1
00:00:01,100 --> 00:00:15,000
So now on 37 51 the switch that the monitoring station is connected to, conf t, monitor session.
2
00:00:15,080 --> 00:00:22,880
We want to configure a SPAN session so we use the session command on do the switch 66 SPAN sessions
3
00:00:22,910 --> 00:00:30,320
could be configured if we wanted to configure SPAN on the twenty nine fifty switch it doesn't support
4
00:00:30,350 --> 00:00:39,480
the same number of sessions on the switch it only supports two sessions the number of active SPAN sessions
5
00:00:39,480 --> 00:00:41,370
however is switch dependent.
6
00:00:41,370 --> 00:00:47,880
Have a look at the documentation of the switch here we'll simply configure session one to keep it simple
7
00:00:48,840 --> 00:00:56,340
we need to specify a source as well as a destination of the SPAN session so the source in our example
8
00:00:56,730 --> 00:01:08,230
will be VLAN 1 and I want to capture traffic both sent and received in VLAN 1 you need to be careful
9
00:01:08,350 --> 00:01:15,730
spanning a VLAN if a lot of traffic is transmitted and received on that VLAN you could oversubscribe
10
00:01:15,730 --> 00:01:23,230
the port as an example if the switch had 24 ports and you spanned all of those ports to this single
11
00:01:23,230 --> 00:01:30,040
interface you would possibly overwhelm this physical interface as another example you don't want to
12
00:01:30,040 --> 00:01:37,120
span a gigabit port to 100 meg port and in the same way you need to make sure that your capturing device
13
00:01:37,120 --> 00:01:43,180
can handle the traffic that it's receiving you don't want to as an example forward one gigabits per
14
00:01:43,180 --> 00:01:51,490
second of traffic to a PC with a slow CPU that can't capture or handle the amount of traffic that you're
15
00:01:51,490 --> 00:02:00,670
throwing at it as an analogy we as people may drink water from a glass or from a tap but generally not
16
00:02:00,670 --> 00:02:08,170
from a fire hydrant because the rate of water that's sent out of a fire hydrant is far more than you
17
00:02:08,170 --> 00:02:16,600
can drink so don't overload or overwhelm the port as well as the PC by sending too much SPAN traffic
18
00:02:16,630 --> 00:02:25,300
out of this port so now monitor session we need to specify the same session number and we're going to specify
19
00:02:25,300 --> 00:02:35,900
a destination in this case it's going to be a local interface on the switch FastEthernet 1 0 5 I'll
20
00:02:35,900 --> 00:02:40,280
talk about the encapsulation and ingress options in a moment.
21
00:02:40,580 --> 00:02:47,600
For now we're just going to forward the traffic out of the port so do show run pipe include monitor
22
00:02:50,400 --> 00:02:56,670
we configured this command as well as this command on the switch show monitor
23
00:02:59,420 --> 00:03:05,420
we can see that we have one active session it's a local session it's looking at traffic sent and received
24
00:03:05,420 --> 00:03:15,020
on VLAN 1 that's the source destination is port FastEthernet 1 0 5 we're using the native VLAN
25
00:03:15,050 --> 00:03:24,630
as the encapsulation ingress traffic is disabled so now on the capturing PC we'll filter for ICMP
26
00:03:25,720 --> 00:03:27,560
and let's restart that capture
27
00:03:30,400 --> 00:03:40,230
and on router 1 I'll ping router 2 and notice we can see the traffic which we weren't able to see
28
00:03:40,230 --> 00:03:41,770
before.
29
00:03:41,910 --> 00:03:48,880
Here is a source ICMP packet from router 1 Notice the MAC address ending in 0 1.
30
00:03:49,080 --> 00:03:58,450
Going to router 2 it's a unicast here the IP address is 10.1.1.1 going to 10.1.1.2 it's an echo
31
00:03:58,450 --> 00:03:59,470
request.
32
00:03:59,620 --> 00:04:12,120
Here's the reply. It's also a unicast frame from router 2 to router 1 unicast IP addresses it's
33
00:04:12,120 --> 00:04:23,940
a ping reply now if router 1 telnets to router 2 and logs in we should be able to see that telnet traffic
34
00:04:24,270 --> 00:04:33,330
on the capturing device and we can so notice as an example here's some telnet information I'll scroll
35
00:04:33,330 --> 00:04:47,630
down the router is asking for a password here's the password c i s c o. We could also follow the TCP stream
36
00:04:50,490 --> 00:04:56,380
and we'll be able to see the password in this example because we are capturing traffic sent and received
37
00:04:56,380 --> 00:04:57,260
on the VLAN.
38
00:04:57,280 --> 00:05:07,920
We're getting some duplicates but as an example if I type enable, password, show run and look at the running
39
00:05:07,920 --> 00:05:22,580
config of that router if I filter for telnet traffic again we'll be able to see the line vty and the
40
00:05:22,580 --> 00:05:27,740
password is shown on the line vty in the running config of the router.
41
00:05:27,760 --> 00:05:34,110
So that's the config on the router and here it's seen in the Wireshark capture.
42
00:05:34,360 --> 00:05:42,920
I could once again follow the TCP stream and I'll see the full configuration of the router as captured
43
00:05:42,950 --> 00:05:45,290
on the monitoring station.
44
00:05:45,350 --> 00:05:50,930
So what's happening now is when traffic is received or sent on VLAN 1 it's been forwarded out of this
45
00:05:50,930 --> 00:05:56,010
port and the capturing device running Wireshark is able to view the traffic.
