Span Port on the ASA 5505

There are a few ASA features that are specific to the 5505. This small-business version of the Cisco firewall works a little differently from the higher-performance models. The ASA 5505 is basically an 8-port switch with the ASA logic functioning between VLANs. As such, you can do “switch stuff” that you cannot do on other versions. The feature that we are going to talk about today is called SPAN, port monitoring, or port mirroring.

The purpose of “span” is to allow a copy of traffic to be sent to a sniffer or content filter for further inspection. The use case is most likely troubleshooting, but other monitoring solutions could be used as well. Without configuring a span port, the sniffer or monitoring station would only receive a subset of the traffic it needs to inspect: broadcast, multicast and unknown unicast for the VLAN in which the port is configured. In order to capture all traffic to or from a port, the span function would be configured as follows:

ASA(config)# int ethernet 0/0
ASA(config-if)# description Outside Interface
ASA(config-if)# exit
ASA(config)# int ethernet 0/7
ASA(config-if)# description Monitoring Station/Sniffer
ASA(config-if)# switchport monitor ethernet 0/0 both
ASA(config-if)# exit

As is demonstrated above, the ASA 5505 has a straightforward configuration for the span functionality. The challenge is remembering that you have this feature at your disposal. If you are troubleshooting a small or medium business environment and need raw data from the wire, the span function (and Wireshark) is your friend.
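Because a mirror port hands a full copy of another port's traffic to whatever is plugged into it, it is worth auditing the running-config for `switchport monitor` lines you did not put there. The following Python is an added example, not from the original post: it parses a constructed ASA 5505 running-config excerpt in the same format as the configuration above and flags any mirror session that is not on an approved list. The default direction of `both` when none is given is an assumption.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed 'show running-config' excerpt in ASA 5505 interface syntax (not a real device).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 description Outside Interface
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 1
!
interface Ethernet0/7
 description Monitoring Station/Sniffer
 switchport monitor Ethernet0/0 both
!
"""


class MonitorSession(NamedTuple):
    destination: str  # port the sniffer is attached to
    source: str       # port whose traffic is being mirrored
    direction: str    # 'both', 'tx' or 'rx'


def parse_monitor_sessions(config: str) -> List[MonitorSession]:
    """Walk the interface blocks and collect every 'switchport monitor' line."""
    sessions: List[MonitorSession] = []
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+switchport monitor (\S+)(?: (both|tx|rx))?\s*$", line)
        if m and current:
            # Assumption: an omitted direction keyword means 'both'.
            sessions.append(MonitorSession(current, m.group(1), m.group(2) or "both"))
    return sessions


def unexpected_monitor_ports(config: str, approved: Dict[str, str]) -> List[MonitorSession]:
    """Return mirror sessions whose destination->source pair is not in the approved map."""
    return [s for s in parse_monitor_sessions(config) if approved.get(s.destination) != s.source]
```

Run `unexpected_monitor_ports(config, {"Ethernet0/7": "Ethernet0/0"})` against a saved config; an empty list means only the documented sniffer port is mirroring traffic.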

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

3 Responses to Span Port on the ASA 5505

  1. Ahh, that can go quite unnoticed. Thanks! 🙂

  2. K says:

    I know this is old, but do you know if the span port counts as one of your vlans? I know the security plus license only allows for 3 vlans and I want to have a DMZ.

  3. Unknown says:

    For those who stumbled on this post (old), the Security Plus license on a Cisco ASA 5505 allows for 20 VLANs, not 3.
