Guest

Cisco Services Modules

FWSM Traffic Capture Product Tech Note

Techzone Article content

Document ID: 116059

Updated: Apr 02, 2013

Contributed by Scott Nishimura, Cisco TAC Engineer.

   Print

Introduction

This document describes how to monitor traffic sent to and received from a Firewall Services Module (FWSM). On the Cisco Catalyst 6500/Cisco 7600 Series Routers platform, there are two switched port analyzer (SPAN) sessions that can be used to redirect traffic to a destination port for activities such as captures or transmissions to other physical security devices (such as an Intrusion Detection System). SPAN sessions are also known as monitor sessions.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Network security
  • Familiarity with data captures (sniffers)

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Catalyst 6500/7600 Series Switches
  • Cisco Catalyst 6500/Cisco 7600 Series Supervisor Engine 720
  • Cisco FWSM

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for information on document conventions.

SPAN Reflector

Some service modules, such as the FWSM, use one of their two monitor sessions for all the service modules in order to communicate with the ASICs on the Supervisor. This communication path enables multicast traffic, as well as other traffic that requires the central rewrite engine, to be switched when egressing the FWSM or other service modules. This type of session is known as the SPAN reflector and is enabled by default. The SPAN reflector is required if the switch uses distributed (cross-module) etherchannel; a distributed etherchannel exists when a port channel has multiple interfaces that are bundled and that cross multiple linecards.

Note: The Adaptive Security Appliance Service Module (ASA-SM) does not require the SPAN reflector, so you can disable the reflector if no other service modules require it.

The second session can be used for other monitor sessions, such as packet sniffing.

Use the show monitor session all command in order to see the status of the monitor sessions; look for Service Module Session as the Type.

6513#sh monitor sess all  
Session 1  
---------  
Type                   : Local Session  
Source Ports           :
     Both              : Po272  
Destination Ports      : Gi13/13    

Session 2  
---------  
Type                   : Service Module Session  
Modules allowed        : 1-13  
Modules active         : 1,3  
BPDUs allowed          : Yes

FWSM Traffic Capture on the Switch Backplane

Use a monitor session in order to span the traffic that is sent to and received from the FWSM on the internal backplane interfaces. In this example, Session 1 is set up to sniff the traffic to and from the FWSM.

Step 1: Determine Port Channel Used by FWSM

The FWSM generally uses an internal port channel number numbered 270 or higher. Use the show etherchannel summary command in order to determine which port is in use.

6513#show etherchannel summary   
Flags:
          D - down        P - bundled in port-channel
          I - stand-alone s - suspended
          H - Hot-standby (LACP only)
          R - Layer3      S - Layer2
          U - in use      f - failed to allocate aggregator
          M - not in use, minimum links not met
          u - unsuitable for bundling
          w - waiting to be aggregated  
Number of channel-groups in use: 10  
Number of aggregators:           10  
  
Group  Port-channel  Protocol    Ports  
------+-------------+-----------+-----------------------------------------------  
1      Po1(SD)         LACP      Gi5/7(D)   Gi5/8(D)     
2      Po2(SD)          -          
3      Po3(SD)          -          
22     Po22(SU)        LACP      Gi5/23(P)  Gi5/24(P)    
105    Po105(SU)       LACP      Fa2/25(w)  Fa2/26(P)    
106    Po106(SU)       LACP      Fa2/27(P)  Fa2/28(P)    
223    Po223(SD)       LACP      Gi5/39(I)  Gi5/40(I)    
224    Po224(SD)       LACP      Gi5/41(I)  Gi5/42(I)    
270    Po270(SU)        -        Gi1/1(P)   Gi1/2(P)   Gi1/3(P)   Gi1/4(P)
Gi1/5(P) Gi1/6(P) 272 Po272(SU) - Gi3/1(P) Gi3/2(P) Gi3/3(P) Gi3/4(P) Gi3/5(P) Gi3/6(P)

In this example, port channel ID 272 is assigned for the FWSM in slot 3. The FWSM connects to the switch backplane via six 1 GB ports, which are bundled into an internal etherchannel.

Step 2: Define Source and Destination Interfaces

Use the monitor session 1 source interface and monitor session 1 destination interface commands in order to define the source and destination interfaces for the monitor sessions. In this example, the source interface is port channel 272 (as identified in Step 1), and the destination interface is the port gigabit 5/48 where a physical sniffer device will be connected.

monitor session 1 source interface po272
monitor session 1 destination interface gig5/48

Step 3: Verify Monitor Session

Use the show monitor session 1 command in order to verify the monitor session.

6513# show monitor session 1

Session 1
---------
Type : Local Session
Source Ports :
Both : Po272
Destination Ports : Gi5/48

The output shows that port channel 272 (Po272) is the span source and that it will monitor all traffic sent to and received from the FWSM in slot 3.

Note: If you span the six-port 1 GB etherchannel, you may exceed the packet rate (or sniffer input rate) of the destination interface. If there is more traffic on the FWSM port channel than is physically possible on a 1 GB ethernet interface (the transmit rate of the destination port Gi5/48), the destination interface may not be able to output all of the packets to the sniffer.

Related Information

Updated: Apr 02, 2013
Document ID: 116059