Cisco :: Port Mirroring On Switches?
Oct 31, 2011
I have a Cisco Catalyst 3750X switch, and I have configured port mirroring on it. Traffic from 12 of the 1G ports will be mirrored to both 10G ports, and I have connected both 10G ports to a server that captures the traffic.
Currently, I have one of the 12 1G ports connected to another server that replays a pcap file once at maximum speed (i.e. option -t in tcpreplay). I thought that this setup means I should get twice the number of packets (and rate) from the two 10G ports. However, I noticed that although the original pcap file contains 4288 packets, the number of packets from the two 10G ports varies between 31000 to 34000 packets, which is about 7 to 8 times the original number of packets. Why am I getting more than twice the amount of traffic, and why does the output vary?
View 2 Replies
ADVERTISEMENT
Mar 14, 2013
i was able to configure (via SF200 web interface) a port mirroring from port FE17 to FE7.i have supressed this port mirroring.when i try to reconfigure a port mirroring from port FE17 to FE3. The SF200 web interface crash. the SF200 seems to reboot.
i have updated the SF200 firmware from V1.1.2.0 to V1.1.2.9.44 when i was able to configure (via SF200 web interface) a port mirroring from port FE17 to FE7.But after having suppressed this port mirroring again, i was not able to reconfigure a new port mirroring from port FE1 to FE3 (the SF200 hangs).
i have also tried to return to default factory setting but this does not solve the issue.i am working on SF200-24P
View 2 Replies
View Related
Apr 28, 2013
I have created a mirror to copy all packets from Interface gi1 to interface gi28. I don't see any port 80 traffic, or 443 or any revelant traffic. I see mostly broadcast from other devices. I have a security device that is logging all the copied packets from my firewall for malware/IPS, etc inspection.Right now I have it monitoring vlan 1 in the hope that it would resolve this issue but I see no change.
View 1 Replies
View Related
May 3, 2011
I want to configure port mirroring on SG300 swtich, port monitoring status is "Not Ready" , and i can not monitor the source interface!
View 1 Replies
View Related
Nov 8, 2011
I'm troubleshooting a LAN issue I have, and I wanted to hook up wireshark to record traffic over the course of a couple of hours for later diagnostics. I went into the web administration interface, clicked Administration > Diagnostics > Port and VLAN Mirroring, and added a port mirror from the port I wanted to watch to a port to which I had connected a laptop. I picked the Tx and Rx options, and clicked Apply.I did receive lots of traffic in wireshark, but I noticed immediately that the server on the port I had mirrored was suddenly unavailable on the network -- pings timed out. This lasted until I removed the mirror, then the server was suddenly reachable once again.Does this feature not work the way I had thought it does? What I saw looked more like a forward than what I would call a mirror. The documentation leads me to believe mirroring is intended to be used in just the way I was attempting to use it.
View 1 Replies
View Related
Oct 25, 2012
I have been told there is a limit (8) on the number of source ports that can be mirrored to a given destination port. I can find no specifications or other documentation to corroborate this claim. Any factual data to confirm or refute this claim?
View 7 Replies
View Related
Jan 24, 2013
Recently our company purchased 3 Lynksys SGE2010p, At the moment they work as a stack but as we are implementing UCCX we need to mirror 15 ports but during the provisioning i've noticed that the limit is 8 ports per stack. I'm wondering whether this is a known issue or just a known limitation . I believe that most probably i'll need to move back to stand alone mode so i could configure 8 mirrored ports per switch.
View 2 Replies
View Related
May 2, 2011
If switches on a network doesn't support remote port mirroring and only local port mirroring, What are the options to still capture all the traffic from all switches on 1 single core switch?
View 1 Replies
View Related
Sep 5, 2011
Does the ESW 520 24P Support Mirroring 20 Ports Traffic to 1 Destination Port?
View 3 Replies
View Related
Mar 2, 2011
is ASR 1006 supported span port or port mirroring? Any config about that?
View 2 Replies
View Related
Jan 31, 2011
I have looked up the command sequence for port mirroring and it seems pretty straight forward however in my case the command will not execute.
