Span Port - Mirror Certain traffic

Hi All,
Following example -
I have my Inbound Internet connection coming into my switch into a Public VLAN. Coming into that Inbound connection is email from the outside world, among other traffic. Is there a way for me to SPAN this port but send only the email traffic to my monitoring device, or is it a case of you either see all traffic or none? I wonder also, the traffic is most likely encrypted at this point, which means I probably can't determine what is what...

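The thread does not settle whether the switch itself can narrow a SPAN session to one application, but the mail traffic can still be separated at the monitoring host by the TCP ports it uses, which remain visible even when the payload is TLS-encrypted. The following is an added example, not code from the original post: it classifies constructed Ethernet/IPv4 frames by transport port and keeps only the mail sessions. The port set, the sample addresses and the frame builder are assumptions made for the demonstration.

```python
import struct

# Well-known mail ports (SMTP, SMTPS, submission, POP3, POP3S, IMAP, IMAPS).
# The filter keys on TCP port only; with TLS the port is still in the clear.
MAIL_PORTS = {25, 465, 587, 110, 995, 143, 993}

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def parse_frame(frame: bytes):
    """Return (src_ip, dst_ip, proto, sport, dport) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if ihl < 20 or len(ip) < ihl + 4:
        return None
    proto = ip[9]
    if proto not in (PROTO_TCP, PROTO_UDP):
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])   # first 4 bytes of TCP/UDP
    return src, dst, proto, sport, dport


def is_mail_traffic(frame: bytes) -> bool:
    """True when the frame is TCP and either endpoint uses a mail port."""
    parsed = parse_frame(frame)
    if parsed is None:
        return False
    _, _, proto, sport, dport = parsed
    return proto == PROTO_TCP and (sport in MAIL_PORTS or dport in MAIL_PORTS)


def filter_mail(frames):
    """Keep only the frames a mail-only monitor should see."""
    return [f for f in frames if is_mail_traffic(f)]


def build_frame(src_ip, dst_ip, sport, dport, proto=PROTO_TCP) -> bytes:
    """Constructed minimal Ethernet/IPv4/TCP(UDP) frame for testing (no checksums)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0, src, dst)
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    return eth + ip_hdr + l4


# Constructed sample capture (documentation addresses, not real hosts).
SAMPLE_FRAMES = [
    build_frame("203.0.113.5", "192.0.2.10", 51000, 25),            # inbound SMTP
    build_frame("203.0.113.7", "192.0.2.10", 51001, 443),           # HTTPS, not mail
    build_frame("192.0.2.10", "203.0.113.9", 993, 52000),           # IMAPS reply
    build_frame("203.0.113.8", "192.0.2.10", 4000, 53, PROTO_UDP),  # DNS over UDP
]

if __name__ == "__main__":
    for f in filter_mail(SAMPLE_FRAMES):
        print(parse_frame(f))
```

The same selection can be applied before packets reach disk with a port-based capture filter on the monitoring host, which keeps the SPAN session simple (mirror the whole port) while the monitor only stores what it needs.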

Similar Messages

  • Cat 3750-Span (Port Mirroring issue)

    Hello team
    I am facing port mirroring issue in my setup. Details of the setup are mentioned below
    Setup--
    Stack of 4 Catalyst switches WS-C3750X-48P running software 15.0(1)SE3. Approximately 12 VLANs are configured in this setup and port mirroring is done for all VLANs with the destination configured as a single Gigabit Ethernet port. The setup works fine from a mirroring perspective for 3-4 days and after that the machine connected to the destination port stops getting data.
    Observations-
    It has been observed that during the issue, the port configured for mirror destination has lot of packet drop/input errors on the port statistics.
    If we configure only TX packet mirroring, it works for 8 -10 days
    If we configure TX & RX packet mirroring, it works for 2-3 days
    Testing done
    Tried clearing counter on destination port but no success (mirroring doesn’t start)
    Tried  shut /no shut for the destination port but no success.
    Tried restarting the machine connected to destination port but no success
    Workaround
    We need to reconfigure the mirroring configuration after removing the mirroring config from the switch. Once the same is done, mirroring starts working.
    Want to understand
    1-is there any HW limitation for the switch (destination port not capable of handling mirroring traffic)
    2-is there any software related issue?
    3-what can be permanent resolution for the same..

    Hello
    We have tried this previously but found same result.
    1- we deleted the monitor session and recreated it again with the same session number
    2- we deleted the monitor session and created a new session (different session id) with the same config.
    In both cases it's working for 3-4 days.

  • Change Outbound Port for certain traffic

    Hi,
    I am trying to do a specific task and not being able to figure out what I need to do. Essentially, I would like the Cisco IOS router (3945) to change all DNS traffic going outbound, to use port 54 instead of the standard port 53.
    Setup is very simple. One inside Interface and One Outside interface. Internal addressing on the inside with PAT for internet access. I would like that whenever an internal client makes a DNS request. When the router forwards that to the DNS server on the internet, it should send it to port 54 instead of 53.
    Appreciate the help.

    It's based on where you're going to see the traffic from. If you want to translate inside -> outside, you'll use "ip nat inside". Outside would be when you're wanting to translate an outside source to something else internal.
    *Edit*
    It also depends on what interfaces you have labeled as "ip nat outside" and "ip nat inside".
    ip nat outside source list:   
    translates the source of the IP packets that are traveling outside to inside
    translates the destination of the IP packets that are traveling inside to outside
    ip nat inside source list:
    translates the source of IP packets that are traveling inside to outside
    translates the destination of the IP packets that are traveling outside to inside

  • Port mirroring in routers

    Hi,
    Port mirroring (SPAN) is possible in switches; let me know if there is any sort of feature implemented in routers...
    Cheers
    Akhtar

    Cisco has added a new feature that supports mirroring traffic on a router called IP traffic export. You need to run IOS version 12.3(4)T or later.
    Check out the link below for configuration guidelines:
    http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b94.html
    HTH,
    Sundar
    *Please rate all helpful posts.

  • Span Port (For Whole Vlan)

    Hi All,
    I have a similar setup to the attached. I want to make sure that I mirror all traffic going through vlan 1. The Server is my device that I will be mirroring all traffic to. How do I ensure that traffic from all switches on VLAN 1 is mirrored to the port the server is plugged into? 
    On the Core switch I currently have the following -
    monitor session 1 source vlan 1
    monitor session 1 destination interface Gi4/0/22  (This is where my server is plugged into)
    But I don't think I'm actually monitoring traffic from the other switches. Is there something else I need to add / configure on my access switching to ensure I'm spanning all VLAN 1 traffic from all switches to my server?
    Thanks

    Are you monitoring on an egress switch like the switch that the default gateway is for all of your users? If so, you should be capturing everything. If not, you'll possibly need to move your capture. This type of capture is local to a switch. The only other way that I know of is to create an RSPAN session on every switch that you want to capture from. You create a special remote span vlan. On the edge switch, monitor for vlan 1 as the source, and the destination is that special vlan. Do that for every switch. On your capture switch, monitor the source of the special vlan and then your destination would be your port. You would capture all traffic at that point.
    HTH,
    John
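As an added configuration example of the RSPAN layout John describes (not his configuration and not from the original thread), assuming Cisco IOS syntax on every switch, an RSPAN VLAN numbered 900 (an assumption) and the server port Gi4/0/22 named in the question:

```cisco
! --- On each access switch whose VLAN 1 traffic should be captured ---
! The remote-span keyword marks VLAN 900 as an RSPAN VLAN (flooded, no MAC learning).
vlan 900
 name RSPAN-to-capture
 remote-span
!
monitor session 1 source vlan 1
monitor session 1 destination remote vlan 900

! --- On the core/capture switch where the server sits on Gi4/0/22 ---
vlan 900
 name RSPAN-to-capture
 remote-span
!
monitor session 2 source remote vlan 900
monitor session 2 destination interface Gi4/0/22
```

VLAN 900 has to be allowed on every trunk between the access switches and the capture switch, and because an RSPAN VLAN is flooded, the mirrored copies consume bandwidth on those trunks. Traffic that the core itself switches within VLAN 1 is not in VLAN 900; since a destination port belongs to only one session on Catalyst, check the platform guide for how to combine the existing local session with the remote one rather than pointing two sessions at Gi4/0/22.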

  • SLM2024 port mirroring breaks network connections

    Hi all, I got an SLM2024 that I want to use with my network probe app to analyze packets, I have my network probe PC plugged into the target port and uplink to firewall's trusted port to source port of 2024. Now whenever I enable port mirroring on the 2024, I lose all network connections on the 2024, I searched around here but didn't really find my answer. If anyone's seen this before, any pointers would be great.

    Hi Crash, thanks for the reply, yeah it's a similar setting on that model just with a different layout on the admin page, what I meant on the trusted port part is, I have a netscreen firewall and the trusted port of the firewall goes into the source mirrored port of the slm2024, and my PC is on the target port. And I have those mirrored with a setting for both tx and rx, whenever I enable mirroring it halts traffic from the firewall, and others that are on the 2024 like server/workstns.
    But network probe works and I can see traffic. We had a cisco catalyst before and that had no problems using the span feature.

  • Trouble With Port Mirroring (SG200-08)

    Trouble with port mirroring.
    Even though both Tx and Rx are specified, I'm only getting half the conversation. Ping reply only, for instance. And when pinging from other locations, no traffic at all.
    Please help
    SG200-08
    FW Version: 1.0.2.0
    Boot Version D.3.1
    Thanks

    I also have a problem with the mirroring of a port on my SG200-08. The firmware is 1.0.6.2.
    I mirror the port g1, to which my router to the Internet is connected, to the port g2 to be able to see the traffic with a CentOS system running Bandwidthd connected to the port g2. The problem is that I only see the traffic coming in (downloads from the Internet) and not the traffic coming out (uploads to the Internet).
    When looking at the SG200-08 on the web interface at "Status and Statistics/Interface" and looking at the port g2, I see values for the "Transmit Statistics", but all the values are at 0 for the "Received Statistics" (see the attached file).
    I confirmed that in "Administration/Diagnostic/Port Mirroring" both Tx and Rx are set up (it does not work either if I have Tx or Rx alone: I do not see the upload traffic to the Internet). See the attached file.
    This is very annoying as I purchased this SG200-08 especially for this and it does not do the job properly.
    Does anybody know a solution to this?

  • Is SPAN port not allowed in Nexus FEX Port ?

    Hi
    Customer wants me to define a SPAN port on N2K; it is a FEX port. When I configure it I get the following statement from the switch.
    Is there any way to solve the problem?
    n5k-N2K(config-monitor)# destination ?
      interface  Configure interfaces
    n5k-N2K(config-monitor)# destination interface eth102/1/18
    ERROR: Eth102/1/18: Configuration not allowed on fex interface
    N5K VERSION
    Cisco Nexus Operating System (NX-OS) Software
    TAC support: http://www.cisco.com/tac
    Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.
    Software
      BIOS:      version 1.2.0
      loader:    version N/A
      kickstart: version 4.0(1a)N2(1)
      system:    version 4.0(1a)N2(1)
      BIOS compile time:       06/19/08
      kickstart image file is: bootflash:/n5000-uk9-kickstart.4.0.1a.N2.1.bin
      kickstart compile time:  2/25/2009 0:00:00 [02/25/2009 08:29:12]
      system image file is:    bootflash:/n5000-uk9.4.0.1a.N2.1.bin
      system compile time:     2/25/2009 0:00:00 [02/25/2009 08:56:57]

    Hi,
    A FEX port cannot be configured as a SPAN destination. Only a switch port can be configured and used as a SPAN destination.
    See link below for more info:
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/release/notes/Rel_5_1_3_N2_1/Nexus5000_Release_Notes_5_1_3_N2.html
    HTH

  • Add VM to a Port Mirroring Session

    I need every VM added to a given folder in vCenter to be added to an existing distributed switch port mirroring session.  Is this possible using PowerCLI?

    The following will add the VM ($vmName) to a specific port mirroring session ($mirrorSessionName) on a distributed switch ($dvSwName).
    You can define the traffic direction(s) for which the VM needs to be added with the variables $Ingress and $Egress.
    Note that there isn't any error checking in the script.
    For example, if the mirror session does not exist, the script will fail without an informative message.
    To repeat this script for all VMs in a specific folder should not be too difficult, I assume?
    $dvSwName = 'dvSw1'
    $mirrorSessionName = 'Test'
    $vmName = 'VM2'
    $Ingress = $false
    $Egress = $true

    $dvSw = Get-VDSwitch -Name $dvSwName
    $vm = Get-VM -Name $vmName
    # The VM's NIC that is backed by a distributed port; its PortKey identifies it in the session
    $vmNic = $vm.ExtensionData.Config.Hardware.Device |
        where{$_.Backing -is [VMware.Vim.VirtualEthernetCardDistributedVirtualPortBackingInfo]}

    $spec = New-Object VMware.Vim.VMwareDVSConfigSpec
    foreach($mirrorSession in $dvSw.ExtensionData.Config.VspanSession){
        if($mirrorSession.Name -eq $mirrorSessionName){
            $vspan = New-Object VMware.Vim.VMwareDVSVspanConfigSpec
            $vspan.Operation = [VMware.Vim.ConfigSpecOperation]::edit
            # Add the port as an ingress (received) source unless it is already there
            $vmInRc = $mirrorSession.SourcePortReceived | where{$_.PortKey -contains $vmNic.Backing.Port.PortKey}
            if($Ingress -and !$vmInRc){
                $mirrorSession.SourcePortReceived.PortKey += $vmNic.Backing.Port.PortKey
            }
            # Add the port as an egress (transmitted) source unless it is already there
            $vmInTx = $mirrorSession.SourcePortTransmitted | where{$_.PortKey -contains $vmNic.Backing.Port.PortKey}
            if($Egress -and !$vmInTx){
                $mirrorSession.SourcePortTransmitted.PortKey += $vmNic.Backing.Port.PortKey
            }
            $vspan.VspanSession = $mirrorSession
            $spec.VspanConfigSpec += $vspan
        }
    }
    # The ConfigVersion must match the switch's current version or the reconfigure is rejected
    $spec.ConfigVersion = $dvSw.ExtensionData.Config.ConfigVersion
    $dvSw.ExtensionData.ReconfigureDvs($spec)

  • Port mirroring with ALOT of Drops Tx on a 5406zl

    Hi everybody.
    My first post here and I'm convinced that the questions I have will be easily answered by several of the true experts that reside here in the forum.
    Question #1.
    I've set up port mirroring this way on my HP procurve J8697A Switch 5406zl (Software revision K.15.12.0015)
    sw-dh-1(config)# show monitor 1
    Network Monitoring
       Session: 4    Session Name:
          Mirror Destination:  B13   (Port)
          Monitoring Sources  Direction Truncation Mirror Policy
          Port: F1            Both       No         -
          Port: F2            Both       No         -
          Port: F3            Both       No         -
    sw-dh-1# show monitor 2
    Network Monitoring
       Session: 3    Session Name:
          Mirror Destination:  A6    (Port)
          Monitoring Sources  Direction Truncation Mirror Policy
          Port: A7            Both       No         -
          Port: B6            Both       No         -
          Port: B10           Both       No         -
          Port: Trk5          Both       No         -
          Port: Trk9          Both       No         -
          Port: Trk11         Both       No         -
    See output of "show interface" below. I'm worried about "Drop Tx". What does that mean exactly? Are mirrored packets dropped or does this mean that the ordinary traffic on the monitoring ports are also affected? If yes, how? Data loss, resending packets, loss of speed, high CPU load on the switch?
    sw-dh-1# show interfaces B13
     Status and Counters - Port Counters for port B13
      Name  : <removed>
      MAC Address      : xxxxxx-xxxxx
      Link Status      : Up
      Totals (Since boot or last clear) :
       Bytes Rx        : 576                Bytes Tx        : 4,252,895,128
       Unicast Rx      : 0                  Unicast Tx      : 3,440,299,294
       Bcast/Mcast Rx  : 9                  Bcast/Mcast Tx  : 412,639,331
      Errors (Since boot or last clear) :
       FCS Rx          : 0                  Drops Tx        : 29,441,235
       Alignment Rx    : 0                  Collisions Tx   : 0
       Runts Rx        : 0                  Late Colln Tx   : 0
       Giants Rx       : 0                  Excessive Colln : 0
       Total Rx Errors : 0                  Deferred Tx     : 0
      Others (Since boot or last clear) :
       Discard Rx      : 0                  Out Queue Len   : 0
       Unknown Protos  : 0
      Rates (5 minute weighted average) :
       Total Rx  (bps) : 0                  Total Tx  (bps) : 5,002,088
       Unicast Rx (Pkts/sec) : 0            Unicast Tx (Pkts/sec) : 0
       B/Mcast Rx (Pkts/sec) : 0            B/Mcast Tx (Pkts/sec) : 6
       Utilization Rx  :     0 %            Utilization Tx  : 0.50 %
    sw-dh-1# show interfaces A6
     Status and Counters - Port Counters for port A6
      Name  : <removed>
      MAC Address      : xxxxx-xxxxx
      Link Status      : Up
      Totals (Since boot or last clear) :
       Bytes Rx        : 960                Bytes Tx        : 1,442,037,177
       Unicast Rx      : 0                  Unicast Tx      : 1,988,961,810
       Bcast/Mcast Rx  : 15                 Bcast/Mcast Tx  : 339,915,002
      Errors (Since boot or last clear) :
       FCS Rx          : 0                  Drops Tx        : 1,647,165,303
       Alignment Rx    : 0                  Collisions Tx   : 0
       Runts Rx        : 0                  Late Colln Tx   : 0
       Giants Rx       : 0                  Excessive Colln : 0
       Total Rx Errors : 0                  Deferred Tx     : 0
      Others (Since boot or last clear) :
       Discard Rx      : 0                  Out Queue Len   : 0
       Unknown Protos  : 0
      Rates (5 minute weighted average) :
       Total Rx  (bps) : 0                  Total Tx  (bps) : 5,000,000
       Unicast Rx (Pkts/sec) : 0            Unicast Tx (Pkts/sec) : 0
       B/Mcast Rx (Pkts/sec) : 0            B/Mcast Tx (Pkts/sec) : 0
       Utilization Rx  :     0 %            Utilization Tx  : 0.50 %
    Utilization and total for the last 5 minutes are off since I turned the mirroring off when I saw the drops. Utilization when port mirroring was on was 20-35%.
    Question #2:
    Is it better if I mirror out all traffic to the 10GB port instead? Assuming that it is possible to do port mirroring to the 10GB port?
    best regards,
    Dean Y

    You don't indicate which router you have, but that doesn't really matter. Neither the Actiontec MI424-WR nor the Quantum G1100 has port mirroring. You need an old fashioned hub, or a managed switch that supports it.
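Dean's "Drops Tx" counters are what a mirror destination shows when it is oversubscribed: session 3 copies six sources (three ports and three trunks) in both directions into the single port A6, so in the worst case well over 1 Gbit/s is offered to a 1 Gbit/s link, and the switch discards the excess copies at the destination queue. The following added example (not from the original thread) parses the ProCurve-style counter block quoted above and turns it into a drop ratio and an oversubscription check; the per-link speeds, the 1% threshold and the assumption that the trunks count as single 1 Gbit/s sources are assumptions.

```python
import re

# Constructed excerpt: counter lines copied from the "show interfaces A6" output
# in the post above, trimmed to the fields this check needs.
SAMPLE_SHOW_INTERFACES_A6 = """\
 Status and Counters - Port Counters for port A6
  Totals (Since boot or last clear) :
   Bytes Rx        : 960                Bytes Tx        : 1,442,037,177
   Unicast Rx      : 0                  Unicast Tx      : 1,988,961,810
   Bcast/Mcast Rx  : 15                 Bcast/Mcast Tx  : 339,915,002
  Errors (Since boot or last clear) :
   FCS Rx          : 0                  Drops Tx        : 1,647,165,303
   Alignment Rx    : 0                  Collisions Tx   : 0
"""

# Each counter line carries two "Name : value" pairs; values use thousands separators.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z/ ]*?)\s*:\s*([\d,]+)")


def parse_counters(text: str) -> dict:
    """Return {counter name: int} from a ProCurve-style 'show interfaces' block."""
    return {name.strip(): int(value.replace(",", ""))
            for name, value in COUNTER_RE.findall(text)}


def tx_drop_ratio(counters: dict) -> float:
    """Share of frames offered to the port's egress queue that were dropped."""
    delivered = counters.get("Unicast Tx", 0) + counters.get("Bcast/Mcast Tx", 0)
    drops = counters.get("Drops Tx", 0)
    offered = delivered + drops
    return drops / offered if offered else 0.0


def worst_case_offered_gbps(num_sources: int, both_directions: bool,
                            source_gbps: float = 1.0) -> float:
    """Upper bound on mirror load: every source link saturated in the mirrored direction(s)."""
    return num_sources * source_gbps * (2 if both_directions else 1)


def is_oversubscribed(num_sources: int, both_directions: bool,
                      dest_gbps: float = 1.0, source_gbps: float = 1.0) -> bool:
    """True when the worst-case mirror load cannot fit on the destination link."""
    return worst_case_offered_gbps(num_sources, both_directions, source_gbps) > dest_gbps


def assess(text: str, num_sources: int, both_directions: bool,
           dest_gbps: float = 1.0, drop_threshold: float = 0.01) -> dict:
    """Combine the counter evidence with the session layout into one verdict."""
    ratio = tx_drop_ratio(parse_counters(text))
    return {
        "drop_ratio": ratio,
        "drops_exceed_threshold": ratio > drop_threshold,
        "worst_case_offered_gbps": worst_case_offered_gbps(num_sources, both_directions),
        "oversubscribed": is_oversubscribed(num_sources, both_directions, dest_gbps),
    }


if __name__ == "__main__":
    # Session 3 in the post: six sources, both directions, destination A6 (1 Gbit/s assumed).
    print(assess(SAMPLE_SHOW_INTERFACES_A6, num_sources=6, both_directions=True))
```

Drops on a mirror destination only affect the copies; the sources keep forwarding normally, but the monitor silently misses whatever was discarded, which is the real risk for an IDS or recorder. Mirroring one direction, fewer sources, or into a faster (10 Gbit/s) destination port all lower the worst-case figure the check computes.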

  • SG300-28 Port Mirroring

    Hello,
    I am wondering if anyone else has issues with port mirrors? I have created a mirror to copy all packets from interface gi1 to interface gi28. I don't see any port 80 traffic, or 443, or any relevant traffic. I see mostly broadcasts from other devices. I have a security device that is logging all the copied packets from my firewall for malware/IPS, etc. inspection.
    Right now I have it monitoring vlan 1 in the hope that it would resolve this issue but I see no change. The config is attached for viewing.
    Any thoughts?

    Hi Alan, try to monitor a specific port instead of the whole VLAN.
    -Tom
    Please mark answered for helpful posts

  • Port mirroring on SG300 questions

    Hi all,
    I'm troubleshooting a LAN issue I have, and I wanted to hook up wireshark to record traffic over the course of a couple of hours for later diagnostics. I went into the web administration interface, clicked Administration > Diagnostics > Port and VLAN Mirroring, and added a port mirror from the port I wanted to watch to a port to which I had connected a laptop. I picked the Tx and Rx options, and clicked Apply.
    I did receive lots of traffic in wireshark, but I noticed immediately that the server on the port I had mirrored was suddenly unavailable on the network -- pings timed out. This lasted until I removed the mirror, then the server was suddenly reachable once again.
    Does this feature not work the way I had thought it does? What I saw looked more like a forward than what I would call a mirror. The documentation leads me to believe mirroring is intended to be used in just the way I was attempting to use it.
    Am I missing something?

    Hi Lamint,
    I have a SG300-10P for my test,  I did the same thing you did in my GUI.
    I was mirroring port 7 to port 8 ticking the item to mirror RX and TX
    My PC with wireshark was residing on port 8.
    I started a continuous ping from my PC on port 7 at IP address 192.168.10.60 to my WAN router's LAN address, 192.168.10.1.
    As you can see from my screen capture below, my PC on port 8 captured both RX and TX packets on port 7.
    Because my wireshark PC was on port 8, I could not access the management interface of the switch to show you my configuration, so I grabbed the configuration via hyperterminal.
    See screen capture below (with some configuration items excluded).
    I would suggest, if you are having issues to allow the Small Business Support Center to assist you.
    http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
    Hope this helps
    regards Dave

  • Why does my SG200 keep changing the port mirror destination to g1

    On my sg 200-8 I have 1 port mirror session, with destination set to g4. If I disable, then enable, it changes the port to g1 and g4 is not among the ones I can choose. How do I re-enable it, without having to delete it and create a new one. And why does it keep changing it to g1?

    Thanks Thomas. I think I was looking at it wrong regarding the SG switch saying that access mode ports do not tag traffic. It looks like it's from the viewpoint of how the ingress traffic looks. So, a port in access mode assumes that traffic coming in is untagged. Once that traffic ingresses into the port it is then tagged with the VLAN specified for that port. Does this sound right? It's just confusing how the SG switches describe the access mode ports as the PVID being untagged, when it actually is being tagged after data ingresses into the port.
    By the way, the layer 3 device is an ASA 5510, which is also performing DHCP for the VLAN.
    As you mentioned, I think my core issue is the upstream trunking configuration, which I'm looking into.
    Thanks for your help,
    Logan

  • Port mirroring on A90-9100EM15-10

    Hey all - 
        I have the A90-9100EM15-10 FiOS router and I'd like to setup port mirroring from the router if it has the capability (I know, I know...this is typically done from a switch).  Anyway, rather than purchase a managed switch or build a linux-based "switch" and place it inline, I'd be content with the ability to passively monitor traffic.  I prefer to monitor traffic both directions but outgoing would suffice. 
        Does anyone know if my model FiOS router has such a capability?
    Cheers,
    Eneg

    The 9100EM does not support port mirroring.
    You might want to find a hub and use that to mirror the traffic.
    http://shop.ebay.com/?_from=R40&_trksid=p5197.m570.l1313&_nkw=ethernet+hub&_sacat=See-All-Categories
    Be careful though, many of those listed claim to be hubs are not and are in fact switches.

  • CS11800 - Can I have a SPAN port for my IDS box?

    I have a network design that calls for a few CS11800s and its smaller brother. The security team has asked if this content switch has a SPAN port that is available so we can hang our IDS box off it.
    Thanks
    B

    I am not extremely familiar with the CS11xxx series and its configuration options, but I can tell you that from experience with Cisco Catalyst switches and non-Cisco IDS devices a SPAN port is not always the best solution. In some instances I have had to disable packet learning in the SPAN session, and in other cases I have had to forego using SPAN at all and settled for an uplink to a hub that connected the IDS device and my router(s). This is especially true if the IDS device needs to be a member of the same VLAN as the traffic it is monitoring in order to send RST packets back onto the segment.
    I have researched this issue on my own and even opened TAC cases for a solution, but have received solutions ranging from "There's no reason this shouldn't work" to "You can not set up a SPAN session for IDS purposes." My recommendation would be (even though it does decrease performance a bit) to implement the hub solution, regardless of the CS11800 capabilities. This will prove to remove any potential X factors in the SPAN functionality and make your life a lot easier.
    Just my 2 cents. :)
