FWSM Traffic Capture

Product Tech Note
Document ID: 116059
Contributed by Scott Nishimura, Cisco TAC Engineer.
Apr 02, 2013

Contents

Introduction
Prerequisites
    Requirements
    Components Used
    Conventions
SPAN Reflector
FWSM Traffic Capture on the Switch Backplane
    Step 1: Determine Port Channel Used by FWSM
    Step 2: Define Source and Destination Interfaces
    Step 3: Verify Monitor Session
Related Information

Introduction

This document describes how to monitor traffic sent to and received from a Firewall Services Module (FWSM). On the Cisco Catalyst 6500/Cisco 7600 Series Routers platform, there are two switched port analyzer (SPAN) sessions that can be used to redirect traffic to a destination port for activities such as captures or transmissions to other physical security devices (such as an Intrusion Detection System). SPAN sessions are also known as monitor sessions.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

• Network security
• Familiarity with data captures (sniffers)

Components Used

The information in this document is based on these software and hardware versions:

• Cisco Catalyst 6500/7600 Series Switches
• Cisco Catalyst 6500/Cisco 7600 Series Supervisor Engine 720
• Cisco FWSM

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for information on document conventions.

SPAN Reflector

Some service modules, such as the FWSM, use one of the switch's two monitor sessions (a single session shared by all the service modules) in order to communicate with the ASICs on the Supervisor. This communication path enables multicast traffic, as well as other traffic that requires the central rewrite engine, to be switched when egressing the FWSM or other service modules.
This type of session is known as the SPAN reflector and is enabled by default. The SPAN reflector is required if the switch uses distributed (cross-module) etherchannel; a distributed etherchannel exists when a port channel has multiple interfaces that are bundled and that cross multiple linecards.

Note: The Adaptive Security Appliance Service Module (ASA-SM) does not require the SPAN reflector, so you can disable the reflector if no other service modules require it.

The second session can be used for other monitor sessions, such as packet sniffing. Use the show monitor session all command in order to see the status of the monitor sessions; look for Service Module Session as the Type.

    6513#sh monitor sess all
    Session 1
    ---------
    Type                   : Local Session
    Source Ports           :
        Both               : Po272
    Destination Ports      : Gi13/13

    Session 2
    ---------
    Type                   : Service Module Session
    Modules allowed        : 1-13
    Modules active         : 1,3
    BPDUs allowed          : Yes

FWSM Traffic Capture on the Switch Backplane

Use a monitor session in order to span the traffic that is sent to and received from the FWSM on the internal backplane interfaces. In this example, Session 1 is set up to sniff the traffic to and from the FWSM.

Step 1: Determine Port Channel Used by FWSM

The FWSM generally uses an internal port channel numbered 270 or higher. Use the show etherchannel summary command in order to determine which port channel is in use.
    6513#show etherchannel summary
    Flags:  D - down        P - bundled in port-channel
            I - stand-alone s - suspended
            H - Hot-standby (LACP only)
            R - Layer3      S - Layer2
            U - in use      f - failed to allocate aggregator
            M - not in use, minimum links not met
            u - unsuitable for bundling
            w - waiting to be aggregated

    Number of channel-groups in use: 10
    Number of aggregators:           10

    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+-----------------------------------------------
    1      Po1(SD)         LACP      Gi5/7(D)    Gi5/8(D)
    2      Po2(SD)          -
    3      Po3(SD)          -
    22     Po22(SU)        LACP      Gi5/23(P)   Gi5/24(P)
    105    Po105(SU)       LACP      Fa2/25(w)   Fa2/26(P)
    106    Po106(SU)       LACP      Fa2/27(P)   Fa2/28(P)
    223    Po223(SD)       LACP      Gi5/39(I)   Gi5/40(I)
    224    Po224(SD)       LACP      Gi5/41(I)   Gi5/42(I)
    270    Po270(SU)        -        Gi1/1(P)    Gi1/2(P)    Gi1/3(P)    Gi1/4(P)    Gi1/5(P)    Gi1/6(P)
    272    Po272(SU)        -        Gi3/1(P)    Gi3/2(P)    Gi3/3(P)    Gi3/4(P)    Gi3/5(P)    Gi3/6(P)

In this example, port channel ID 272 is assigned for the FWSM in slot 3. The FWSM connects to the switch backplane via six 1 GB ports, which are bundled into an internal etherchannel.

Step 2: Define Source and Destination Interfaces

Use the monitor session 1 source interface and monitor session 1 destination interface commands in order to define the source and destination interfaces for the monitor session. In this example, the source interface is port channel 272 (as identified in Step 1), and the destination interface is port gigabit 5/48, where a physical sniffer device will be connected.

    monitor session 1 source interface po272
    monitor session 1 destination interface gig5/48

Step 3: Verify Monitor Session

Use the show monitor session 1 command in order to verify the monitor session.

    6513# show monitor session 1
    Session 1
    ---------
    Type                   : Local Session
    Source Ports           :
        Both               : Po272
    Destination Ports      : Gi5/48

The output shows that port channel 272 (Po272) is the SPAN source and that it will monitor all traffic sent to and received from the FWSM in slot 3.
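The three steps above are easy to get wrong on a busy chassis (several 270+ bundles, a session left pointing at the wrong port channel). The script below is an added example, not Cisco's code or part of the tech note: it parses show etherchannel summary output to find the service-module bundles (assumed, as the note states, to be numbered 270 or higher), derives the module slot from the Gi<slot>/<port> member names, counts the bundled 1 Gb members, estimates how far a single 1 Gb SPAN destination could be oversubscribed when a "Both" source is mirrored, and checks a show monitor session dump against the expected source and destination. The CLI text embedded in it is constructed to mirror the outputs shown in this note; the member-port speed and the session field names are assumptions taken from the note.

```python
"""Locate the FWSM backplane port-channel and sanity-check the SPAN session.

Added example, not Cisco's own code. The sample CLI output is constructed to
mirror the tech note; the 270+ group rule, the Gi<slot>/<port> naming and the
1 Gb member-port speed are assumptions taken from the note's text."""
import re

# Constructed sample, modelled on the note's 'show etherchannel summary' output.
ETHERCHANNEL_SUMMARY = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SD)         LACP      Gi5/7(D)    Gi5/8(D)
2      Po2(SD)          -
22     Po22(SU)        LACP      Gi5/23(P)   Gi5/24(P)
105    Po105(SU)       LACP      Fa2/25(w)   Fa2/26(P)
270    Po270(SU)        -        Gi1/1(P)    Gi1/2(P)    Gi1/3(P)    Gi1/4(P)    Gi1/5(P)    Gi1/6(P)
272    Po272(SU)        -        Gi3/1(P)    Gi3/2(P)    Gi3/3(P)    Gi3/4(P)    Gi3/5(P)    Gi3/6(P)
"""

# Constructed sample, modelled on the note's 'show monitor session 1' output.
MONITOR_SESSION = """\
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Po272
Destination Ports      : Gi5/48
"""

GROUP_RE = re.compile(r"^(\d+)\s+Po(\d+)\(([A-Za-z]+)\)\s+(\S+)\s*(.*)$")
PORT_RE = re.compile(r"([A-Za-z]+\d+/\d+)\(([A-Za-z]+)\)")


def parse_etherchannel_summary(text):
    """Map channel-group number -> state, protocol and [(port, flag), ...]."""
    groups = {}
    for line in text.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            groups[int(m.group(1))] = {
                "state": m.group(3),
                "protocol": m.group(4),
                "ports": PORT_RE.findall(m.group(5)),
            }
    return groups


def service_module_channels(groups, min_group=270):
    """Internal service-module bundles (FWSM) are numbered 270 or higher."""
    return {g: info for g, info in groups.items() if g >= min_group}


def module_slot(info):
    """Backplane members are named Gi<slot>/<n>; the slot identifies the module."""
    slots = {int(re.match(r"[A-Za-z]+(\d+)/", port).group(1)) for port, _ in info["ports"]}
    if len(slots) != 1:
        raise ValueError("members span several slots: %s" % sorted(slots))
    return slots.pop()


def bundled_gbps(info, port_gbps=1):
    """Aggregate speed of the members actually bundled (flag P), in Gb/s."""
    return port_gbps * sum(1 for _, flag in info["ports"] if flag == "P")


def worst_case_span_ratio(info, destination_gbps=1, both_directions=True):
    """How many times the SPAN destination could be oversubscribed.

    With a 'Both' source, rx and tx of every member are copied to the one
    destination port, so the worst case is twice the bundle speed."""
    copied = bundled_gbps(info) * (2 if both_directions else 1)
    return copied / destination_gbps


def parse_monitor_session(text):
    """Flatten 'show monitor session' key : value lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def verify_span(session, expected_source, expected_destination):
    """True when the session mirrors the expected port-channel to the sniffer port."""
    source = session.get("Both") or session.get("Rx") or session.get("Tx")
    return (session.get("Type") == "Local Session"
            and source == expected_source
            and session.get("Destination Ports") == expected_destination)


if __name__ == "__main__":
    groups = parse_etherchannel_summary(ETHERCHANNEL_SUMMARY)
    for g, info in service_module_channels(groups).items():
        print("Po%d: slot %d, %d Gb/s bundled, worst-case SPAN load %.0fx a 1 Gb destination"
              % (g, module_slot(info), bundled_gbps(info), worst_case_span_ratio(info)))
    print("session ok:", verify_span(parse_monitor_session(MONITOR_SESSION), "Po272", "Gi5/48"))
```

Run it against saved CLI output instead of the embedded samples by replacing the two constants; a ratio well above 1 is the signal that a single 1 Gb destination will drop copies under load, so a capture taken that way should not be treated as complete.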
Note: If you span the six-port 1 GB etherchannel, you may exceed the packet rate (or sniffer input rate) of the destination interface. If there is more traffic on the FWSM port channel than is physically possible on a 1 GB ethernet interface (the transmit rate of the destination port Gi5/48), the destination interface may not be able to output all of the packets to the sniffer.

Related Information

• Catalyst 6500 Release 12.2SXF and Rebuilds Software Configuration Guide: Local SPAN, Remote SPAN (RSPAN), and Encapsulated RSPAN
• Technical Support & Documentation - Cisco Systems