Inc. All rights reserved.

66

RSPAN Example

© 2003, Cisco Systems, Inc. All rights reserved.

67

Reflector Ports
• • The reflector port is the mechanism that copies packets onto an RSPAN VLAN. The reflector port forwards only the traffic from the RSPAN source session with which it is affiliated. – Any device connected to a port set as a reflector port loses connectivity until the RSPAN source session is disabled. The reflector port has these characteristics:

• •
• • •

It is a port set to loopback. It cannot be an EtherChannel group, it does not trunk, and it cannot do protocol filtering. A port used as a reflector port cannot be a SPAN source or destination port, nor can a port be a reflector port for more than one session at a time.
It is invisible to all VLANs. Spanning tree is automatically disabled on a reflector port.
© 2003, Cisco Systems, Inc. All rights reserved.

68

SPAN and RSPAN Configuration
SPAN:
Switch(config)#monitor Switch(config)#monitor Switch(config)#monitor Switch(config)#monitor session session session session 1 1 1 1 source interface fa0/2 source interface fa0/2 - 24 source vlan 33 , 34 , 40 - 50 destination interface fa0/10

RSPAN:
SourceSw(config)#vlan 100 SourceSw(config-vlan)#remote-span SourceSw(config-vlan)#exi SourceSw(config)#monitor session 1 source interface fa0/10 both SourceSw(config)#monitor session 1 destination remote vlan 100 reflector-port fa0/12
DestSw(config)#monitor session 1 source remote vlan 100 DestSw(config)#monitor session 1 destination interface fa0/5
© 2003, Cisco Systems, Inc. All rights reserved.

69