Using Cisco switches to filter SPAN traffic

Overview

In passive recording scenarios (when traffic is delivered to the Verba recording servers through monitoring or SPAN ports), large amounts of traffic can overload the recording servers. In a typical IP telephony environment this problem is handled easily by monitoring only the voice VLANs, which should contain nothing but voice traffic.

This technique, however, cannot be used in all situations. If a dedicated voice VLAN is not available in the network architecture, or if the voice and video traffic is mixed with other kinds of traffic (e.g. when using softphones installed on desktop PCs), the best solution is to filter the SPAN traffic. SPAN traffic filtering is available only on selected Cisco switches.

Cisco's Flow-based SPAN allows filtering

Here is the Cisco definition of the feature that allows SPAN traffic filtering:

Flow-Based Switch Port Analyzer (FSPAN) - SPAN provides a mechanism to capture data appearing on specified ports or VLANs, mirroring it on destination ports. It is very useful for security monitoring and traffic management. However, sometimes the amount of traffic captured with SPAN can be too large and difficult to analyze. Flow-based SPAN provides a mechanism to capture only required (interesting) data between end hosts, by using specified filters. The filters are defined in terms of access lists that limit IPv4, IPv6 or IPv4 + IPv6, or non-IP traffic (MAC) between specified source and destination addresses.

You can use the Cisco Feature Navigator to find which products support it (e.g. type "Flow-based" to find it).

For example, the Cisco 3560-X and Cisco 3750-X Series switches both support FSPAN.

Sample configuration for Cisco or SIP passive recording

If your RTP port range is 16384-32767 (the default on Cisco gateways), you can use the following access list to filter out the majority of non-voice traffic.

ip access-list extended verbafilter
 remark RTP media in either direction (Cisco default UDP port range)
 10 permit udp any any range 16384 32767
 20 permit udp any range 16384 32767 any
 remark Signalling (SIP, SCCP) to and from the IP PBX
 30 permit ip any host <ip-pbx>
 40 permit ip host <ip-pbx> any

Replace <ip-pbx> with the IP address of your IP PBX (e.g. Cisco UCM). After the filter is applied, your SPAN traffic should consist mostly of SIP, Cisco SCCP and RTP packets.

Sample configuration for Microsoft Lync passive recording

In Microsoft Lync passive recording, signalling reaches the recorders directly from the Lync Front End servers, so your filter only needs to allow RTP traffic. You can configure Lync to use a narrow UDP port range for RTP, e.g. 18000-18040, which effectively filters out most non-RTP traffic from the monitor port.

ip access-list extended verbafilter
 remark Lync RTP media in either direction (narrowed UDP port range)
 10 permit udp any any range 18000 18040
 20 permit udp any range 18000 18040 any

After this, your SPAN traffic should consist mostly of UDP packets carrying the encrypted RTP media.
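As an added example (not part of the original page, nor Verba's or Cisco's software), the following Python evaluates both sample access lists above against a few constructed flows, using the switch's first-match semantics and the implicit deny at the end of every ACL. The address 10.0.0.10 stands in for <ip-pbx>; all hosts and ports are made up.

```python
"""Evaluate the page's SPAN filter ACLs offline (added example; 10.0.0.10 stands in for <ip-pbx>; all flows are constructed)."""
from collections import namedtuple
Flow = namedtuple("Flow", "proto src sport dst dport")  # proto is "udp" or "tcp"

def _parse_side(t):
    """Consume 'any' | 'host A.B.C.D' plus an optional 'range lo hi'."""
    addr, t = (t[1], t[2:]) if t[0] == "host" else (t[0], t[1:])
    lo, hi = 0, 65535
    if t and t[0] == "range":
        lo, hi, t = int(t[1]), int(t[2]), t[3:]
    return addr, (lo, hi), t

def parse_acl(text):
    """Return permit/deny entries; header and remark lines carry no match logic."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] in ("ip", "remark"):
            continue
        t = t[1:] if t[0].isdigit() else t  # optional sequence number
        action, proto, t = t[0], t[1], t[2:]
        src, sports, t = _parse_side(t)
        dst, dports, _ = _parse_side(t)
        entries.append((action, proto, src, sports, dst, dports))
    return entries

def permitted(acl, flow):
    """First match wins; Cisco's implicit 'deny ip any any' ends every ACL."""
    for action, proto, src, (slo, shi), dst, (dlo, dhi) in acl:
        if proto not in ("ip", flow.proto):
            continue
        if src not in ("any", flow.src) or dst not in ("any", flow.dst):
            continue
        if slo <= flow.sport <= shi and dlo <= flow.dport <= dhi:
            return action == "permit"
    return False

CISCO_ACL = parse_acl("""ip access-list extended verbafilter
 10 permit udp any any range 16384 32767
 20 permit udp any range 16384 32767 any
 30 permit ip any host 10.0.0.10
 40 permit ip host 10.0.0.10 any""")
LYNC_ACL = parse_acl("""ip access-list extended verbafilter
 10 permit udp any any range 18000 18040
 20 permit udp any range 18000 18040 any""")
RTP = Flow("udp", "10.1.1.5", 20000, "10.1.1.6", 24000)
SIP = Flow("tcp", "10.1.1.5", 5060, "10.0.0.10", 5060)
HTTP = Flow("tcp", "10.1.1.5", 51000, "192.0.2.80", 80)
QUIC = Flow("udp", "10.1.1.5", 30000, "192.0.2.53", 443)
LYNC_RTP = Flow("udp", "10.1.1.5", 18010, "10.1.1.7", 18030)
```

The QUIC flow is still mirrored by the first filter: any UDP packet whose ephemeral port happens to fall inside 16384-32767 passes, so port-range filtering reduces the load on the recorder but does not remove all non-voice traffic.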