Thursday, 22 June 2023

What is a Smurf DDoS attack? How to configure a Smurf attack?

A Smurf attack is a form of DDoS (distributed denial of service) attack. It takes place at layer 3. The attack is named after the DDoS Smurf malware, and more loosely after the cartoon Smurfs, because many small participants working together bring down one big target.




A Smurf attack exploits weaknesses in IP and ICMP.






First, the attacker builds a spoofed ICMP echo request whose source address is set to the victim's address and whose destination address is the subnet broadcast address of a network behind a router or firewall. This is also called a directed broadcast. The router delivers the request to every host on that subnet, so the more devices there are, the more requests are generated. Every device that receives the request replies to the victim with an ICMP echo reply. The flood of replies overwhelms the victim and results in denial of service for legitimate traffic.
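The amplification described above is what a defender looks for in a capture: a single echo request addressed to a subnet broadcast, followed by many echo replies converging on one host. The following Python is an added example, not code from the original post; it runs the check over a constructed list of packet summaries (source, destination, ICMP type) rather than a real capture, and counts how many distinct hosts answer each spoofed request.

```python
import ipaddress
from collections import defaultdict

# Constructed packet summaries (src, dst, ICMP type) standing in for a capture
# between the router and the LAN; they are not packets from the lab above.
# ICMP type 8 = echo request, type 0 = echo reply.
SAMPLE_PACKETS = [
    ("192.168.1.20", "192.168.1.255", 8),  # spoofed request: victim's address, broadcast target
    ("192.168.1.10", "192.168.1.20", 0),   # every host on the LAN answers the victim
    ("192.168.1.11", "192.168.1.20", 0),
    ("192.168.1.12", "192.168.1.20", 0),
    ("192.168.1.13", "192.168.1.20", 0),
    ("192.168.1.21", "192.168.1.20", 0),
    ("192.168.1.22", "192.168.1.20", 0),
    ("192.168.1.10", "192.168.2.25", 8),   # ordinary ping from PC1 to Kali, for contrast
    ("192.168.2.25", "192.168.1.10", 0),
]

LAN = ipaddress.ip_network("192.168.1.0/24")


def is_directed_broadcast(dst, network):
    """True when dst is the broadcast address of the given subnet."""
    return ipaddress.ip_address(dst) == network.broadcast_address


def find_broadcast_echo_requests(packets, network):
    """Echo requests aimed at the subnet broadcast: the Smurf trigger packet."""
    return [(src, dst) for src, dst, icmp_type in packets
            if icmp_type == 8 and is_directed_broadcast(dst, network)]


def reply_fan_in(packets):
    """Map each destination of echo replies to the set of distinct hosts replying."""
    fan_in = defaultdict(set)
    for src, dst, icmp_type in packets:
        if icmp_type == 0:
            fan_in[dst].add(src)
    return fan_in


def amplification_report(packets, network, threshold=3):
    """One record per broadcast echo request: who is being hit and by how many repliers.

    The amplification factor of a Smurf attack is the number of hosts that answer
    the single spoofed request, which is what 'replies' counts here.
    """
    fan_in = reply_fan_in(packets)
    report = []
    for src, dst in find_broadcast_echo_requests(packets, network):
        repliers = fan_in.get(src, set())
        report.append({
            "victim": src,
            "broadcast": dst,
            "replies": len(repliers),
            "suspicious": len(repliers) >= threshold,
        })
    return report


if __name__ == "__main__":
    for row in amplification_report(SAMPLE_PACKETS, LAN):
        print(row)
```

With the constructed data the report shows one spoofed request with six repliers, all aimed at 192.168.1.20: the "victim" field is the spoofed source, not the sender, which is the point of the attack. The ordinary ping from PC1 produces a single reply and is not flagged.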




I am assuming you now understand the Smurf DDoS attack, so let's configure it in the lab and then see how to prevent it.


Topology: -


  • configure the topology as per the diagram
  • assign the IP addresses on the servers and PCs as per the topology
  • assign the IP address on Kali Linux 2-2 as per the topology
  • configure a trunk and allow all VLANs on the switch
  • configure the PC ports as access ports
  • configure static routing between the routers
  • target server-1 from Kali 2-2
  • configure the Smurf attack to hit the victim server with ICMP messages
  • make sure the server is choked up and almost dead


{assign the IP addresses on servers and PCs as per the topology}

SERVER-1> show ip all
NAME   IP/MASK              GATEWAY           MAC                DNS
SERVER-192.168.1.20/24      192.168.1.1       00:50:79:66:68:04

SERVER-2> show ip all
NAME   IP/MASK              GATEWAY           MAC                DNS
SERVER-192.168.1.21/24      192.168.1.1       00:50:79:66:68:06

SERVER-3> show ip all
NAME   IP/MASK              GATEWAY           MAC                DNS
SERVER- 192.168.1.22/24      192.168.1.1       00:50:79:66:68:05


PC1> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC1    192.168.1.10/24      192.168.1.1       00:50:79:66:68:00


PC2> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC2    192.168.1.11/24      192.168.1.1       00:50:79:66:68:01


PC3> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC3    192.168.1.12/24      192.168.1.1       00:50:79:66:68:02


PC4> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC4    192.168.1.13/24      192.168.1.1       00:50:79:66:68:03


{assign the IP address Kali Linux 2-2 as per the topology}





{configure trunk and allow all VLANs on the switch}


SWITCH-1#show interface trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/0       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/0       1-4094

Port        Vlans allowed and active in management domain
Gi0/0       1,100,200,300

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/0       1,100,200,300


{configure static routing between routers}


R1(config)#interface serial 4/0
R1(config-if)#ip address 1.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit

*Jun 22 17:30:44.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial4/0, changed state to up

R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

*Jun 22 17:31:13.959: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, 


R2(config)#interface serial 4/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

*Jun 22 12:27:58.131: %LINK-3-UPDOWN: Interface Serial4/0, changed state to up
*Jun 22 12:27:59.135: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial4/0,                                                                             
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit


R1(config)#ip route 1.0.0.0 255.0.0.0 1.1.1.2
R1(config)#ip route 192.168.2.0 255.255.255.0 1.1.1.2

R2(config)#ip route 1.0.0.0 255.0.0.0 1.1.1.1
R2(config)#ip route 192.168.1.0 255.255.255.0 1.1.1.1
R2(config)#exit


R2#show ip route static
S    192.168.1.0/24 [1/0] via 1.1.1.1


R1#show ip route static
S    192.168.2.0/24 [1/0] via 1.1.1.2

(Now we ping from the PCs to KALI to make sure the network is working fine)


PC1> ping 192.168.2.25
84 bytes from 192.168.2.25 icmp_seq=1 ttl=62 time=62.669 ms
84 bytes from 192.168.2.25 icmp_seq=2 ttl=62 time=66.405 ms
84 bytes from 192.168.2.25 icmp_seq=3 ttl=62 time=63.907 ms
84 bytes from 192.168.2.25 icmp_seq=4 ttl=62 time=70.719 ms
84 bytes from 192.168.2.25 icmp_seq=5 ttl=62 time=62.990 ms

SERVER-1> ping 192.168.2.25
84 bytes from 192.168.2.25 icmp_seq=1 ttl=62 time=63.265 ms
84 bytes from 192.168.2.25 icmp_seq=2 ttl=62 time=64.596 ms
84 bytes from 192.168.2.25 icmp_seq=3 ttl=62 time=72.530 ms
84 bytes from 192.168.2.25 icmp_seq=4 ttl=62 time=63.830 ms
84 bytes from 192.168.2.25 icmp_seq=5 ttl=62 time=64.962 ms

(AS OF NOW EVERYTHING IS WORKING FINE, NOW WE ARE GOING TO ATTACK OUR VICTIM SERVER-1)

(Now we are going to capture traffic with the help of Wireshark)

(As you can see from the above output, we are capturing traffic between router-1 and router-2, and router-1 is receiving thousands of ICMP requests. Now capture traffic between the server and the switch)

(Now you will see router-1 sending the ICMP requests on, and our server is going down. Let's look at the server)

SERVER-1>
SERVER-1> ping 192.168.1.10
84 bytes from 192.168.1.10 icmp_seq=1 ttl=64 time=25.006 ms
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
84 bytes from 192.168.1.10 icmp_seq=2 ttl=64 time=5.128 ms
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
84 bytes from 192.168.1.10 icmp_seq=3 ttl=64 time=10.348 ms
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
84 bytes from 192.168.1.10 icmp_seq=4 ttl=64 time=7.397 ms
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
84 bytes from 192.168.1.10 icmp_seq=5 ttl=64 time=6.493 ms
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full

SERVER-1>


(When we try to ping PC1 from the server, the queue is full. Soon our server goes down, choked up)

(Now the question is how to prevent the SMURF ATTACK)


R1(config)#interface serial 4/0
R1(config-if)#no ip broadcast-address
R1(config-if)#ip verify unicast source reachable-via rx allow-default allow-self-ping
R1(config-if)#ip cef
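The router-side prevention above relies on unicast reverse-path forwarding (uRPF): `ip verify unicast source reachable-via rx` drops packets whose source address is not reachable back out of the interface they arrived on, which is exactly the property the spoofed Smurf trigger packet violates. Two things a practitioner would check: uRPF needs CEF, and `ip cef` is a global configuration command rather than an interface one; and the classic LAN-side Smurf control is `no ip directed-broadcast` on the interface facing the broadcast subnet, so the router never turns a routed packet into a subnet broadcast. The following Python is an added example, not router code or part of the original post; it models the strict and loose checks against a constructed forwarding table based on R1's connected and static routes.

```python
import ipaddress

# Constructed forwarding table modelled on R1 in the lab (connected plus static
# routes); an assumption for the example, not output copied from the router.
R1_FIB = {
    ipaddress.ip_network("192.168.1.0/24"): "FastEthernet0/0",
    ipaddress.ip_network("1.0.0.0/8"): "Serial4/0",
    ipaddress.ip_network("192.168.2.0/24"): "Serial4/0",
}


def with_default_route(fib, interface):
    """Copy of fib with a default route added, pointing out the given interface."""
    fib = dict(fib)
    fib[ipaddress.ip_network("0.0.0.0/0")] = interface
    return fib


def lookup(fib, address):
    """Longest-prefix match. Returns (network, interface) or (None, None)."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, iface in fib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best if best is not None else (None, None)


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """Reverse-path check on a packet with source src arriving on ingress.

    strict (reachable-via rx): the best route back to src must leave through
    the interface the packet arrived on.
    loose  (reachable-via any): any route back to src is enough.
    allow_default: lets a match on the default route count; without it a
    default route never satisfies the check.
    """
    net, iface = lookup(fib, src)
    if net is None:
        return False                      # no route at all: fails both modes
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return iface == ingress


if __name__ == "__main__":
    spoofed = ("192.168.1.20", "Serial4/0")   # victim's address arriving from the WAN side
    genuine = ("192.168.2.25", "Serial4/0")   # Kali's address arriving from the WAN side
    for src, ingress in (spoofed, genuine):
        print(src, ingress, "strict:", urpf_check(R1_FIB, src, ingress))
```

In the lab the spoofed trigger carries server-1's address (192.168.1.20) but arrives on Serial4/0, while R1's best route back to 192.168.1.0/24 leaves via FastEthernet0/0, so strict mode drops it. Loose mode would let it through, which is why strict mode belongs on an interface with a single, symmetric path such as this point-to-point serial link.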

(Now again we try to ping from server to PC)

SERVER-1> ping 192.168.1.10
84 bytes from 192.168.1.10 icmp_seq=1 ttl=64 time=13.014 ms
84 bytes from 192.168.1.10 icmp_seq=2 ttl=64 time=6.296 ms
84 bytes from 192.168.1.10 icmp_seq=3 ttl=64 time=6.508 ms
84 bytes from 192.168.1.10 icmp_seq=4 ttl=64 time=9.503 ms
84 bytes from 192.168.1.10 icmp_seq=5 ttl=64 time=6.806 ms


(As you can see the server is working fine, with no full queues. One more thing: try to capture traffic between the victim and the switch)

(Now our network is working fine. Thank you so much for reading)
If you like this blog, please visit our YouTube channel.


Tuesday, 13 June 2023

How to configure a MAC address flooding attack? How to prevent a MAC flooding attack? | cyber security | ethical hacking

 

A MAC address flooding attack, or CAM table overflow attack, is a very serious concern that every ethical hacker should understand, because it can leave your systems vulnerable to attack.

How does a MAC flooding attack work?

First, the attacker finds a connection and plugs into your switch. Then the attacker starts flooding the switch with a large number of frames carrying fake source MAC addresses, each of which the switch records with a port mapping. Switches have a limited amount of memory for the MAC address table, and once it is full there is no space left for new MAC addresses. The switch then behaves like a hub and floods frames out of all ports, so the attacker can capture sensitive data from the network.

Now let's configure a MAC address flooding attack and then see how to prevent CAM overflow attacks.

  • configure the topology as per the diagram
  • configure the IP addresses as per the topology
  • configure a static IP address on the KALI MACHINE
  • make sure all the PCs, including KALI, are able to communicate using the ping command
  • configure Wireshark on the KALI machine for ICMP capture
  • configure the MAC flooding CYBER ATTACK with the help of Kali
  • check the MAC table on the switch to see whether it is full of FAKE MAC addresses
  • configure port security on the switch and make sure this will not happen again
  • try the MAC flooding ATTACK again and make sure the switch takes action and shuts down the attacking port

{configure the IP addresses as per the topology}

PC1> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS

PC1    10.1.1.3/8           10.1.1.1          00:50:79:66:68:00

PC2> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS

PC2    10.1.1.4/8           10.1.1.1          00:50:79:66:68:01

PC3> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS

PC3    10.1.1.5/8           10.1.1.1          00:50:79:66:68:02

PC4> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS

PC4    10.1.1.6/8           10.1.1.1          00:50:79:66:68:03

PC5> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC5    10.1.1.7/8           10.1.1.1          00:50:79:66:68:04


{configuring Kali first bootup}

{now configure a static IP address on the KALI MACHINE}

{verify the IP address}

{make sure all the PCs, including KALI, are able to communicate using the ping command}

PC1> ping 10.1.1.2

84 bytes from 10.1.1.2 icmp_seq=1 ttl=64 time=10.039 ms

84 bytes from 10.1.1.2 icmp_seq=2 ttl=64 time=15.646 ms

84 bytes from 10.1.1.2 icmp_seq=3 ttl=64 time=18.816 ms

84 bytes from 10.1.1.2 icmp_seq=4 ttl=64 time=8.456 ms

84 bytes from 10.1.1.2 icmp_seq=5 ttl=64 time=64.010 ms

PC2> ping 10.1.1.5
84 bytes from 10.1.1.5 icmp_seq=1 ttl=64 time=34.211 ms
84 bytes from 10.1.1.5 icmp_seq=2 ttl=64 time=8.096 ms
84 bytes from 10.1.1.5 icmp_seq=3 ttl=64 time=25.769 ms
84 bytes from 10.1.1.5 icmp_seq=4 ttl=64 time=10.434 ms
84 bytes from 10.1.1.5 icmp_seq=5 ttl=64 time=18.360 ms


PC3> ping 10.1.1.6
84 bytes from 10.1.1.6 icmp_seq=1 ttl=64 time=13.186 ms
84 bytes from 10.1.1.6 icmp_seq=2 ttl=64 time=12.276 ms
84 bytes from 10.1.1.6 icmp_seq=3 ttl=64 time=38.496 ms
84 bytes from 10.1.1.6 icmp_seq=4 ttl=64 time=34.286 ms
84 bytes from 10.1.1.6 icmp_seq=5 ttl=64 time=15.887 ms



PC4> ping 10.1.1.7
84 bytes from 10.1.1.7 icmp_seq=1 ttl=64 time=26.638 ms
84 bytes from 10.1.1.7 icmp_seq=2 ttl=64 time=10.758 ms
84 bytes from 10.1.1.7 icmp_seq=3 ttl=64 time=48.530 ms
84 bytes from 10.1.1.7 icmp_seq=4 ttl=64 time=81.011 ms
84 bytes from 10.1.1.7 icmp_seq=5 ttl=64 time=60.035 ms


PC5> ping 10.1.1.3
84 bytes from 10.1.1.3 icmp_seq=1 ttl=64 time=20.204 ms
84 bytes from 10.1.1.3 icmp_seq=2 ttl=64 time=61.496 ms
84 bytes from 10.1.1.3 icmp_seq=3 ttl=64 time=15.266 ms
84 bytes from 10.1.1.3 icmp_seq=4 ttl=64 time=19.207 ms
84 bytes from 10.1.1.3 icmp_seq=5 ttl=64 time=10.576 ms

{now ping from Kali}

(Now let's take a look at the switch MAC table; we have 6 PCs)


vIOS-L2-01#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.7966.6800    DYNAMIC     Gi0/1
   1    0050.7966.6801    DYNAMIC     Gi0/2
   1    0050.7966.6802    DYNAMIC     Gi0/3
   1    0050.7966.6803    DYNAMIC     Gi1/0
   1    0050.7966.6804    DYNAMIC     Gi1/1
   1    0c67.5676.0000    DYNAMIC     Gi0/0
Total Mac Addresses for this criterion: 6

(As of now everything is working well; now let's configure the MAC flooding ATTACK)

{configure Wireshark on the KALI machine for ICMP capture}

{now configure the MAC flooding ATTACK}


















(As you can see from the above image, our machine is sending fake MAC addresses continuously. Now let's take a look at Wireshark)

{now let's take a look at our switch MAC address table}

(As you can see from the above output, the MAC address table is filling up with FAKE MAC addresses, and they are arriving on Gig 0/0, which is connected to the KALI machine)

{configure port security on the switch and make sure this will not happen again}



vIOS-L2-01(config)#interface gigabitEthernet 0/0
vIOS-L2-01(config-if)#switchport
vIOS-L2-01(config-if)#switchport mode access
vIOS-L2-01(config-if)#switchport port-security
vIOS-L2-01(config-if)#switchport port-security maximum 2
vIOS-L2-01(config-if)#switchport port-security mac-address sticky
vIOS-L2-01(config-if)#switchport port-security violation shutdown
vIOS-L2-01(config-if)#exit
vIOS-L2-01(config)#exit

vIOS-L2-01#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/0              2            1                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096
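The two halves of this post, the CAM table filling up with forged addresses and port security cutting the port off, can be seen side by side in a small model. The following Python is an added example, not switch code or part of the original post: a toy learning switch with a bounded MAC table that evicts its oldest entry when full, plus a port-security mode with a per-port maximum and a shutdown action. The host MAC addresses, the table size of 1024 entries and the 5000-frame flood are constructed values for the illustration. One caveat worth noting from the output above: `show port-security` reports the Security Action as Protect even though `violation shutdown` was configured, while the err-disable log later in the post is what shutdown mode produces; if you see that mismatch, re-check the running configuration before trusting the summary.

```python
from collections import OrderedDict

# Constructed MAC addresses for the hosts, using the same vendor prefix the
# lab's PCs show; assigned here for the example only.
PC1, PC2, PC3 = "00:50:79:66:68:00", "00:50:79:66:68:01", "00:50:79:66:68:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy learning switch with a bounded CAM table and optional port security.

    A constructed model of the behaviour described in the post, not Cisco IOS:
    when the CAM table is full the oldest entry is evicted, so frames for hosts
    whose entries were pushed out get flooded out of every port.
    """

    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = OrderedDict()      # mac -> port, oldest entry first
        self.secure = {}              # port -> {"max": n, "learned": set(), "action": str}
        self.err_disabled = set()
        self.violations = []

    def enable_port_security(self, port, maximum, violation="shutdown"):
        self.secure[port] = {"max": maximum, "learned": set(), "action": violation}

    def _learn(self, mac, port):
        if mac in self.cam:
            self.cam.move_to_end(mac)
        elif len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)   # table full: evict the oldest entry
        self.cam[mac] = port

    def _port_security_ok(self, port, mac):
        sec = self.secure.get(port)
        if sec is None or mac in sec["learned"]:
            return True
        if len(sec["learned"]) < sec["max"]:
            sec["learned"].add(mac)       # sticky-style learning up to the maximum
            return True
        self.violations.append((port, mac))
        if sec["action"] == "shutdown":
            self.err_disabled.add(port)   # err-disable, as the switch log shows
            for m in [m for m, p in self.cam.items() if p == port]:
                del self.cam[m]
        return False

    def receive(self, ingress, src_mac, dst_mac):
        """Process one frame and return the list of ports it is sent out of."""
        if ingress in self.err_disabled or not self._port_security_ok(ingress, src_mac):
            return []
        self._learn(src_mac, ingress)
        egress = self.cam.get(dst_mac)
        if egress is None:                # unknown destination: flood
            return [p for p in self.ports if p != ingress and p not in self.err_disabled]
        if egress == ingress:             # destination is on the same port: filter
            return []
        return [egress]


def run_flood(port_security, fake_frames=5000, cam_capacity=1024):
    """Learn two hosts, replay a flood of forged source MACs on Gi0/0, then watch
    where a frame from PC3 to PC2 goes. Returns a summary dict."""
    sw = Switch(["Gi0/0", "Gi0/1", "Gi0/2", "Gi0/3"], cam_capacity)
    if port_security:
        sw.enable_port_security("Gi0/0", maximum=2)
    sw.receive("Gi0/1", PC1, PC2)
    sw.receive("Gi0/2", PC2, PC1)
    for i in range(fake_frames):          # forged, locally administered source MACs
        fake = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        sw.receive("Gi0/0", fake, BROADCAST)
    egress = sw.receive("Gi0/3", PC3, PC2)
    return {
        "egress": egress,
        "cam_size": len(sw.cam),
        "err_disabled": sorted(sw.err_disabled),
        "violations": len(sw.violations),
    }


if __name__ == "__main__":
    print("without port security:", run_flood(port_security=False))
    print("with port security:   ", run_flood(port_security=True))
```

Without port security the table ends up holding nothing but forged entries, PC2's entry is gone, and the PC3 to PC2 frame is flooded to Gi0/0 where the attacker is listening. With a maximum of two secure addresses on Gi0/0, the third forged source trips a violation, the port is err-disabled, the forged entries are flushed, and the same frame goes only to Gi0/2.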


{try the MAC flooding ATTACK again and make sure the switch takes action and shuts down the attacking port}

(Now let's see whether the switch is taking action or not)


*Jun 13 07:36:41.843: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/0, putting Gi0/0 in err-disable state
vIOS-L2-01(config)#
*Jun 13 07:36:41.848: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address bebc.f55f.9ae2 on port GigabitEthernet0/0.
vIOS-L2-01(config)#
*Jun 13 07:36:42.844: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
vIOS-L2-01(config)#
*Jun 13 07:36:43.848: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down

(As you can see, the switch has shut down the violating attacker port. This is how we can prevent MAC flooding attacks)

vIOS-L2-01#show mac  address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.7966.6800    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 1

Thank you so much for visiting; please visit our YouTube video.

Saturday, 10 June 2023

How to configure PAT NAT on ASA Firewall?

NAT (Network Address Translation) is used to translate private IP addresses into public IP addresses. NAT rewrites the source and destination IP addresses and ports. Address translation reduces the need for public IPv4 addresses and also hides private network address ranges. NAT generally runs on a router or firewall. Previously we configured SNAT, DNAT, and PAT on a router; now we are going to configure PAT on the ASA firewall.

Port Address Translation (PAT): this form of NAT is also known as dynamic NAT overload. PAT allows thousands of users to access the internet using only one real, globally registered public IP address. PAT maps many addresses to one by using ports. PAT is the reason we have not yet run out of valid IP addresses on the internet. PAT is cost-effective because a single public IP is used; the port number is what distinguishes which traffic belongs to which inside IP address.
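The many-to-one mapping is easiest to see in a small translation table: each inside (address, port) pair borrows a distinct port on the single outside address, and the port on returning traffic is what selects the inside host again. The following Python is an added example, not ASA code or part of the original post; the class, its method names and the host addresses are constructed for the illustration. It also covers the two behaviours a practitioner cares about that the lab output does not spell out: inbound packets for a port nobody inside opened are dropped (which is the "hides private addresses" property), and the pool can run out.

```python
from collections import deque


class PatTranslator:
    """Port Address Translation for one outside address.

    A constructed model of the idea, not ASA code: every inside (address, port)
    pair is mapped to a distinct port on the single outside address, and the
    port on returning traffic is what picks the inside host again.
    """

    def __init__(self, outside_ip, first_port=1024, last_port=65535):
        self.outside_ip = outside_ip
        self.free_ports = deque(range(first_port, last_port + 1))
        self.forward = {}   # (inside_ip, inside_port) -> outside_port
        self.reverse = {}   # outside_port -> (inside_ip, inside_port)

    def translate_outbound(self, inside_ip, inside_port):
        """Allocate (or reuse) an outside port; returns the (ip, port) the world sees."""
        key = (inside_ip, inside_port)
        if key not in self.forward:
            if not self.free_ports:
                raise RuntimeError("PAT pool exhausted on %s" % self.outside_ip)
            port = self.free_ports.popleft()
            self.forward[key] = port
            self.reverse[port] = key
        return (self.outside_ip, self.forward[key])

    def translate_inbound(self, outside_port):
        """Returning packet: map the outside port back to the inside host, or None
        if nothing inside opened that flow (unsolicited inbound traffic is dropped)."""
        return self.reverse.get(outside_port)

    def release(self, inside_ip, inside_port):
        """Entry timed out or connection closed: give the port back to the pool."""
        port = self.forward.pop((inside_ip, inside_port), None)
        if port is None:
            return False
        del self.reverse[port]
        self.free_ports.append(port)
        return True

    def xlate_table(self):
        """Rows in the spirit of 'show xlate' on the ASA."""
        return ["PAT from %s/%d to %s/%d" % (ip, p, self.outside_ip, op)
                for (ip, p), op in self.forward.items()]


if __name__ == "__main__":
    pat = PatTranslator("101.1.1.1")
    print(pat.translate_outbound("192.168.1.10", 2177))   # INSIDE host
    print(pat.translate_outbound("192.168.2.10", 2177))   # DMZ host, same inside port
    for row in pat.xlate_table():
        print(row)
```

Two inside hosts using the same source port get two different outside ports, which is the case the `show xlate` output later in this post illustrates. For ICMP there is no port, so the ASA uses the ICMP identifier in its place, which is why the xlate entries there show values such as /2177 on the inside side.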








let's configure PAT on the ASA firewall:

Topology: -

  • configure the topology as per the diagram
  • configure the IP addresses as per the topology
  • configure an access-list that permits ICMP traffic from a lower security level to a higher one
  • apply the access-list to the interface
  • configure the network objects
  • configure the PAT statements

(On ASA)


ciscoasa(config)# int Gig 0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# nameif INSIDE
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# exit

ciscoasa(config)# int Gig 1
ciscoasa(config-if)# no shut
ciscoasa(config-if)# ip address 192.168.2.1 255.255.255.0
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# exit

ciscoasa(config)# int Gig 2
ciscoasa(config-if)# no shut
ciscoasa(config-if)# ip address 101.1.1.1 255.255.255.0
ciscoasa(config-if)# nameif OUTSIDE
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# exit

(On router)

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 101.1.1.2 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface fastEthernet 1/0
R1(config-if)#ip address 30.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit


ciscoasa# show interface ip brief

Interface                        IP-Address      OK? Method Status                Protocol
GigabitEthernet0           192.168.1.1     YES manual up                    up
GigabitEthernet1           192.168.2.1     YES manual up                    up
GigabitEthernet2           101.1.1.1       YES manual up                    up


(On PC 1)

PC1> ip 192.168.1.10 255.255.255.0 192.168.1.1

Checking for duplicate addresses...

PC1 : 192.168.1.10 255.255.255.0 gateway 192.168.1.1


(On PC2)


PC2> ip 192.168.2.10 255.255.255.0 192.168.2.1

Checking for duplicate addresses...

PC1 : 192.168.2.10 255.255.255.0 gateway 192.168.2.1


(On PC3)

PC3> ip 30.1.1.2 255.0.0.0 30.1.1.1
Checking for duplicate addresses...
PC1 : 30.1.1.2 255.0.0.0 gateway 30.1.1.1


(On ASA)

ciscoasa(config)# access-list traffic_out permit icmp any any
ciscoasa(config)# access-list traffic_dmz permit icmp any any

ciscoasa(config)# access-group traffic_out in interface outside
ciscoasa(config)# access-group traffic_dmz in interface dmz


ciscoasa(config)# object network inside-nat
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# exit

ciscoasa(config)# nat (INSIDE,OUTSIDE) source dynamic inside-nat  interface


ciscoasa(config)#object network dmz-nat
ciscoasa(config-network-object)# subnet 192.168.2.0 255.255.255.0
ciscoasa(config-network-object)# exit

ciscoasa(config)# nat (DMZ,OUTSIDE) source dynamic dmz-nat interface


ciscoasa(config)# object network dmz-nat-pool
ciscoasa(config-network-object)# range 120.1.1.1 120.1.1.10
ciscoasa(config-network-object)# exit

ciscoasa(config)# route OUTSIDE 0.0.0.0 0.0.0.0 101.1.1.2

(Now ping from INSIDE to OUTSIDE and from DMZ to OUTSIDE)

(from PC1)

(From PC2)

(As you can see, we can ping outside from both inside and DMZ)

(from ASA)

ciscoasa# show xlate

10 in use, 15 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

ICMP PAT from DMZ:192.168.2.10/2689 to OUTSIDE:101.1.1.1/61018 flags ri idle 0:00:02 timeout 0:00:30

ICMP PAT from DMZ:192.168.2.10/2433 to OUTSIDE:101.1.1.1/25249 flags ri idle 0:00:03 timeout 0:00:30

ICMP PAT from DMZ:192.168.2.10/2177 to OUTSIDE:101.1.1.1/28580 flags ri idle 0:00:04 timeout 0:00:30

ICMP PAT from DMZ:192.168.2.10/1921 to OUTSIDE:101.1.1.1/6494 flags ri idle 0:00:05 timeout 0:00:30

ICMP PAT from DMZ:192.168.2.10/1665 to OUTSIDE:101.1.1.1/14856 flags ri idle 0:00:06 timeout 0:00:30

ICMP PAT from INSIDE:192.168.1.10/2177 to OUTSIDE:101.1.1.1/21203 flags ri idle 0:00:05 timeout 0:00:30

ICMP PAT from INSIDE:192.168.1.10/1665 to OUTSIDE:101.1.1.1/1845 flags ri idle 0:00:06 timeout 0:00:30

ICMP PAT from INSIDE:192.168.1.10/1409 to OUTSIDE:101.1.1.1/63559 flags ri idle 0:00:07 timeout 0:00:30

ICMP PAT from INSIDE:192.168.1.10/897 to OUTSIDE:101.1.1.1/56354 flags ri idle 0:00:08 timeout 0:00:30

ICMP PAT from INSIDE:192.168.1.10/385 to OUTSIDE:101.1.1.1/51849 flags ri idle 0:00:08 timeout 0:00:30



ciscoasa# show nat pool

UDP PAT pool INSIDE, address 0.0.0.0, range 1-511, allocated 0

UDP PAT pool INSIDE, address 0.0.0.0, range 512-1023, allocated 0

UDP PAT pool INSIDE, address 0.0.0.0, range 1024-65535, allocated 4

UDP PAT pool DMZ, address 192.168.2.1, range 1-511, allocated 0

UDP PAT pool DMZ, address 192.168.2.1, range 512-1023, allocated 0

UDP PAT pool DMZ, address 192.168.2.1, range 1024-65535, allocated 4

UDP PAT pool OUTSIDE, address 0.0.0.0, range 1-511, allocated 0

UDP PAT pool OUTSIDE, address 0.0.0.0, range 512-1023, allocated 0

UDP PAT pool OUTSIDE, address 0.0.0.0, range 1024-65535, allocated 4

ICMP PAT pool OUTSIDE, address 101.1.1.1, range 1-511, allocated 0

ICMP PAT pool OUTSIDE, address 101.1.1.1, range 512-1023, allocated 0

ICMP PAT pool OUTSIDE, address 101.1.1.1, range 1024-65535, allocated 0


(thank you so much for visiting, please watch our YouTube videos)

https://youtube.com/@internetworkss




Thursday, 25 May 2023

What is Switch Port Analyzer SPAN, RSPAN? How to configure SPAN and RSPAN?

What are SPAN and RSPAN?

Cisco Catalyst switches have a feature called SPAN (Switch Port Analyzer). It directs all traffic from a source port or source VLAN to a single port; in other words, it copies all traffic from a source port or source VLAN to a destination interface. SPAN is sometimes referred to as session monitoring because of the commands used to configure it.

Switch Port Analyzer is useful for many applications, for a number of reasons:

  • SPAN is useful for data collection purposes.
  • If you want to use Wireshark to capture traffic from an interface connected to a workstation, server, phone, or anything else you want to sniff.
  • All traffic from a VoIP VLAN can be delivered to a single switch port so you can record the calls in a VoIP network.
  • Another common use of this feature is to feed an IDS/IPS.





The source of a SPAN session can be one or more ports, or a VLAN, which gives us great flexibility in monitoring traffic. Transmitted traffic, received traffic, or both directions can be copied to the destination interface.

If the SPAN destination port is on the local switch (the same switch), we call it SPAN. If the SPAN destination is on a different switch, we call it remote SPAN, or RSPAN.

In RSPAN, a specific VLAN needs to be configured across the entire switching path from the source port or VLAN to the RSPAN destination port to carry the traffic you are copying, so that the traffic can travel from the source switch to the destination switch. This requires that the RSPAN VLAN be included in every trunk along that path too.

 


Restrictions of SPAN and RSPAN:

  • You can use whatever source interface you want (switch port, routed port, access port, trunk port, EtherChannel, etc.), but you can't mix interfaces and VLANs in the same session.
  • Do not overload an interface with an entire VLAN.
  • When you configure the destination interface (port), its previous configuration is overwritten. When you remove the SPAN configuration, the original configuration is restored.
  • The destination port does not support any layer 2 protocol such as STP, CDP, VTP, DTP, etc.
  • The destination port does not support port security.
  • The destination port does not support private VLANs.

 

Let's configure SPAN with a source VLAN.


Topology: -




  • configure the topology as per the diagram
  • assign the IPs to the PCs as per the topology
  • configure a monitor session on the switch
  • configure fa0/2 to 5 as the source ports
  • test the lab
  • remove the configuration
  • configure a source VLAN
  • verify the lab

{assign the IP to the PCs}

C:\>ipconfig

IP Address......................: 10.1.1.1
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 0.0.0.0


C:\>ipconfig

IP Address......................: 10.1.1.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 0.0.0.0


C:\>ipconfig

IP Address......................: 10.1.1.3
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 0.0.0.0


C:\>ipconfig

IP Address......................: 10.1.1.4
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 0.0.0.0


Switch(config)#monitor session 1 source interface fastEthernet 0/2 - 5

Switch(config)#monitor session 1 destination interface fastEthernet 0/1


Switch#show monitor session 1

Session 1

---------

Type : Local Session

Description : -

Source Ports :

Both : Fa0/2,Fa0/3,Fa0/4,Fa0/5

Destination Ports : Fa0/1

Encapsulation : Native

Ingress : Disabled


Switch#show monitor detail

Session 1

---------

Type : Local Session

Description : -

Source Ports :

RX Only : None

TX Only : None

Both : Fa0/2,Fa0/3,Fa0/4,Fa0/5

Source VLANs :

RX Only : None

TX Only : None

Both : None

Source RSPAN VLAN : None

Destination Ports : Fa0/1

Encapsulation : Native

Ingress : Disabled

Filter VLANs : None

Dest RSPAN VLAN : None



(Now generate some traffic using ping from the PCs and then open our sniffer)

(As you can see, our sniffer received a copy of the data. Now we are going to monitor a VLAN)


Switch(config)#vlan 10

Switch(config-vlan)#name SPAN-TEST

Switch(config-vlan)#

Switch(config-vlan)#EXIT



Switch(config)#monitor session 2 source vlan 10 both

Switch(config)#monitor session 2 destination interface fastEthernet 0/1

Switch(config)#exit


Switch#show monitor session 2

Session 2

---------

Type : Local Session

Description : -

Source VLANs :

Both : 10

Destination Ports : Fa0/1

Encapsulation : Native

Ingress : Disabled



(Generate some traffic using ping from the PCs)





