1
00:00:01,150 --> 00:00:14,940
So now on Thursday 751 the switch that the monitoring station is connected to confetti monitor session.

2
00:00:15,160 --> 00:00:22,960
We want to configure a spend sessions so we use the session command on the switch Sixty-Six spend sessions

3
00:00:22,990 --> 00:00:28,770
could be configured if we wanted to configure spanne on the 21:15 switch.

4
00:00:28,930 --> 00:00:37,710
It doesn't support the same number of sessions on the switch it only supports two sessions the number

5
00:00:37,710 --> 00:00:41,420
of active spend sessions however is switch dependent.

6
00:00:41,430 --> 00:00:48,730
Have a look at the documentation of the switch here we'll simply configure session one to keep it simple.

7
00:00:48,920 --> 00:00:54,350
We need to specify a source as well as a destination of the spend session.

8
00:00:54,350 --> 00:01:04,290
So the source in our example will be the LAN one and I want to capture traffic both St. and received

9
00:01:04,710 --> 00:01:13,230
in Villon one you need to be careful spending a villain if a lot of traffic is transmitted and received

10
00:01:13,230 --> 00:01:14,220
on that.

11
00:01:14,610 --> 00:01:21,330
You could oversubscribed the port as an example if the switch had 24 ports and you spanned all of those

12
00:01:21,330 --> 00:01:29,640
ports to this single interface you would possibly overwhelm the physical interface as another example

13
00:01:29,640 --> 00:01:35,910
you don't want to span a gigabit port to 100 make port and in the same way you need to make sure that

14
00:01:35,910 --> 00:01:39,720
you're capturing device can handle the traffic that it's receiving.

15
00:01:39,960 --> 00:01:47,940
You don't want to as an example for one gigabits per second of traffic to a PC with a slow you that

16
00:01:47,940 --> 00:01:52,800
can't capture or handle the amount of traffic that you throwing at it.

17
00:01:53,040 --> 00:02:01,440
As an analogy we as people may drink water from a glass or from a tap but generally not from a fire

18
00:02:01,470 --> 00:02:09,070
hydrant because the rate of water that's sent out of a fire hydrant is far more than you can drink.

19
00:02:09,270 --> 00:02:17,060
So don't overload or overwhelm the port as well as the PC by sending too much spam traffic out of this

20
00:02:17,060 --> 00:02:18,450
port.

21
00:02:18,480 --> 00:02:26,850
So now monitus session we need to specify the same session number and we going to specify a destination.

22
00:02:27,030 --> 00:02:35,630
In this case it's going to be a local interface on the switch fast Ethernet 1 0 5.

23
00:02:35,830 --> 00:02:40,660
I'll talk about the encapsulation and ingress options in a moment.

24
00:02:40,660 --> 00:02:50,280
For now we're just going to forward the traffic out of the Port Said do show run piping clewed monitor.

25
00:02:50,480 --> 00:02:55,360
We can get this command as well as the command on the switch.

26
00:02:55,580 --> 00:02:56,750
Show monitor

27
00:02:59,500 --> 00:03:01,970
we can see that we have one active session.

28
00:03:02,020 --> 00:03:03,790
It's a local session.

29
00:03:03,790 --> 00:03:10,740
It's looking at traffic sent and received on villaine one that's the source destination is port phos

30
00:03:10,780 --> 00:03:12,490
Ethan at 1 0 5.

31
00:03:12,790 --> 00:03:20,960
We're using the native land as the encapsulation ingress traffic is disabled.

32
00:03:21,020 --> 00:03:27,800
So now on the capturing piece will filter it for ICMP and let's restart that capture.

33
00:03:30,450 --> 00:03:40,970
And on Route 1 all ping route to and notice we can see the traffic which we weren't able to see before.

34
00:03:41,970 --> 00:03:49,000
Here is a source ICMP packet from wrote a one note as the MAC address ending in 0 1.

35
00:03:49,170 --> 00:03:50,790
Going to write it to.

36
00:03:50,940 --> 00:03:57,560
It's a unicast here the IP addresses are 10 1 1 1 Going to 10 1 1 2.

