Setting Up Switched Port Analyzer for Monitoring and Recording IP-ICD Agents on the Cisco ICS 7750
November 22, 2002
This document describes the setup and configuration steps required for using the Switched Port Analyzer (SPAN) feature on the Cisco Integrated Communications System 7750 (Cisco ICS 7750) to monitor or record IP-ICD agents.
To access the documentation suite for the Cisco ICS 7750, go to the Cisco ICS 7750 documentation page on Cisco.com. To access the latest software upgrades for the Cisco ICS 7750, go to the Software Center.
Note System software release 2.5.0 and Cisco Customer Response Solutions (CRS) 3.0 or later are required in order to support the configurations that are described in this document.
For a summary of the system requirements for Cisco CallManager and system software on the Cisco ICS 7750, refer to the Cisco ICS 7750 Installation and Configuration Guide.
In its most common implementation, SPAN is used to select network traffic for analysis by a network analyzer such as Cisco SwitchProbe. SPAN mirrors traffic from one or more source ports on any VLAN to a destination port for analysis (see Figure 1).
Figure 1 Typical SPAN Implementation
In Figure 1, all traffic on Ethernet port 5 (the source port) is mirrored on Ethernet port 10. A network analyzer on Ethernet port 10 receives all the network traffic from Ethernet port 5 without being physically attached to Ethernet port 5.
SPAN does not affect the switching of network traffic that is received on source ports; a copy of the packets that are received by the source ports is still sent to the destination port.
When to Use SPAN on the Cisco ICS 7750
On the Cisco ICS 7750, a supervisor in an IP-based call center can use SPAN with CRS 3.0 to monitor and record conversations between call center agents and the customers who call those agents. In this configuration, SPAN would capture the control and Real-Time Transport Protocol (RTP) packets that flow between a customer and an agent. The RTP packets contain information about voice traffic in either direction.
An IP switch typically passes only regular packets between endpoints for which it has identified Media Access Control (MAC) addresses. If SPAN is being used, the IP switch also forwards the packets that are going through monitored source ports to a destination monitoring port. A sniffer application on a system processing engine (SPE) intercepts and selects those packets that are part of the RTP stream between the two parties, records them on a hard disk for later playback, or forwards those packets to a supervisor.
Packet sniffing gives a node on an IP network the ability to examine every packet that passes through its network port, including packets that were not intended for that network port. On a Catalyst switch, a monitoring port may sniff all packets that are traveling on a cable segment that is connected to another port, as long as the other port and the monitoring port are connected to the same VLAN.
This document describes three SPAN scenarios:
•MRP scenario—Calls are monitored or recorded between agents and customers through a multiservice route processor (MRP) in a Cisco ICS 7750.
•External router scenario—Calls are monitored or recorded between agents and customers through an external router.
•Agent-to-agent scenario—Calls are monitored or recorded between agents.
All three scenarios are based on the assumption that agents are using IP phones, that the IP phones are connected to an IP switch, and that the IP switch is connected to one of the two external ports on the system switch processor (SSP). In a typical configuration, a Catalyst 3524-PWR XL switch is also used, since it can provide power to IP phones.
Note The following conventions are used for the illustrations in this document: a circle with two arrows above it indicates that a switch source port is being monitored, and an arrow that points away from a circle shows the destination SPAN port on the same switch.
MRP Scenario
In an MRP scenario, public switched telephone network (PSTN) calls to an agent are monitored, as shown in Figure 2. Those calls pass through an MRP. IP-based calls that come through a WAN port on an MRP can also be monitored. This scenario is based on the assumption that SPAN is configured on MRP ports that have connectivity to the PSTN, to avoid unnecessary handling of IP traffic between the IP phones and the computers of the agents and supervisors. Traffic that does not flow through the MRP is not monitored.
Figure 2 MRP Scenario
For example, consider the following Cisco ICS 7750 configuration:
•An MRP in slot 1
•An SPE running CRS in slot 5
•An SPE running Cisco CallManager in slot 6
In this example, the MRP, the servicing CRS, and the SPE running Cisco CallManager are connected to SSP Fast Ethernet ports 3, 7, and 8, respectively. Port monitoring on the SSP can be configured by entering the following Cisco IOS commands in global configuration mode:
    interface fastEthernet 0/7
    port monitor fastEthernet 0/3
    port monitor fastEthernet 0/8
    no shutdown
    end
In this configuration, the SPE running Cisco CallManager is monitored so that conference calls, such as those created with the CRS supervisor barge-in feature, can be recorded. (It is assumed that the conference bridge feature is enabled on the SPE running Cisco CallManager.)
Note If it is assumed that CRS and Cisco CallManager are installed on the same SPE and that CRS is operating in promiscuous mode, CRS packet monitoring would capture packets to and from a Cisco CallManager conference bridge.
Port monitoring as described in this section is supported, provided that the calls to be monitored pass through one of the MRPs. Calls between agents, IP calls through an external router, and PSTN calls through an external router are not monitored in this configuration. Changes to the topology of the IP telephony solution, whether an ICS-based solution or a similar Media Convergence Server (MCS)-based solution, might require changes to the configuration of the switch that is configured for port monitoring. On the Cisco ICS 7750, if the SPE that is configured to record or monitor the RTP traffic is moved to a different chassis slot, corresponding changes would need to be made to the SSP ports. In general, if the node that is monitoring or recording RTP traffic is connected to a different port on the switch, the switch needs to be configured accordingly. Similarly, if the configuration of a card that is being monitored is changed, other configuration changes might be needed to enable monitoring to continue to function.
External Router Scenario
In an external router scenario, IP and PSTN calls to an agent are monitored. Calls pass through an external router that is connected to a Catalyst 3524-PWR-XL switch, as shown in Figure 3. Calls that are placed to an agent, through an MRP, as described in the "MRP Scenario" section, can also be monitored in this configuration. Calls between agents cannot be monitored.
Figure 3 External Router Scenario
For example, consider the following configuration:
•External routers and switches:
–External router connected to port 2 of a Catalyst 3524-PWR XL switch
–Port 1 of the Catalyst 3524-PWR XL switch connected to external port 1 of the SSP
•Cisco ICS 7750:
–An MRP in slot 1
–An SPE running CRS in slot 5
–An SPE running Cisco CallManager in slot 6
In this example, the MRP, SPE running Cisco CallManager, and the SPE running CRS cards are connected to SSP Fast Ethernet ports 3, 7, and 8, respectively. Port monitoring on the SSP can be configured by entering the following Cisco IOS commands in global configuration mode:
    interface fastEthernet 0/7
    port monitor fastEthernet 0/1
    no shutdown
    end
Note This scenario does not require direct port monitoring of the SPE running Cisco CallManager, because monitoring the external port of the SSP involves monitoring of the conference call streams between the SPE running Cisco CallManager and an agent.
Port monitoring on the Catalyst switch can also be enabled by entering the following Cisco IOS commands in global configuration mode:
    interface fastEthernet 0/1
    port monitor fastEthernet 0/2
    no shutdown
    end
The configuration described in this section is most likely to be chosen when adding supplemental or legacy routers to support voice traffic. Provided that there are limits on the use of an external router, SPAN monitoring on both the Catalyst 3524-PWR-XL switch and the SSP can be supported.
Changes to the topology of the IP telephony solution, whether an ICS-based solution or a similar MCS-based solution, might require changes to the configuration of the switch that is configured for port monitoring. On the Cisco ICS 7750, if the SPE that is configured to record or monitor the RTP traffic is moved to a different chassis slot, corresponding changes would need to be made to the SSP ports. In general, if the node that is monitoring or recording RTP traffic is connected to a different port on the switch, the switch needs to be configured accordingly. Similarly, if the configuration of a card that is being monitored is changed, other configuration changes might be needed to enable monitoring to continue to function.
Note Significantly more traffic may enter through the SSP external port than would be the case if MRPs were used. If the external router is also a path for substantial Internet traffic, the SSP or the Catalyst 3524-PWR XL switches could be overwhelmed. However, if multiple VLANs are configured on the external router to separate voice traffic from other Internet traffic, then overwhelming of the SSP can be avoided.
Agent-to-Agent Scenario
In this scenario, calls between two agents are monitored. All agents are connected to a Catalyst 3524-PWR XL switch that is connected to the SSP (in SPAN mode), as shown in Figure 4. PSTN and IP calls to agents can also be monitored in this configuration.
Note In order to configure SPAN, the ports on the SSP and the Catalyst 3524-PWR XL that connect to each other must be in static access mode, not in dynamic access mode, multi-VLAN mode, or trunking mode.
Figure 4 Agent-to-Agent Scenario (Without VLANs)
In an agent-to-agent scenario without VLANs, all traffic between agents is monitored, including IP phone packets and any traffic associated with PCs connected to the switch port of an agent's phone. The amount of traffic being monitored in this case is considerable, and it could exceed the capacity of the SSP, the Catalyst 3524-PWR XL switches, or the SPE running CRS. It is therefore recommended that this non-VLAN configuration be used only in lab or test environments in which excessive PC traffic can be suppressed.
VLANs can be configured to limit the traffic that arrives at the SSP and the SPE running CRS. A router (such as an MRP300) must be used to route packets among the management and voice VLAN (VLAN 1, which has port monitoring) and any other data-only VLANs (which do not have port monitoring). Since the port-monitoring recipient can be configured only on a port that belongs to VLAN 1, two Ethernet cables are needed between the SSP and an external switch. One cable carries the VLAN 1 traffic for voice and management, and the other cable carries the traffic of the other VLANs.
If more than one external switch is needed to monitor voice traffic, then a pair of Ethernet cables would be required for each pairing of external switches. Just as a pair of cables is required between the SSP and its connected Catalyst 3524-PWR XL switch, one cable between external switches would configure SPAN on VLAN 1, while the other cable would carry traffic for the remaining VLANs. The topology of the switches and cables that are being used for port monitoring on VLAN 1 should form a tree. Otherwise, if a loop were formed for VLAN 1, then the SPAN configuration would quickly overwhelm the switches with looping packets. SPAN would override the spanning-tree algorithm since the usual packet forwarding restrictions would not be followed.
Caution Due to the greater complexity of VLANs, errors are more likely when configuring VLANs.
For example, consider the following configuration, as shown in Figure 5:
•External switches and other devices:
–Port 3 through port 12 of a Catalyst 3524-PWR XL switch connected to IP phones
–PC connected to each IP phone
–Port 1 and port 2 of the Catalyst 3524-PWR XL switch connected to external port 1 and port 2 of the SSP
•Cisco ICS 7750:
–An MRP in slot 1
–An SPE running CRS in slot 5
–An SPE running Cisco CallManager in slot 6
Figure 5 Agent-to-Agent Scenario (with VLANs)
In this example, the MRP, the SPE running CRS, and the SPE running Cisco CallManager are connected to SSP FastEthernet ports 3, 7, and 8, respectively. Port monitoring on the SSP can be configured by entering the following Cisco IOS commands in global configuration mode:
    interface fastEthernet 0/1
    switchport mode access
    switchport access vlan 1
    no shutdown
    exit
    interface fastEthernet 0/2
    switchport mode trunk
    switchport trunk encapsulation dot1q
    spanning-tree vlan 1 port-priority 255
    no shutdown
    exit
    interface fastEthernet 0/3
    switchport mode trunk
    switchport trunk encapsulation dot1q
    no shutdown
    exit
    interface fastEthernet 0/7
    switchport mode access
    switchport access vlan 1
    port monitor fastEthernet 0/1
    spanning-tree portfast
    no shutdown
    exit
    interface fastEthernet 0/8
    switchport mode access
    switchport access vlan 1
    spanning-tree portfast
    no shutdown
    exit
    interface vlan 1
    management
    end
Note In this configuration, VLAN 1 carries voice and management traffic, and VLAN 2 carries other data traffic. (802.1Q trunk mode encapsulation could be used to permit even more VLANs if necessary.)
Note In this configuration, Cisco IOS spanning-tree portfast commands are entered on SPE ports that cannot create spanning tree loops, to avoid delays in computing the switch spanning-tree.
Port monitoring on the Catalyst 3524-PWR XL switch can also be configured by entering the following Cisco IOS commands in global configuration mode:
    interface fastEthernet 0/1
    switchport mode access
    switchport access vlan 1
    port monitor fastEthernet 0/3
    ...
    port monitor fastEthernet 0/13
    no shutdown
    exit
    interface fastEthernet 0/2
    switchport trunk encapsulation dot1q
    spanning-tree vlan 1 port-priority 255
    no shutdown
    exit
    interface fastEthernet 0/3
    switchport mode trunk
    switchport trunk encapsulation dot1q
    switchport voice vlan 1
    switchport trunk native vlan 2
    no shutdown
    exit
    ...
    interface fastEthernet 0/13
    switchport mode trunk
    switchport trunk encapsulation dot1q
    switchport voice vlan 1
    switchport trunk native vlan 2
    no shutdown
    exit
    interface vlan 1
    management
    end
For ICS System Manager to manage the cards, the Cisco ICS 7750 cards must be on VLAN 1, including the SPE running CRS. In this configuration, VLAN 1 is port-monitored on one external port. When the other external port is in trunk mode, that port is not allowed to remove VLAN 1. In order to prevent the spanning-tree algorithm from blocking the interfaces that are port-monitoring, the Cisco IOS command spanning-tree vlan 1 port-priority 255 is configured on both ends of the trunk (between the switches).
Configuring VLAN to VLAN Routing
An MRP can be configured to route between the VLANs by entering the following Cisco IOS commands, in global configuration mode. (If an MRP200 is used in this configuration, it can serve only as a VLAN endpoint.)
    interface fastEthernet 0/0
    ip address 10.10.10.6 255.255.255.0
    exit
    interface fastEthernet 0/0.2
    encapsulation dot1q 2
    ip address 10.10.11.6 255.255.255.0
    end
Note If a second router is present, routing protocols can be configured to improve the redundancy of the routing between VLANs. The first IP address that is shown in this sample configuration, 10.10.10.6/24, should be the same as the IP address that is assigned to the MRP in ICS System Manager. The primary interface uses the native VLAN. As dictated by the SSP configuration, the native VLAN is VLAN 1.
Note In order to support Voice over IP (VoIP) traffic, it might be necessary to enter additional Cisco IOS commands on the switches and the routers to address quality of service (QoS) issues and raise the processing priority of voice packets.
Limitations and Restrictions
The following limitations and restrictions have been observed when using SPAN on the Cisco ICS 7750:
•If SPAN is used to record RTP streams, when port monitoring is enabled, the switch functions somewhat like a hub, and this can result in more network traffic being sent to all nodes. Incorrect configuring of a switch could cause problems on nodes that cannot handle increased amounts of traffic or unexpected types of traffic.
•Changing the slots of certain cards can cause problems. For example, moving the SPE running CRS to another slot could result in traffic being directed to the wrong slot.
•SPAN requires that all ports being monitored be on the same VLAN. IP networks that use multiple VLANs need to be carefully designed, and all nodes requiring monitoring should be on the same VLAN.
•SPAN cannot be used from a switch port that has been configured for trunking. Thus, when configuring SPAN to monitor ports on external switches, one of the ports connecting the SSP to the switch must be in static access mode on the corresponding VLAN.
•If a Catalyst 3524-PWR XL switch is configured for SPAN, its monitoring port should be configured so that it is in static access mode. Note, however, that configuring SPAN for monitoring IP phone ports can result in too much traffic reaching the switch from PCs connected to IP phones.
•If agents are using Cisco IP SoftPhone on PCs that are not on the VLAN, the activities of those agents cannot be monitored or recorded. If agents are using IP SoftPhone on their PCs, in order to monitor those PCs, they would have to be assigned to the management and voice VLAN. However, partly because of the other types of traffic these PCs generate, they could overburden that VLAN. It is therefore recommended that IP SoftPhones not be used on the PCs of agents that are to be monitored.
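The access-mode and same-VLAN restrictions listed above can be checked against a saved switch configuration before it is applied. The following Python audit is an added example, not Cisco code: it parses the "port monitor" syntax used in this document, flags a monitor port that is not in static access mode or a monitored access port on a different VLAN, and reports any mirrored port missing from an approved list. The approved-list parameter, the BROKEN sample, and the default of static access on VLAN 1 for ports without switchport commands are assumptions of the example.

```python
import re

IF_RE = re.compile(r"^interface\s+(\S+)\s+(\S+)$", re.I)

# Assumption: a port with no switchport commands is static access on VLAN 1.
DEFAULT = {"mode": "access", "vlan": 1}

def _name(kind, num):
    """Normalize 'fastEthernet', '0/7' to 'fastethernet0/7'."""
    return (kind + num).lower()

def parse_interfaces(config):
    """Collect mode, access VLAN and 'port monitor' sources per interface."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = IF_RE.match(line)
        if m:
            cur = ports.setdefault(_name(*m.groups()), dict(DEFAULT, sources=[]))
        elif cur is None:
            continue
        elif line in ("exit", "end"):
            cur = None
        elif line.startswith("switchport mode "):
            cur["mode"] = line.split()[2]
        elif line.startswith("switchport access vlan "):
            cur["vlan"] = int(line.split()[3])
        elif line.startswith("port monitor ") and len(line.split()) == 4:
            cur["sources"].append(_name(*line.split()[2:]))
    return ports

def audit_span(config, approved=None):
    """Return a list of findings; an empty list means no rule was violated.

    approved (hypothetical input): {monitor_port: set of ports it may mirror}.
    """
    ports = parse_interfaces(config)
    findings = []
    for name, port in ports.items():
        if not port["sources"]:
            continue  # not a SPAN destination
        if port["mode"] != "access":
            findings.append(f"{name}: monitor port is in {port['mode']} mode, "
                            "static access mode is required")
        for src in port["sources"]:
            s = ports.get(src, DEFAULT)
            if s["mode"] == "access" and s["vlan"] != port["vlan"]:
                findings.append(f"{name}: source {src} is on VLAN {s['vlan']}, "
                                f"monitor port is on VLAN {port['vlan']}")
            if approved is not None and src not in approved.get(name, ()):
                findings.append(f"{name}: mirrors {src}, not on the approved list")
    return findings

# The MRP scenario commands from this document.
MRP_SCENARIO = """
interface fastEthernet 0/7
port monitor fastEthernet 0/3
port monitor fastEthernet 0/8
no shutdown
end
"""

# Constructed sample: trunked monitor port, extra source on another VLAN.
BROKEN = """
interface fastEthernet 0/5
switchport mode access
switchport access vlan 2
exit
interface fastEthernet 0/7
switchport mode trunk
port monitor fastEthernet 0/3
port monitor fastEthernet 0/5
end
"""

if __name__ == "__main__":
    for finding in audit_span(BROKEN, {"fastethernet0/7": {"fastethernet0/3"}}):
        print(finding)
```

Because the monitor port receives a copy of every conversation on its source ports, the approved-list check is the one to run whenever a card is moved to another slot or a switch port is reassigned.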
The following sections describe the documentation available for the Cisco ICS 7750.
Use this document with the documents listed in the following sections:
The following documents are specific to CRS 3.0:
•Release Notes for Cisco Customer Response Applications 3.0 on the Cisco ICS 7750 at this URL:
•Cisco Customer Response Applications 3.0 Documentation at this URL:
The document described in this section has information about the SPAN feature.
Configuring the Catalyst Switched Port Analyzer (SPAN) Feature. This document describes SPAN features and terminology. You can access this document at the following URL:
Cisco ICS 7750 Documents
Documentation for the Cisco ICS 7750 is available on Cisco.com and on CD:
Products & Services: Voice Application Systems: Cisco ICS 7700 Series Integrated Communication Systems: Instructions and Guides
On the Documentation CD-ROM (order number DOC-CONDOCCD=) at:
Cisco Product Documentation: Voice/Telephony: Cisco ICS 7750
This document is to be used with the documents listed in the "Related Documentation" section.
Copyright © 2002, Cisco Systems, Inc.
All rights reserved.