Configure Port Mirrors on Cisco Switches

siteadmin — Tue, 19 Feb 2008 13:31:17 +0000

Switches make network troubleshooting a bit more difficult because not all traffic is sent to every port like in an older network hub. Switching traffic improves speed because bandwidth is reserved only for connections on that port and security is generally better because it takes more than a simple freeware network sniffer like Wireshark to snoop traffic on that segment.

To work around this for troubleshooting and analysis, either a network hardware mirror, most often called a tap, or a mirror (sometimes called a span) on the switch is required. Most business-class switches have this feature and cisco includes it on all of its switches.

Configure a mirror on port 1 like this.

My_Switch(config)#monitor session 1 source interface Fa0/1 both
My_Switch(config)#monitor session 1 destination interface Fa0/10

The both option on the command tells the switch to send both transmit and receive packets to the destination port. Once a switchport is configured as a destination mirror port, the port will not accept traffic. A sniffer cannot transmit data, it can only listen.

Cisco Switches actually allow you create more than one mirror, although the number of allowed mirrors depends on the model of Cisco switch. To create a second mirror, just designate a second mirror session.
My_Switch(config)#monitor session 2 source interface Fa0/2 both
My_Switch(config)#monitor session 2 destination interface Fa0/11

Cisco’s syntax also allows you to specify multiple sources to a single port or a single source to multiple destinations. This is handy when setting up Intrusion Detection Systems that monitor the network.

My_Switch(config)#monitor session 2 source interface Fa0/2 both
My_Switch(config)#monitor session 2 destination interface Fa0/11
My_Switch(config)#monitor session 2 destination interface Fa0/12

In some cases, looking at the traffic for just one port is not good enough or the number of mirrors needed exceeds the number of mirrors that the switch is capable of. In that case, Cisco switches allow you to create a vlan mirror that grabs traffic from the entire vlan or vlans and sends it to a destination port for monitoring.

My_Switch(config)#monitor session 1 source vlan 33 rx
My_Switch(config)# monitor session 1 destination interface Gi1/1

Specifying both in the source command would create duplicate packets as packets go in and out of the vlan, so only specify receive or transmit with the tx or rx options. The both option would look like a network echo from a sniffer perspective.

The Show Monitor command summarizes all of the configured mirrors on the entire switch.

My_Switch>show monitor
Session 1
———
Type : Local Session
Source Ports:
RX Only: None
TX Only: None
Both: Fa0/1
Source VLANs:
RX Only: None
TX Only: None
Both: None
Source RSPAN VLAN: None
Destination Ports: Fa0/10
Encapsulation: Native
Reflector Port: None
Filter VLANs: None
Dest RSPAN VLAN: None

Session 2
———
Type : Local Session
Source Ports:
RX Only: None
TX Only: None
Both: Fa0/2
Source VLANs:
RX Only: None
TX Only: None
Both: None
Source RSPAN VLAN: None
Destination Ports: Fa0/11
Encapsulation: Native
Reflector Port: None
Filter VLANs: None
Dest RSPAN VLAN: None

Mirrors can be disabled two ways:
My_Switch(config)#monitor session 1

This command will only remove session 1.
My_Switch(config)#no monitor

The no monitor command will remove all monitors on the switch.

Similar Posts
Configure SSH in IOS

Configure Port Channels in IOS Port Channels are a quick way to get more bandwidth...
Configure VLAN trunks on Cisco Switches VLAN trunks allow multiple networks to pass over a single...
Working with VLANS on Cisco Switches Historically, creating multiple networks required multiple switches, but VLANs (Virtual...

Related posts brought to you by Yet Another Related Posts Plugin.

RouterNotes.com » troublseshooting

Configure Port Mirrors on Cisco Switches