37
00:03:57,970 --> 00:03:59,610
It's an echo request.

38
00:03:59,680 --> 00:04:02,030
Here's the reply.

39
00:04:02,110 --> 00:04:11,960
It's also a unicast frame from Rodda to to route one unicast IP addresses.

40
00:04:11,960 --> 00:04:13,970
It's a ping reply.

41
00:04:13,970 --> 00:04:24,560
Now if Router one telnet to router 2 and logs in we should be able to see that telnet traffic on the

42
00:04:24,560 --> 00:04:30,050
capturing device and we can so notice as an example.

43
00:04:30,260 --> 00:04:38,400
Some telnet information while scroll down the road is asking for a password

44
00:04:40,910 --> 00:04:45,330
Here's the password c i s c o.

45
00:04:45,570 --> 00:04:47,680
We could also follow the TZP stream

46
00:04:50,550 --> 00:04:56,430
and we'll be able to see the password in this example because we are capturing traffic safety and received

47
00:04:56,430 --> 00:04:57,330
on the villain.

48
00:04:57,330 --> 00:05:07,980
We're getting some duplicates but as an example if on top enable password show run and look at the running

49
00:05:07,980 --> 00:05:22,530
config of that router if I fall to full telnet traffic again we'll be able to see the line Viti Y and

50
00:05:22,540 --> 00:05:27,800
the password is shown on the line Viti Y in the running config of the rods.

51
00:05:27,820 --> 00:05:30,090
So that's the config on the router.

52
00:05:30,220 --> 00:05:34,150
And here it's seen in the wash or capture.

53
00:05:34,410 --> 00:05:42,970
I could once again follow the TZP stream and I'll see the full configuration of the Rodda as captured

54
00:05:42,970 --> 00:05:44,350
on the monitoring station.

55
00:05:45,410 --> 00:05:50,780
So what's happening now is when traffic is received or sent on villain 1 it's been forwarded out of

56
00:05:50,780 --> 00:05:56,230
this port and the capturing device running was shock is able to view the traffic.

57
00:05:56,240 --> 00:06:03,770
So what we did is create a monitoring session monitor session one capturing and Villon one and the destination

58
00:06:03,770 --> 00:06:07,180
is Fasi Ethan at 1 0 5.

59
00:06:07,520 --> 00:06:18,570
If we remove the monitoring session so do show run piping clewed monitor we can see that there's no

60
00:06:18,570 --> 00:06:18,990
output.

61
00:06:18,990 --> 00:06:21,190
In other words the monitoring session has been removed.

62
00:06:23,390 --> 00:06:25,010
Now when we do the capture

63
00:06:30,880 --> 00:06:42,220
and we for instance filter for ICMP traffic and paying rodef to from Rodda one we don't see any output.

64
00:06:42,220 --> 00:06:45,310
So no ICMP traffic is shown.

65
00:06:45,540 --> 00:06:47,220
If we fail to TELLEMENT

66
00:06:50,020 --> 00:06:56,450
and then telnet to 10 1 1 2 we don't see anything.

67
00:06:56,860 --> 00:07:04,950
But if we put to the monitoring session back to session choose a number one.

68
00:07:05,230 --> 00:07:12,620
And in this case all monitor and interface if one does 0 3 which is this interface over here.

69
00:07:14,350 --> 00:07:26,750
And we'll do both and then we'll specify a destination of FASA Ethan at 1 0 5.

70
00:07:26,780 --> 00:07:36,050
What we should see now is once that kicks in as you can see over there we are able to see the telenet

71
00:07:36,530 --> 00:07:37,790
information.

72
00:07:37,820 --> 00:07:39,500
So is the prompt of rotted too.

73
00:07:39,530 --> 00:07:45,830
And if I scroll up we can see the password so the road is asking for the Enable password and he has

74
00:07:45,830 --> 00:07:54,380
the posture that he typed which is Cisco and then pressed into Once again if we follow that stream you

75
00:07:54,380 --> 00:07:56,180
can see the password that was typed.

76
00:07:58,360 --> 00:08:04,810
So it's as simple as that to create a monitoring sessions a show to monitor.

