Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:01,100 --> 00:00:15,000 So now on 37 51 the switch that the monitoring station is connected to confetti monitor session. 2 00:00:15,080 --> 00:00:22,880 We want to configure a spend session so we use the session command on do the switch 66 span sessions 3 00:00:22,910 --> 00:00:30,320 could be configured if we wanted to configure span on the twenty nine fifty switch it doesn't support 4 00:00:30,350 --> 00:00:39,480 the same number of sessions on the switch it only supports two sessions the number of active span sessions 5 00:00:39,480 --> 00:00:41,370 however is switch dependent. 6 00:00:41,370 --> 00:00:47,880 Have a look at the documentation of the switch here we'll simply configure session one to keep it simple 7 00:00:48,840 --> 00:00:56,340 we need to specify a source as well as a destination of the span session so the source in our example 8 00:00:56,730 --> 00:01:08,230 will be the LAN one and I want to capture traffic both sent and received in VLAN 1 you need to be careful 9 00:01:08,350 --> 00:01:15,730 spanning a v lan if a lot of traffic is transmitted and received on that VLAN you could oversubscribed 10 00:01:15,730 --> 00:01:23,230 the port as an example of the switch had 24 ports and you spanned all of those ports to this single 11 00:01:23,230 --> 00:01:30,040 interface you would possibly overwhelm this physical interface as another example you don't want to 12 00:01:30,040 --> 00:01:37,120 span a gigabit port to 100 make port and in the same way you need to make sure that your capturing device 13 00:01:37,120 --> 00:01:43,180 can handle the traffic that it's receiving you don't want to as an example forward one gigabits per 14 00:01:43,180 --> 00:01:51,490 second of traffic to P.C. with a slow CPSU that can't capture or handle the amount of traffic that you 15 00:01:51,490 --> 00:02:00,670 throwing at it as an analogy we as people may drink water from a gloss or from a tap but generally not 16 00:02:00,670 --> 00:02:08,170 from a fire hydrant because the rate of water that's sent out of a fire hydrant is far more than you 17 00:02:08,170 --> 00:02:16,600 can drink so don't overload or overwhelm the port as well as the P.C. by sending too much spam traffic 18 00:02:16,630 --> 00:02:25,300 out of this port so now monitor session we need to specify the same session no and we're going to specify 19 00:02:25,300 --> 00:02:35,900 a destination in this case it's going to be a local interface on the switch fast ethernet 1 0 5 I'll 20 00:02:35,900 --> 00:02:40,280 talk about the encapsulation and ingress options in a moment. 21 00:02:40,580 --> 00:02:47,600 For now we're just going to forward the traffic out of the port so do show run pipe include monitor 22 00:02:50,400 --> 00:02:56,670 we configured this command as well as this command on the switch show monitor 23 00:02:59,420 --> 00:03:05,420 we can see that we have one active session it's a local session it's looking at traffic sent and received 24 00:03:05,420 --> 00:03:15,020 on VLAN 1 that's the source destination is Port Fost Ethan at 1 0 5 we're using the native a villain 25 00:03:15,050 --> 00:03:24,630 as the encapsulation ingress traffic is disabled so now on the capturing P.S. we'll filter for ICMP 26 00:03:25,720 --> 00:03:27,560 and let's restart that capture 27 00:03:30,400 --> 00:03:40,230 and en route a one all ping routed to and notice we can see the traffic which we weren't able to see 28 00:03:40,230 --> 00:03:41,770 before. 29 00:03:41,910 --> 00:03:48,880 Here is a source ICMP packet from router 1 Notice the MAC address ending in 0 1. 30 00:03:49,080 --> 00:03:58,450 Going to write it to it's a unit cost here the IP addresses a 10 1 1 1 going to 10 1 1 2 it's an echo 31 00:03:58,450 --> 00:03:59,470 request. 32 00:03:59,620 --> 00:04:12,120 Here's the reply It's also a unique cost frame from Rod a 2 to write a 1 unit cost IP addresses it's 33 00:04:12,120 --> 00:04:23,940 a ping reply now if write a 1 Telnet to write a 2 and logs in we should be able to see that telnet traffic 34 00:04:24,270 --> 00:04:33,330 on the capturing device and we can so notice as an example he has some telnet information I'll scroll 35 00:04:33,330 --> 00:04:47,630 down the road is asking for a password he has the password C I S CEO We could also follow the DCP stream 36 00:04:50,490 --> 00:04:56,380 and we'll be able to see the password in this example because we are capturing traffic sent and received 37 00:04:56,380 --> 00:04:57,260 on the V Line. 38 00:04:57,280 --> 00:05:07,920 We're getting some duplicates but as an example if on top enable password show run and look at the running 39 00:05:07,920 --> 00:05:22,580 config of that router if I fall to 4 telnet traffic again we'll be able to see the line Viti Y and the 40 00:05:22,580 --> 00:05:27,740 password is shown on the line Viti y in the running config of the Rada. 41 00:05:27,760 --> 00:05:34,110 So that's the conflict on the router and here it's seen in the wash out capture. 42 00:05:34,360 --> 00:05:42,920 I could once again follow the TCB stream and I'll see the full configuration of the rudder as captured 43 00:05:42,950 --> 00:05:45,290 on the monitoring station. 44 00:05:45,350 --> 00:05:50,930 So what's happening now is when traffic is received or sent on VLAN 1 it's been forwarded out of this 45 00:05:50,930 --> 00:05:56,010 port and the capturing device running why shark is able to view the traffic. 