Port Mirroring

Sample Port Mirroring:

    Host(config)#monitor session 1 source interface fa0/2
    Host(config)#monitor session 1 destination interface fa0/1

Another example for Catalyst switches 2900XL/3500XL:

This example creates two concurrent SPAN sessions.
  • Port Fast Ethernet 0/1 (Fa0/1) monitors traffic that ports Fa0/2 and Fa0/5 send and receive. Port Fa0/1 also monitors traffic to and from the management interface VLAN 1.
  • Port Fa0/4 monitors ports Fa0/3 and Fa0/6.
Ports Fa0/3, Fa0/4, and Fa0/6 are all configured in VLAN 2. Other ports and the management interface are configured in the default VLAN 1.

    !--- Output suppressed.
    !
    interface FastEthernet0/1
     port monitor FastEthernet0/2
     port monitor FastEthernet0/5
     port monitor VLAN1
    interface FastEthernet0/2
    interface FastEthernet0/3
     switchport access vlan 2
    interface FastEthernet0/4
     port monitor FastEthernet0/3
     port monitor FastEthernet0/6
     switchport access vlan 2
    interface FastEthernet0/5
    interface FastEthernet0/6
     switchport access vlan 2
    !--- Output suppressed.
    interface VLAN1
     ip address
     no ip directed-broadcast
     no ip route-cache
    !--- Output suppressed.

Configuration Steps Explanation

To configure port Fa0/1 as the destination port for the source ports Fa0/2 and Fa0/5 and the management interface (VLAN 1), first select interface Fa0/1 in configuration mode:

    Switch(config)#interface fastethernet 0/1

Enter the list of ports to be monitored:

    Switch(config-if)#port monitor fastethernet 0/2
    Switch(config-if)#port monitor fastethernet 0/5

With this command, every packet that these two ports receive or transmit is also copied to port Fa0/1. Issue a variation of the port monitor command in order to configure the monitoring for the administrative interface:

    Switch(config-if)#port monitor vlan 1

Note: This command does not mean that port Fa0/1 monitors the entire VLAN 1. The vlan 1 keyword simply refers to the administrative interface of the switch.

This example shows that monitoring a port in a different VLAN is not possible; the switch rejects the command:

    Switch(config-if)#port monitor fastethernet 0/3
    FastEthernet0/1 and FastEthernet0/3 are in different vlan

In order to finish the configuration, configure another session. This time, use Fa0/4 as a destination SPAN port:

    Switch(config-if)#interface fastethernet 0/4
    Switch(config-if)#port monitor fastethernet 0/3
    Switch(config-if)#port monitor fastethernet 0/6

Issue a show running command, or use the show port monitor command in order to check the configuration:

    Switch#show port monitor
    Monitor Port           Port Being Monitored
    ---------------------  ---------------------
    FastEthernet0/1        VLAN1
    FastEthernet0/1        FastEthernet0/2
    FastEthernet0/1        FastEthernet0/5
    FastEthernet0/4        FastEthernet0/3
    FastEthernet0/4        FastEthernet0/6

Note: The Catalyst 2900XL and 3500XL do not support SPAN in the Rx direction only (Rx SPAN or ingress SPAN) or in the Tx direction only (Tx SPAN or egress SPAN). All SPAN ports are designed to capture both Rx and Tx traffic.
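The same check can be run offline against a saved running-config, to inventory which ports receive mirrored traffic and to catch a cross-VLAN `port monitor` line in a draft before it is pasted into the switch. The script below is an added example, not part of the Cisco configuration above; the function names are hypothetical, the sample text is constructed from the configuration on this page, and it assumes running-config spelling (`FastEthernet0/1`, no space) and that `VLANn` as a source means the management interface in VLAN n.

```python
import re

# Constructed sample: the running-config from this page, trimmed to the
# lines that matter for SPAN (interfaces, access VLANs, port monitor).
SAMPLE = """\
interface FastEthernet0/1
 port monitor FastEthernet0/2
 port monitor FastEthernet0/5
 port monitor VLAN1
interface FastEthernet0/2
interface FastEthernet0/3
 switchport access vlan 2
interface FastEthernet0/4
 port monitor FastEthernet0/3
 port monitor FastEthernet0/6
 switchport access vlan 2
interface FastEthernet0/5
interface FastEthernet0/6
 switchport access vlan 2
"""

def parse_span(config):
    """Return ({interface: access VLAN}, [(monitor port, monitored source)])."""
    vlans, pairs, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (\S+)", line, re.I):
            current = m.group(1)
            vlans.setdefault(current, 1)  # no access VLAN line means default VLAN 1
        elif current and (m := re.fullmatch(r"switchport access vlan (\d+)", line, re.I)):
            vlans[current] = int(m.group(1))
        elif current and (m := re.fullmatch(r"port monitor (\S+)", line, re.I)):
            pairs.append((current, m.group(1)))
    return vlans, pairs

def audit_span(config):
    """Return (monitor port, source, same_vlan) for every mirror pair."""
    vlans, pairs = parse_span(config)
    rows = []
    for dst, src in pairs:
        if m := re.fullmatch(r"vlan(\d+)", src, re.I):
            src_vlan = int(m.group(1))  # assumption: VLANn = management interface in VLAN n
        else:
            src_vlan = vlans.get(src)   # None if the source is not in the config
        rows.append((dst, src, src_vlan == vlans[dst]))
    return rows

if __name__ == "__main__":
    for dst, src, ok in audit_span(SAMPLE):
        print(f"{dst:<22}{src:<22}{'ok' if ok else 'DIFFERENT VLAN'}")
```

Any monitor port in the output that is not an expected analyzer or IDS port deserves a look, since every packet its source ports send or receive is copied to it.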
