This document describes how to monitor traffic sent to and received from a Firewall Services Module (FWSM). On the Cisco Catalyst 6500/Cisco 7600 Series Routers platform, there are two switched port analyzer (SPAN) sessions that can be used to redirect traffic to a destination port for activities such as captures or transmissions to other physical security devices (such as an Intrusion Detection System). SPAN sessions are also known as monitor sessions.
Cisco recommends that you have knowledge of these topics:
- Network security
- Familiarity with data captures (sniffers)
The information in this document is based on these software and hardware versions:
- Cisco Catalyst 6500/7600 Series Switches
- Cisco Catalyst 6500/Cisco 7600 Series Supervisor Engine 720
- Cisco FWSM
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for information on document conventions.
Some service modules, such as the FWSM, use one of their two monitor sessions for all the service modules in order to communicate with the ASICs on the Supervisor. This communication path enables multicast traffic, as well as other traffic that requires the central rewrite engine, to be switched when egressing the FWSM or other service modules. This type of session is known as the SPAN reflector and is enabled by default. The SPAN reflector is required if the switch uses distributed (cross-module) etherchannel; a distributed etherchannel exists when a port channel has multiple interfaces that are bundled and that cross multiple linecards.
Note: The Adaptive Security Appliance Service Module (ASA-SM) does not require the SPAN reflector, so you can disable the reflector if no other service modules require it.
The second session can be used for other monitor sessions, such as packet sniffing.
Use the show monitor session all command in order to see the status of the monitor sessions; look for Service Module Session as the Type.
6513#sh monitor sess all
Type : Local Session
Source Ports :
Both : Po272
Destination Ports : Gi13/13
Type : Service Module Session
Modules allowed : 1-13
Modules active : 1,3
BPDUs allowed : Yes
FWSM Traffic Capture on the Switch Backplane
Use a monitor session in order to span the traffic that is sent to and received from the FWSM on the internal backplane interfaces. In this example, Session 1 is set up to sniff the traffic to and from the FWSM.
Step 1: Determine Port Channel Used by FWSM
The FWSM generally uses an internal port channel number numbered 270 or higher. Use the show etherchannel summary command in order to determine which port is in use.
6513#show etherchannel summary
D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
Number of channel-groups in use: 10
Number of aggregators: 10
Group Port-channel Protocol Ports
1 Po1(SD) LACP Gi5/7(D) Gi5/8(D)
2 Po2(SD) -
3 Po3(SD) -
22 Po22(SU) LACP Gi5/23(P) Gi5/24(P)
105 Po105(SU) LACP Fa2/25(w) Fa2/26(P)
106 Po106(SU) LACP Fa2/27(P) Fa2/28(P)
223 Po223(SD) LACP Gi5/39(I) Gi5/40(I)
224 Po224(SD) LACP Gi5/41(I) Gi5/42(I)
270 Po270(SU) - Gi1/1(P) Gi1/2(P) Gi1/3(P) Gi1/4(P)
272 Po272(SU) - Gi3/1(P) Gi3/2(P) Gi3/3(P) Gi3/4(P) Gi3/5(P) Gi3/6(P)
In this example, port channel ID 272 is assigned for the FWSM in slot 3. The FWSM connects to the switch backplane via six 1 GB ports, which are bundled into an internal etherchannel.
Step 2: Define Source and Destination Interfaces
Use the monitor session 1 source interface and monitor session 1 destination interface commands in order to define the source and destination interfaces for the monitor sessions. In this example, the source interface is port channel 272 (as identified in Step 1), and the destination interface is the port gigabit 5/48 where a physical sniffer device will be connected.
monitor session 1 source interface po272
monitor session 1 destination interface gig5/48
Step 3: Verify Monitor Session
Use the show monitor session 1 command in order to verify the monitor session.
6513# show monitor session 1
Type : Local Session
Source Ports :
Both : Po272
Destination Ports : Gi5/48
The output shows that port channel 272 (Po272) is the span source and that it will monitor all traffic sent to and received from the FWSM in slot 3.
Note: If you span the six-port 1 GB etherchannel, you may exceed the packet rate (or sniffer input rate) of the destination interface. If there is more traffic on the FWSM port channel than is physically possible on a 1 GB ethernet interface (the transmit rate of the destination port Gi5/48), the destination interface may not be able to output all of the packets to the sniffer.