46 00:05:56,180 --> 00:06:03,710 So what we did is create a monitoring session monitor session 1 capturing on VLAN 1 and the destination 47 00:06:03,710 --> 00:06:04,900 as fast Ethernet. 48 00:06:05,030 --> 00:06:18,300 1 05 if we remove the monitoring session so do show run pipe include monitor we can see that there's 49 00:06:18,330 --> 00:06:23,250 no output in other words the monitoring session has been removed. 50 00:06:23,340 --> 00:06:24,930 Now when we do the capture 51 00:06:30,820 --> 00:06:42,070 and we for instance filter for ICMP traffic and paying a T from Route 1 we don't see any output. 52 00:06:42,190 --> 00:06:47,140 So no ICMP traffic is shown if we fall to 4 telnet 53 00:06:49,970 --> 00:06:54,520 and then Telnet to 10 1 1 2. 54 00:06:54,860 --> 00:07:04,190 We don't see anything but if we put to the monitoring session back so monitor session choose a number 55 00:07:04,190 --> 00:07:04,960 one. 56 00:07:05,170 --> 00:07:14,750 And in this case all monitor and interface if one 0 3 which is this interface over here and we'll do 57 00:07:14,750 --> 00:07:29,490 both and then we'll specify a destination of first Ethan at 1 0 5 what we should see now is once that 58 00:07:29,490 --> 00:07:38,680 kicks in as you can see over there we are able to see the Telnet information so there's the prompt of 59 00:07:38,690 --> 00:07:42,140 wrote it to and if I scroll up we can see the password. 60 00:07:42,150 --> 00:07:49,200 So the right is asking for a enabled password and he has the password that I typed which Cisco and then 61 00:07:49,200 --> 00:07:58,580 I pressed into once again if we follow that stream you can see the password that was typed so it's as 62 00:07:58,580 --> 00:08:02,800 simple as that to create a monitoring session to show. 63 00:08:02,810 --> 00:08:11,950 Monitor in this example we've got session one which was a local session capturing traffic in and out 64 00:08:12,250 --> 00:08:24,110 of this port and it's going to this destination port 1 0 5 encapsulation is native English traffic is 65 00:08:24,110 --> 00:08:25,210 disabled. 66 00:08:25,370 --> 00:08:35,020 So let's talk about ingress traffic when you enable span on a switch as we've got over here the switch 67 00:08:35,080 --> 00:08:45,010 no longer learns mac addresses on the span destination port it also doesn't allow traffic to be received 68 00:08:45,310 --> 00:08:47,260 from that port. 69 00:08:47,260 --> 00:08:52,410 So if road A one pings write a t it works 70 00:08:55,300 --> 00:09:03,520 and the MAC addresses are shown in the MAC address table but rather one is not able to ping the capturing 71 00:09:03,520 --> 00:09:04,880 device. 72 00:09:05,290 --> 00:09:17,950 So filtering for ICMP the pings are being received from Radio a 1 to the P.C. but no replies are being 73 00:09:17,950 --> 00:09:19,750 accepted by the switch. 74 00:09:19,780 --> 00:09:26,980 So in other words the ping from rudder one to the capturing device is received on this port and because 75 00:09:26,980 --> 00:09:33,490 of the port mirroring or span the traffic is being sent out of this port and is received by the capturing 76 00:09:33,490 --> 00:09:34,480 device. 77 00:09:34,480 --> 00:09:40,870 But when the capturing device replies that traffic is not accepted on the destination spend port. 78 00:09:40,960 --> 00:09:42,100 So the pings are failing 79 00:09:44,830 --> 00:09:51,800 so once again notice there were no successes on the ping from of one to the capturing device. 80 00:09:52,060 --> 00:10:00,730 And just to confirm that is the IP address of the capturing device if we want to allow that device to 81 00:10:00,730 --> 00:10:08,170 send traffic we have to configure the monitoring session to receive that traffic. 82 00:10:08,170 --> 00:10:13,360 So destination interface is fast ethernet 1 0 5 83 00:10:16,530 --> 00:10:21,060 and we have to add this option ingress to enable ingress traffic forwarding 84 00:10:23,910 --> 00:10:32,810 and to specify that is on tagged traffic in VLAN 1. 85 00:10:32,880 --> 00:10:34,620 So I'll start the capture again 86 00:10:38,300 --> 00:10:49,200 and let's see if Rada one is able to ping that capturing station notice the pings succeed here's the 87 00:10:49,200 --> 00:10:56,010 ping from Route One to the capturing device here's the reply and the pings succeeded. 88 00:10:56,010 --> 00:10:58,950 So just to prove that again I'll do a repeat of just one 89 00:11:02,040 --> 00:11:05,930 play the one shall capture one ping. 90 00:11:06,150 --> 00:11:13,910 There's the ping sent from Rada one he has the reply we've seen duplicates because we are looking at 91 00:11:13,910 --> 00:11:17,180 traffic sent and received on this port. 92 00:11:17,360 --> 00:11:23,660 So we are receiving duplicates because we are sending traffic to the monitoring station that's received 93 00:11:23,690 --> 00:11:26,040 or transmitted on this port. 94 00:11:26,210 --> 00:11:39,390 So we get some duplicates but they point to remember is that if we don't use the ingress command the 95 00:11:39,390 --> 00:11:44,160 monitoring station is not able to participate in the network. 96 00:11:44,760 --> 00:11:51,710 Essentially the Mac address is removed from the Mac address table so the Mac addresses is not learnt 97 00:11:51,920 --> 00:11:53,870 as you can see over here. 98 00:11:53,870 --> 00:12:02,180 Traffic is not allowed to be received on this interface but with the ingress option it can be received 99 00:12:03,710 --> 00:12:06,590 and the device is allowed to participate in the network. 11486