46
00:05:56,180 --> 00:06:03,710
So what we did is create a monitoring session monitor session 1 capturing on VLAN 1 and the destination
47
00:06:03,710 --> 00:06:04,900
as FastEthernet
48
00:06:05,030 --> 00:06:18,300
1 0 5. If we remove the monitoring session so do show run pipe include monitor we can see that there's
49
00:06:18,330 --> 00:06:23,250
no output in other words the monitoring session has been removed.
50
00:06:23,340 --> 00:06:24,930
Now when we do the capture
51
00:06:30,820 --> 00:06:42,070
and we for instance filter for ICMP traffic and ping router 2 from router 1 we don't see any output.
52
00:06:42,190 --> 00:06:47,140
So no ICMP traffic is shown if we filter for telnet
53
00:06:49,970 --> 00:06:54,520
and then telnet to 10.1.1.2.
54
00:06:54,860 --> 00:07:04,190
We don't see anything but if we put the monitoring session back so monitor session choose a number
55
00:07:04,190 --> 00:07:04,960
one.
56
00:07:05,170 --> 00:07:14,750
And in this case I'll monitor an interface F 1 0 3 which is this interface over here and we'll do
57
00:07:14,750 --> 00:07:29,490
both and then we'll specify a destination of FastEthernet 1 0 5 what we should see now is once that
58
00:07:29,490 --> 00:07:38,680
kicks in as you can see over there we are able to see the Telnet information so there's the prompt of
59
00:07:38,690 --> 00:07:42,140
router 2 and if I scroll up we can see the password.
60
00:07:42,150 --> 00:07:49,200
So the router is asking for an enable password and here's the password that I typed which is cisco and then
61
00:07:49,200 --> 00:07:58,580
I pressed Enter. Once again if we follow that stream you can see the password that was typed so it's as
62
00:07:58,580 --> 00:08:02,800
simple as that to create a monitoring session to show.
63
00:08:02,810 --> 00:08:11,950
Monitor in this example we've got session one which was a local session capturing traffic in and out
64
00:08:12,250 --> 00:08:24,110
of this port and it's going to this destination port 1 0 5 encapsulation is native ingress traffic is
65
00:08:24,110 --> 00:08:25,210
disabled.
66
00:08:25,370 --> 00:08:35,020
So let's talk about ingress traffic when you enable SPAN on a switch as we've got over here the switch
67
00:08:35,080 --> 00:08:45,010
no longer learns MAC addresses on the SPAN destination port it also doesn't allow traffic to be received
68
00:08:45,310 --> 00:08:47,260
from that port.
69
00:08:47,260 --> 00:08:52,410
So if router 1 pings router 2 it works
70
00:08:55,300 --> 00:09:03,520
and the MAC addresses are shown in the MAC address table but router 1 is not able to ping the capturing
71
00:09:03,520 --> 00:09:04,880
device.
72
00:09:05,290 --> 00:09:17,950
So filtering for ICMP the pings are being received from router 1 to the PC but no replies are being
73
00:09:17,950 --> 00:09:19,750
accepted by the switch.
74
00:09:19,780 --> 00:09:26,980
So in other words the ping from router 1 to the capturing device is received on this port and because
75
00:09:26,980 --> 00:09:33,490
of the port mirroring or SPAN the traffic is being sent out of this port and is received by the capturing
76
00:09:33,490 --> 00:09:34,480
device.
77
00:09:34,480 --> 00:09:40,870
But when the capturing device replies that traffic is not accepted on the destination SPAN port.
78
00:09:40,960 --> 00:09:42,100
So the pings are failing
79
00:09:44,830 --> 00:09:51,800
so once again notice there were no successes on the ping from router 1 to the capturing device.
80
00:09:52,060 --> 00:10:00,730
And just to confirm that is the IP address of the capturing device if we want to allow that device to
81
00:10:00,730 --> 00:10:08,170
send traffic we have to configure the monitoring session to receive that traffic.
82
00:10:08,170 --> 00:10:13,360
So destination interface is FastEthernet 1 0 5
83
00:10:16,530 --> 00:10:21,060
and we have to add this option ingress to enable ingress traffic forwarding
84
00:10:23,910 --> 00:10:32,810
and to specify that is untagged traffic in VLAN 1.
85
00:10:32,880 --> 00:10:34,620
So I'll start the capture again
86
00:10:38,300 --> 00:10:49,200
and let's see if router 1 is able to ping that capturing station notice the pings succeed here's the
87
00:10:49,200 --> 00:10:56,010
ping from router 1 to the capturing device here's the reply and the pings succeeded.
88
00:10:56,010 --> 00:10:58,950
So just to prove that again I'll do a repeat of just one
89
00:11:02,040 --> 00:11:05,930
play the one shall capture one ping.
90
00:11:06,150 --> 00:11:13,910
There's the ping sent from router 1 here's the reply we've seen duplicates because we are looking at
91
00:11:13,910 --> 00:11:17,180
traffic sent and received on this port.
92
00:11:17,360 --> 00:11:23,660
So we are receiving duplicates because we are sending traffic to the monitoring station that's received
93
00:11:23,690 --> 00:11:26,040
or transmitted on this port.
94
00:11:26,210 --> 00:11:39,390
So we get some duplicates but the point to remember is that if we don't use the ingress command the
95
00:11:39,390 --> 00:11:44,160
monitoring station is not able to participate in the network.
96
00:11:44,760 --> 00:11:51,710
Essentially the MAC address is removed from the MAC address table so the MAC address is not learnt
97
00:11:51,920 --> 00:11:53,870
as you can see over here.
98
00:11:53,870 --> 00:12:02,180
Traffic is not allowed to be received on this interface but with the ingress option it can be received
99
00:12:03,710 --> 00:12:06,590
and the device is allowed to participate in the network.