
How to mirror network traffic in Cisco?

Problem:

How to mirror network traffic in Cisco?



Solution:



When you administer a network you often need to know which protocols are used most, and whether someone is running unauthorized P2P software; SPAN is the feature that lets you capture that traffic for analysis.

The Switched Port Analyzer (SPAN) feature, sometimes called port mirroring or port monitoring, copies selected network traffic to a port where a network analyzer can capture it. For example, if you want to capture the Ethernet traffic exchanged between host A and host B through a switch, you use SPAN: unlike a hub, a switch forwards unicast frames only to the port where the destination MAC address was learned, so a sniffer on a third port would otherwise see none of that traffic.

The sniffer is attached to a port (the destination SPAN port) that is configured to receive a copy of every packet sent between host A and host B; the ports those hosts are connected to are the source SPAN ports.

A source port, also called a monitored port, is a switched or routed port whose traffic you monitor. In a single local SPAN session or RSPAN source session you can monitor received (Rx), transmitted (Tx), or bidirectional (both) traffic on a source port. The switch supports any number of source ports (up to the number of ports on the switch) and any number of source VLANs.

A source port has these characteristics:

It can be any port type, such as EtherChannel, Fast Ethernet, Gigabit Ethernet, and so forth.
It can be monitored in multiple SPAN sessions.
It cannot be a destination port.
Each source port can be configured with a direction (ingress, egress, or both) to monitor. For EtherChannel sources, the monitored direction applies to all physical ports in the group.
Source ports can be in the same or different VLANs.
For VLAN SPAN sources, all active ports in the source VLAN are included as source ports.

Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports and VLANs.

A destination port has these characteristics:

A destination port must reside on the same switch as the source port (for a local SPAN session).
A destination port can be any Ethernet physical port.
A destination port can participate in only one SPAN session at a time. A destination port in one SPAN session cannot be a destination port for a second SPAN session.
A destination port cannot be a source port.
A destination port cannot be an EtherChannel group.
A destination port can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group has been specified as a SPAN source. The port is removed from the group while it is configured as a SPAN destination port.
The port does not transmit any traffic except that traffic required for the SPAN session unless learning is enabled. If learning is enabled, the port also transmits traffic directed to hosts that have been learned on the destination port.
The state of the destination port is up/down by design. The interface shows the port in this state in order to make it evident that the port is currently not usable as a production port.
If ingress traffic forwarding is enabled for a network security device, the destination port also forwards the traffic that device sends into the switch at Layer 2. Enable ingress only when the attached device is meant to inject traffic (for example an IPS sending TCP resets); a passive sniffer should not have it.
A destination port does not participate in spanning tree while the SPAN session is active.
When it is a destination port, it does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PAgP).
A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list and is not monitored.
A destination port receives copies of sent and received traffic for all monitored source ports. If a destination port is oversubscribed it becomes congested and copies are dropped; monitoring both directions of a single full-duplex link already produces up to twice the line rate of a destination port of the same speed. This congestion can also affect traffic forwarding on one or more of the source ports.

For example, to monitor the traffic to and from FastEthernet 0/1 (source port) with a sniffer on FastEthernet 0/3 (destination port) on a Catalyst 2950, the configuration is:

SW2950#configure terminal
SW2950(config)#
SW2950(config)#monitor session 1 source interface fastethernet 0/1
SW2950(config)#monitor session 1 destination interface fastethernet 0/3
SW2950(config)#

SW2950#show monitor session 1
Session 1
---------
Source Ports:
  RX Only:  None
  TX Only:  None
  Both:  Fa0/1
Destination Ports: Fa0/3
SW2950#

The same configuration works on the Catalyst 2940, 2955, 2960, 2970, 3550, 3560, 3560-E, 3750 and 3750-E series switches. On a Catalyst 2900XL/3500XL the configuration is different: the port monitor command is entered on the destination interface and names the port to be monitored:

SW2900XL(config)#interface fastethernet 0/3
SW2900XL(config-if)#port monitor fastethernet 0/1
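As an added example that is not part of the original post, the following sessions on a Catalyst 3560/3750-class IOS switch exercise the source and destination characteristics listed above: a receive-only source, an EtherChannel source, a VLAN source, and a destination with ingress forwarding for an inline IDS/IPS. The hostname, interface numbers and VLAN 10 are assumed; the ingress keyword syntax is the 3560/3750 form and differs on other platforms (the 2950, for instance, takes ingress vlan).

```cisco
! Added example, not from the original post. Catalyst 3560/3750-class syntax;
! hostname, interfaces and VLAN 10 are assumed.
!
! Session 1: copy only what the server on Gi0/1 receives, plus both directions
! of the uplink EtherChannel Po1 (the direction applies to every member port),
! to a passive sniffer on Gi0/24. No ingress: the sniffer cannot inject frames.
SW3560#configure terminal
SW3560(config)#monitor session 1 source interface gigabitethernet 0/1 rx
SW3560(config)#monitor session 1 source interface port-channel 1 both
SW3560(config)#monitor session 1 destination interface gigabitethernet 0/24
!
! Session 2: monitor a whole VLAN (every active port in VLAN 10 becomes a
! source) and feed an inline IDS/IPS on Gi0/23 that must also send traffic
! back (TCP resets). "ingress untagged vlan 10" makes the switch accept the
! frames the device sends as untagged frames belonging to VLAN 10.
SW3560(config)#monitor session 2 source vlan 10
SW3560(config)#monitor session 2 destination interface gigabitethernet 0/23 ingress untagged vlan 10
SW3560(config)#end
!
! Verify. Gi0/24 cannot also be the destination of session 2, and neither
! destination can be added as a source; the switch rejects such commands.
SW3560#show monitor session all
SW3560#show monitor session 2 detail
!
! Remove a session when the capture is finished so the destination port
! leaves the up/down monitoring state and returns to production use.
SW3560#configure terminal
SW3560(config)#no monitor session 1
SW3560(config)#end
```

Keep the destination ports physically controlled: whoever plugs into Gi0/24 receives a copy of everything the session mirrors, and with ingress enabled on Gi0/23 the attached device can inject frames into VLAN 10 as if it were a normal access port.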

Sometimes the source ports are not on the same switch as the destination port; in that case you need one of the remote SPAN variants, RSPAN or ERSPAN.

Remote SPAN (RSPAN) lets you monitor source ports spread across a switched network, not only on the local switch. A session works like a regular SPAN session, except that the monitored traffic is not copied directly to a destination port but flooded into a special RSPAN VLAN. The destination port can then be on any switch that carries that RSPAN VLAN, and there can be several destination ports.

An RSPAN session cannot cross a Layer 3 device, because RSPAN is a Layer 2 (LAN) feature. To monitor traffic across a WAN or between different networks, use Encapsulated Remote SPAN (ERSPAN).
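An added example (not from the original post) of an RSPAN session between two Catalyst 3560/3750-class switches, SW-A holding the source port and SW-B the destination port. VLAN 900, the hostnames and the interface numbers are assumed.

```cisco
! Added example, not from the original post. Catalyst 3560/3750-class syntax;
! VLAN 900, hostnames and interfaces are assumed.
!
! --- SW-A: the switch with the monitored port ---
! The RSPAN VLAN is an ordinary VLAN flagged with remote-span; it carries only
! mirrored traffic and must exist on every switch between SW-A and SW-B.
SW-A(config)#vlan 900
SW-A(config-vlan)#name RSPAN-CAPTURE
SW-A(config-vlan)#remote-span
SW-A(config-vlan)#exit
! Source session: mirror Gi0/1 into the RSPAN VLAN instead of a local port.
SW-A(config)#monitor session 1 source interface gigabitethernet 0/1 both
SW-A(config)#monitor session 1 destination remote vlan 900
SW-A(config)#end
SW-A#show monitor session 1
!
! --- SW-B: the switch with the sniffer ---
SW-B(config)#vlan 900
SW-B(config-vlan)#remote-span
SW-B(config-vlan)#exit
! Destination session: take the RSPAN VLAN as the source and deliver it to
! the local destination port Gi0/24.
SW-B(config)#monitor session 1 source remote vlan 900
SW-B(config)#monitor session 1 destination interface gigabitethernet 0/24
SW-B(config)#end
SW-B#show monitor session 1
```

The RSPAN VLAN must be allowed on the trunks between the two switches (VTP propagates the VLAN definition if VTP is in use, but trunk allowed lists are per trunk). Because the mirrored traffic is flooded to every port and trunk in VLAN 900, prune it from trunks that do not lead towards SW-B and never assign an access port to it; otherwise the captured traffic is readable on any switch that carries the VLAN.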

The ERSPAN feature supports source ports, source VLANs, and destination ports on different switches, which provides remote monitoring of multiple switches across your network.

ERSPAN consists of an ERSPAN source session, routable GRE-encapsulated ERSPAN traffic, and an ERSPAN destination session. The source session and the destination session are configured separately on different switches.
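An added example (not from the original post) of an ERSPAN source session and its matching destination session, in the nested monitor session submode syntax shared by the Catalyst 6500 and IOS XE ERSPAN implementations. The session numbers, ERSPAN ID 101, the IP addresses, the hostnames and the interfaces are assumed.

```cisco
! Added example, not from the original post. Catalyst 6500 / IOS XE ERSPAN
! syntax; session numbers, ERSPAN ID, addresses and interfaces are assumed.
!
! --- SW-6500-A: the source switch ---
! Frames received on Gi1/1 are wrapped in GRE and routed to 10.20.0.5.
SW-6500-A(config)#monitor session 10 type erspan-source
SW-6500-A(config-mon-erspan-src)#source interface gigabitethernet 1/1 rx
SW-6500-A(config-mon-erspan-src)#destination
! erspan-id tags the flow so the destination can match it; ip address is the
! GRE destination; origin ip address is the source address of the GRE packets.
SW-6500-A(config-mon-erspan-src-dst)#erspan-id 101
SW-6500-A(config-mon-erspan-src-dst)#ip address 10.20.0.5
SW-6500-A(config-mon-erspan-src-dst)#origin ip address 10.10.0.5
SW-6500-A(config-mon-erspan-src-dst)#exit
! Sessions are created shut down on some platforms; no shutdown activates it.
SW-6500-A(config-mon-erspan-src)#no shutdown
SW-6500-A(config-mon-erspan-src)#exit
!
! --- SW-6500-B: the destination switch (owns 10.20.0.5) ---
! GRE packets carrying ERSPAN ID 101 are decapsulated and the original frames
! are delivered to the sniffer on Gi2/1.
SW-6500-B(config)#monitor session 20 type erspan-destination
SW-6500-B(config-mon-erspan-dst)#destination interface gigabitethernet 2/1
SW-6500-B(config-mon-erspan-dst)#source
SW-6500-B(config-mon-erspan-dst-src)#erspan-id 101
SW-6500-B(config-mon-erspan-dst-src)#ip address 10.20.0.5
SW-6500-B(config-mon-erspan-dst-src)#exit
SW-6500-B(config-mon-erspan-dst)#no shutdown
SW-6500-B(config-mon-erspan-dst)#exit
```

The erspan-id and the destination ip address must match on both sides. The GRE encapsulation is neither encrypted nor authenticated, so the mirrored frames are readable by anyone on the routed path between 10.10.0.5 and 10.20.0.5; keep both endpoints on a dedicated capture or management network and restrict GRE (IP protocol 47) between those two addresses with ACLs on the intermediate routers.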
