Cat 3750-Span (Port Mirroring issue)

Hello team
I am facing a port mirroring issue in my setup. Details of the setup are mentioned below.
Setup:
Stack of 4 Catalyst switches WS-C3750X-48P running software 15.0(1) SE3. Approximately 12 VLANs are configured in this setup, and port mirroring is done for all VLANs with the destination configured as a single Gig Ethernet port. The setup works fine from a mirroring perspective for 3-4 days, and after that the machine connected to the destination port stops getting data.
Observations:
It has been observed that during the issue, the port configured as the mirror destination has a lot of packet drops/input errors in the port statistics.
If we configure only TX packet mirroring, it works for 8-10 days.
If we configure TX & RX packet mirroring, it works for 2-3 days.
Testing done:
Tried clearing counters on the destination port but no success (mirroring doesn't start).
Tried shut / no shut for the destination port but no success.
Tried restarting the machine connected to the destination port but no success.
Workaround:
We need to reconfigure the mirroring configuration after removing the mirroring config from the switch. Once that is done, mirroring starts working.
Want to understand:
1. Is there any HW limitation for the switch (destination port not capable of handling mirroring traffic)?
2. Is there any software-related issue?
3. What can be the permanent resolution for this?

Hello
We have tried this previously but found the same result.
1. We deleted the monitor session and recreated it with the same session number.
2. We deleted the monitor session and created a new session (different session ID) with the same config.
In both cases it works for 3-4 days.

Similar Messages

  • Span Port - Mirror Certain traffic

    Hi All,
    Following example -
    I have my Inbound Internet connection coming into my switch into a Public VLAN. Coming into that Inbound connection is email from the outside world, among other traffic. Is there a way for me to SPAN this port but send only the email traffic to my monitoring device or is it a case of you either see all traffic or none? I wonder also, the traffic is most likely encrypted at this point which means probably can't determine what is what....

    It's based on where you're going to see the traffic from. If you want to translate inside -> outside, you'll use "ip nat inside". Outside would be when you're wanting to translate an outside source to something else internal.
    *Edit*
    It also depends on what interfaces you have labeled as "ip nat outside" and "ip nat inside".
    ip nat outside source list:   
    translates the source of the IP packets that are traveling outside to inside
    translates the destination of the IP packets that are traveling inside to outside
    ip nat inside source list:
    translates the source of IP packets that are traveling inside to outside
    translates the destination of the IP packets that are traveling outside to inside

  • SG300-28 Port Mirroring

    Hello,
    I am wondering if anyone else has issues with port mirrors? I have created a mirror to copy all packets from interface gi1 to interface gi28. I don't see any port 80 traffic, or 443, or any relevant traffic. I see mostly broadcasts from other devices. I have a security device that is logging all the copied packets from my firewall for malware/IPS, etc. inspection.
    Right now I have it monitoring VLAN 1 in the hope that it would resolve this issue, but I see no change. The config is attached for viewing.
    Any thoughts?

    Hi Alan, try to monitor a specific port instead of the whole VLAN.
    -Tom
    Please mark answered for helpful posts

  • Port mirroring in routers

    Hi,
    Port mirroring (SPAN) is possible in switches; let me know if there is any sort of feature implemented in routers...
    Cheers
    Akhtar

    Cisco has added a new feature that supports mirroring traffic on a router called IP traffic export. You need to run IOS version 12.3(4)T or later.
    Check out the link below for configuration guidelines:
    http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b94.html
    HTH,
    Sundar
    *Please rate all helpful posts.

  • Port mirroring on SG300 questions

    Hi all,
    I'm troubleshooting a LAN issue I have, and I wanted to hook up wireshark to record traffic over the course of a couple of hours for later diagnostics. I went into the web administration interface, clicked Administration > Diagnostics > Port and VLAN Mirroring, and added a port mirror from the port I wanted to watch to a port to which I had connected a laptop. I picked the Tx and Rx options, and clicked Apply.
    I did receive lots of traffic in wireshark, but I noticed immediately that the server on the port I had mirrored was suddenly unavailable on the network -- pings timed out. This lasted until I removed the mirror, then the server was suddenly reachable once again.
    Does this feature not work the way I had thought it does? What I saw looked more like a forward than what I would call a mirror. The documentation leads me to believe mirroring is intended to be used in just the way I was attempting to use it.
    Am I missing something?

    Hi Lamint,
    I have a SG300-10P for my test. I did the same thing you did in my GUI.
    I was mirroring port 7 to port 8, ticking the item to mirror RX and TX.
    My PC with Wireshark was residing on port 8.
    I started a continuous ping from my PC on port 7 at IP address 192.168.10.60 to my WAN router's LAN address, 192.168.10.1.
    As you can see from my screen capture below, my PC on port 8 captured both RX and TX packets on port 7.
    Because my Wireshark PC was on port 8, I could not access the management interface of the switch to show you my configuration, so I grabbed the configuration via HyperTerminal.
    See screen capture below (with some configuration items excluded).
    I would suggest, if you are having issues to allow the Small Business Support Center to assist you.
    http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
    Hope this helps
    regards Dave

  • Why does my sg 200 keeps changing port mirror destination to g1

    On my sg 200-8 I have 1 port mirror session, with destination set to g4. If I disable, then enable, it changes the port to g1 and g4 is not among the ones I can choose. How do I re-enable it, without having to delete it and create a new one. And why does it keep changing it to g1?

    Thanks Thomas. I think I was looking at it wrong regarding the SG switch saying that access mode ports do not tag traffic. It looks like it's from the viewpoint of how the ingress traffic looks. So, a port in access mode assumes that traffic coming in is untagged. Once that traffic ingresses into the port it is then tagged with the VLAN specified for that port. Does this sound right? It's just confusing how the SG switches describe the access mode ports as the PVID being untagged, when it actually is being tagged after data ingresses into the port.
    By the way, the layer 3 device is an ASA 5510, which is also performing DHCP for the VLAN.
    As you mentioned, I think my core issue is the upstream trunking configuration, which I'm looking into.
    Thanks for your help,
    Logan

  • CS11800 - Can I have a SPAN port for my IDS box?

    I have a network design that calls for a few CS11800s and its smaller brother. The security team has asked if this content switch has a SPAN port that is available so we can hang our IDS box off it.
    Thanks
    B

    I am not extremely familiar with the CS11xxx series and its configuration options, but I can tell you that from experience with Cisco Catalyst switches and non-Cisco IDS devices a SPAN port is not always the best solution. In some instances I have had to disable packet learning in the SPAN session, and in other cases I have had to forego using SPAN at all and settled for an uplink to a hub that connected the IDS device and my router(s). This is especially true if the IDS device needs to be a member of the same VLAN as the traffic it is monitoring in order to send RST packets back onto the segment.
    I have researched this issue on my own and even opened TAC cases for a solution, but have received solutions ranging from "There's no reason this shouldn't work" to "You can not set up a SPAN session for IDS purposes." My recommendation would be (even though it does decrease performance a bit) to implement the hub solution, regardless of the CS11800 capabilities. This will prove to remove any potential X factors in the SPAN functionality and make your life a lot easier.
    Just my 2 cents. :)

  • SPAN port or Capture?

    We currently have Cat6513 switches installed and are looking into an IDSM-2 module, but for the time being, until we can actually purchase them, I would like to install a few Snort sensors into the switch to "monitor" a few VLANs.
    I've read where there are only two SPAN ports and to gain some type of correlation to the events, I figure I would need to install a separate snort sensor for each vlan. The problem is the limit of two SPAN ports. I heard that there is a way to utilize a "capture" feature on the 65xx systems.
    Is the appropriate way for this to use the "capture" commands and if so how would I do that?
    Also, I read where the SPAN ports have no performance impact on the switch, but would the "capture" commands?
    I apologize if this is the wrong forum for this but I wasn't sure if this would be more of a switching or IDS question...
    Thanks for any assistance!
    -Jeff

    The solution to that issue of only two SPAN ports is to use VACLs. There is documentation in the Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 5.1.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1030828
    Refer to Catalyst 6500 Series Switch Command Reference for more information on trunk ports and ACLs.

  • SPAN Port Monitoring Setup

    We have three Cisco Catalyst 3750 switches that are stacked. The primary switch has a VLAN ( # 99 ) set up on it. The VLAN has our incoming internet connection. The LAN ports from the two redundant firewalls are routed back to the primary switch ( non VLAN ). The WAN ports on the firewalls are connected to the VLAN. There are three unused ports ( 46, 47 & 48 ) available on the VLAN. There are also a couple of available ports ( 36 & 38 ) on the primary switch that are not in the VLAN.
    We want to connect a hardware device to one of the ports on the switch that monitors network traffic. Need to connect two ports on the hardware device. One for LAN/WAN traffic, and one for the SPAN port.
    Question:
    Which port would you setup as the LAN port ? 
    Which port would you setup as the SPAN port ?
    What commands would we run to set this up ?
    Thanks

    I would suggest moving this post here: https://supportforums.cisco.com/community/6016/lan-switching-and-routing
    3750 isn't considered a small business switch.

  • Catalyst Express 500 port mirroring capabilities

    Does this switch have some port mirroring capability (SPAN or other)?

    See...
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#Cat500

  • SLM2024 port mirroring breaks network connections

    Hi all, I got an SLM2024 that I want to use with my network probe app to analyze packets, I have my network probe PC plugged into the target port and uplink to firewall's trusted port to source port of 2024. Now whenever I enable port mirroring on the 2024, I lose all network connections on the 2024, I searched around here but didn't really find my answer. If anyone's seen this before, any pointers would be great.

    Hi Crash, thanks for the reply, yeah it's a similar setting on that model just with a different layout on the admin page, what I meant on the trusted port part is, I have a netscreen firewall and the trusted port of the firewall goes into the source mirrored port of the slm2024, and my PC is on the target port. And I have those mirrored with a setting for both tx and rx, whenever I enable mirroring it halts traffic from the firewall, and others that are on the 2024 like server/workstns.
    But network probe works and I can see traffic. We had a cisco catalyst before and that had no problems using the span feature.

  • SF200 port mirroring function

    Hello,
    I was able to configure (via the SF200 web interface) a port mirroring from port FE17 to FE7.
    I have suppressed this port mirroring.
    When I try to reconfigure a port mirroring from port FE17 to FE3, the SF200 web interface crashes. The SF200 seems to reboot.
    I have updated the SF200 firmware from V1.1.2.0 to V1.1.2.9.44
    When I was able to configure (via the SF200 web interface) a port mirroring from port FE17 to FE7.
    But after having suppressed this port mirroring again, I was not able to reconfigure a new port mirroring from port FE1 to FE3 (the SF200 hangs).
    I have also tried to return to the default factory settings, but this does not solve the issue.
    I am working on an SF200-24P.
    Thanks for helping !
    Regards,
    Christophe

    Hi Chris, are you connecting the computer to the source port or destination port? When you run the port monitor, the port receiving information (destination) will not function and will drop all connectivity.
    With that said, when you modified the port mirror, can you move the computer to a completely unrelated port such as fe10 and get connectivity?
    Or, if the monitor port is an uplink to such a device as a router, can you move that port connection to something entirely unrelated like port 20 to see if you gain connectivity?
    -Tom
    Please mark answered for helpful posts

  • ASR1001 Port Mirroring

    Hi
    Can anyone help me with how to do port mirroring on an ASR1001 router?

    Hi Zeeshanraza,
    From this Cisco documentation: Configuring ERSPAN
    "The monitor session span-session-number type local command is not supported on Cisco ASR 1000 Series Routers."
    Alternatively you can try using ERSPAN as Local SPAN
    Example: Configuring an ERSPAN as a Local SPAN
    The following example shows how to configure an ERSPAN as a local SPAN.
    monitor session 10 type erspan-source
     source interface GigabitEthernet0/0/0
     destination
      erspan-id 10
      ip address 10.10.10.1
      origin ip address 10.10.10.1
    monitor session 20 type erspan-destination
     destination interface GigabitEthernet0/0/1
     source
      erspan-id 10
      ip address 10.10.0.1
    Regards,
    Hendro
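
An added example, not part of the post above or of Cisco's documentation: a consistency check for ERSPAN session pairs. Cisco's ERSPAN guidance requires the `ip address` under the destination session's `source` block to match the one under the source session's `destination` block, so the script pairs sessions by `erspan-id` and compares them; run on the configuration lines from the post, it reports the 10.10.10.1 / 10.10.0.1 difference. The function names are hypothetical, and the input is assumed to contain only `monitor session` blocks.

```python
import re

# Configuration lines from the post above (the parser ignores indentation).
POSTED_CONFIG = """\
monitor session 10 type erspan-source
 source interface GigabitEthernet0/0/0
 destination
  erspan-id 10
  ip address 10.10.10.1
  origin ip address 10.10.10.1
monitor session 20 type erspan-destination
 destination interface GigabitEthernet0/0/1
 source
  erspan-id 10
  ip address 10.10.0.1
"""

SESSION_RE = re.compile(r"monitor session (\d+) type (erspan-source|erspan-destination)$")

def parse_erspan_sessions(text):
    """Return one dict per ERSPAN monitor session found in the config text."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            cur = {"session": int(m.group(1)), "type": m.group(2),
                   "erspan_id": None, "ip": None, "origin_ip": None}
            sessions.append(cur)
        elif cur is None:
            continue  # line before the first monitor session
        elif line.startswith("erspan-id "):
            cur["erspan_id"] = int(line.split()[1])
        elif line.startswith("origin ip address "):
            cur["origin_ip"] = line.split()[3]
        elif line.startswith("ip address "):
            cur["ip"] = line.split()[2]
    return sessions

def check_erspan_pairs(sessions):
    """Pair source and destination sessions by erspan-id and compare the flow IP."""
    findings = []
    dests = {s["erspan_id"]: s for s in sessions if s["type"] == "erspan-destination"}
    for src in (s for s in sessions if s["type"] == "erspan-source"):
        dst = dests.get(src["erspan_id"])
        if dst is None:
            findings.append(f"session {src['session']}: no erspan-destination "
                            f"session with erspan-id {src['erspan_id']}")
        elif src["ip"] != dst["ip"]:
            findings.append(f"erspan-id {src['erspan_id']}: source session "
                            f"{src['session']} sends to {src['ip']}, destination "
                            f"session {dst['session']} expects {dst['ip']}")
    return findings

if __name__ == "__main__":
    for finding in check_erspan_pairs(parse_erspan_sessions(POSTED_CONFIG)):
        print(finding)
```

An empty result means every source session has a destination session with the same `erspan-id` and the same flow IP address.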

  • CoS/DSCP to queue mapping in Cat 3750

    Hi..
    Cat 3750 supports mapping of CoS to queue as well as mapping DSCP to queue.
    Would like to understand which one the switch will use when actually placing packets in the queue.
    thanks
    Eng Wee

    My apologies, that was not a very good explanation :-)
    Here is what really happens:
    - when a frame is received on a port, the switch maps the CoS or DSCP in the packet to a QoS label to distinguish one kind of traffic from another. If the port is set to trust CoS, the CoS value is used to generate the QoS label. If the port is set to trust DSCP, the DSCP value is used to generate the QoS label.
    - The QoS label that is generated identifies all future QoS actions to be performed on this packet.
    - when the packet is switched to the egress interface, an output queue is selected based on the QoS label. If the QoS label was based on DSCP, the DSCP-to-queue mapping is used. If the QoS label was based on CoS, the CoS-to-queue mapping is used.
    Hope that helps - pls rate the post if it does.
    Paresh

  • Home Hub 3 Port Forwarding Issue - Question to BT

    Question to BT
    Hello, I have recently joined BT Infinity and have hit the issue of the Port Forwarding not working. My HH3 is on the following version of software. Will this version automatically upgrade to the latest version of firmware, and will this fix my port forwarding issue?
    As I work in IT (Cisco Network Eng) I need to be able to access several devices/services at home and this is a real pain for me. If you think that this could drag on, as some posts have indicated, could you please let me know and I will either get a Draytek or throw in a Cisco 1841.
    Thank you
    Dean.
    Current firmware:
    V100R001C01B031SP09_L_B
    Last updated:
    Unknown

    requiem wrote:
    Question to BT
    Hello, I have recently joined BT Infinity and have hit the issue of the Port Forwarding not working. My HH3 is on the following version of software. Will this version automatically upgrade to the latest version of firmware, and will this fix my port forwarding issue?.........
    Thank you
    Dean.
    Current firmware:
    V100R001C01B031SP09_L_B
    Last updated:
    Unknown
    Hi Dean
    By the look of it you've got the type B version of the HH3 with current firmware.
    From http://bt.custhelp.com/app/answers/detail/a_id/13073
    The latest versions of the firmware are:
    BT Home Hub 3 – Software version 4.7.5.1.83.8.57.1.3 (Type A) or V100R001C01B031SP09_L_B
    Please Click On any Text in Blue as that automatically links to information.
    PC (NDEGR)