77
00:08:04,890 --> 00:08:14,000
In this example we've got session 1 which is a local section capturing traffic in and out of this port

78
00:08:14,970 --> 00:08:23,680
and it's going to a destination port 1 0 5 kept the nation is native English.

79
00:08:23,680 --> 00:08:25,290
Traffic is disabled.

80
00:08:25,420 --> 00:08:31,940
So let's talk about ingress traffic when you enable spanne on a switch.

81
00:08:32,220 --> 00:08:39,990
As we've got over here the switch no longer learns mac addresses on the span.

82
00:08:39,990 --> 00:08:46,800
Destination port it also doesn't allow traffic to be received from that port.

83
00:08:47,340 --> 00:08:52,440
So if road a one painting's Ratatouille it works

84
00:08:55,350 --> 00:09:03,600
and the MAC addresses are shown in the MAC address table but rather one is not able to paying the capturing

85
00:09:03,600 --> 00:09:04,980
device.

86
00:09:05,370 --> 00:09:18,010
So filtering for ICMP the pings are being received from radio one to the PC but no replies are being

87
00:09:18,010 --> 00:09:19,810
accepted by the switch.

88
00:09:19,810 --> 00:09:26,520
So in other words the ping from Radio 1 to the capturing device is received on this port.

89
00:09:26,530 --> 00:09:32,830
And because of the port murthering or span the traffic is being sent out of this port and is received

90
00:09:32,830 --> 00:09:34,280
by the capturing device.

91
00:09:34,510 --> 00:09:40,960
But when the capturing device replies that traffic is not accepted on the destination spend port.

92
00:09:41,020 --> 00:09:44,810
So the pings are failing.

93
00:09:44,880 --> 00:09:51,980
So once again notice there were no successes on the paying from rodder one to the capturing device.

94
00:09:52,140 --> 00:09:58,210
And just to confirm that is the IP address of the capturing device.

95
00:09:58,530 --> 00:10:06,240
If we want to allow that device to send traffic we have to configure the monitoring session to receive

96
00:10:06,570 --> 00:10:08,220
that traffic.

97
00:10:08,230 --> 00:10:13,430
So destination interface is Fosset Ethan at 1 0 5

98
00:10:16,610 --> 00:10:21,110
and we have to add the option ingress to enable ingress traffic forwarding

99
00:10:23,940 --> 00:10:30,940
and specify that as untagged traffic in the.

100
00:10:31,020 --> 00:10:34,710
One cell start to the capture again

101
00:10:38,320 --> 00:10:48,680
and let's see if Rodda one is able to ping that capturing station notice the pings succeed.

102
00:10:48,810 --> 00:10:52,200
Here's the ping from one to the capturing device.

103
00:10:52,200 --> 00:10:55,580
Here's the reply and the pings succeeded.

104
00:10:56,070 --> 00:10:59,030
So just to prove that again I'll do a repeat of just one

105
00:11:02,110 --> 00:11:08,620
play of the watch shall capture one ping ping sent from Rodda one.

106
00:11:08,720 --> 00:11:10,130
Here's the reply.

107
00:11:10,200 --> 00:11:17,370
We've seen duplicates because we are looking at traffic sent and received on the port.

108
00:11:17,420 --> 00:11:23,720
So we are receiving duplicates because we are sending traffic to the monitoring station that's received

109
00:11:23,720 --> 00:11:26,180
or transmitted on this port.

110
00:11:26,270 --> 00:11:28,450
So we get some duplicates.

111
00:11:28,560 --> 00:11:42,030
But the point to remember is that if we don't use the ingress command the monitoring station is not

112
00:11:42,030 --> 00:11:44,660
able to participate in the network.

113
00:11:44,820 --> 00:11:48,840
Essentially the MAC address is removed from the MAC address table.

114
00:11:50,260 --> 00:11:53,560
So the MAC address is not learnt as you can see over here.

115
00:11:53,950 --> 00:12:02,220
Traffic is not allowed to be received on the interface but with the ingress option it can be received

116
00:12:03,760 --> 00:12:06,840
and the device is allowed to participate in the network.