I have a 851W with 12.4T
If I do: #monitor session 1 source interface fa 4 (wan port)
i get the response invalid input detected however if I do the same command for fa 1, fa ,2 and fa 3 they work
Using the ? shows the valid entries are [0-4] for fastethernet
I just want to monitor WAN traffic with WireShark, particularly DDNS requests, with a spare PC connected to a free lan port.
I would use a hub on the Wan connection but unfortunately I do not have one at the moment.
View 8 Replies
View Related
Sep 14, 2011
I'm trying to setup port mirroring on a Cisco ASA 5510, but when I try to use the switchport monitor command, that command is not recognized.I've selected what interface I want to configure (conf-if), but the switchport command seems to not be part of the IOS.I'm running ASA version 8.2(1)
View 9 Replies
View Related
Oct 21, 2012
I've just installed 2 of these in my workplace on a PLC network.I'm now looking to set one of the ports up as my diagnostic port and would like to be able to mirror any of the other ports to this port.I believe it is called SPAN on Cisco switches.The only reference I can find to it is configuring via Telnet which I haven't got a clue about.On my old Wiedmuller switches it was just a few clicks away.
View 3 Replies
View Related
Mar 1, 2006
Does it have this switch some port mirroring capability (SPAN or other)?
View 2 Replies
View Related
Oct 30, 2012
I am trying to configure a SNORT IDS system running on a physical machine using Linux as the base OS. I have a small lab network setup with 3 VLANs, a 3548 switch and a 2611 router acting as the router on a stick/inter-vlan router. My goal is to setup SNORT as a host-based IDS system. To do that I know I need to use the "port monitor" command on the switch and I have tested this and it works fine only when the snort system and the traffic I want to monitor reside on the same VLAN.My problem is I want to be able to monitor a trunk link betwee the switch and router to see traffic coming from my 3 VLANs which contain servers. My goal is to run attacks on the servers to test SNORT's effectiveness.
Relevant information from my configuration: interface fa 0/1 on switch is the trunk like carry 3 vlans to the router On the switch:
int fa 0/1
switchport mode trunk
int fa 0/5
port monitor fa 0/1
switchport mode access
The switch will not allow me to configure fa 0/5 as a trunk, only can be an access port.So right now, SNORT does not see any traffic other than traffic from my router to the switch. I assume because this is going over the native VLAN (1 in this case) and that is the same VLAN that SNORT box resides on on interface fa 0/5. So I know the span is working to an extent, but traffic from my other VLANs (server to server traffic) does not show on SNORT at all.I have done some research on Cisco.com and see the following seemingly contradicting information:
VLAN Filtering When you monitor a trunk port as a source port, all VLANs active on the trunk are monitored by default. You can use VLAN filtering in order to limit SPAN traffic monitoring on trunk source ports to specific VLANs Then I see, under the section for the 3500 series: A monitor port cannot be a dynamic-access port or a trunk port. However, a static-access port can monitor a VLAN on a trunk, a multi-VLAN, or a dynamic-access port. The VLAN that is monitored is the one that is associated with the static-access port.
My question is, does that mean the 3548 cannot support spanning a trunk link and having all VLANs on that trunk be monitored correctly to the monitoring port? I know the 3548 is old, but it is the only thing right now I have to work with. I could put the SNORT box inline on the network, but that is another mess in itself.
View 6 Replies
View Related
Apr 23, 2013
Are you only able to have two sessions for port mirroring on a Cisco 4510?
View 1 Replies
View Related
May 20, 2013
I have cisco 2651. It contains two FastEthernet interfaces: Fa0/0, Fa0/1.Fa0/1 has an ip address. Fa0/0 hasn't an ip address.I need to create monitor session from source Fa0/1 to destination Fa0/0. Then i want to connect my notebook to Fa0/0 to analyze some traffic from port Fa0/1
View 2 Replies
View Related
Aug 20, 2012
I have 2 switch groups.
2 SGE2010's with VLAN's defined as 10,20 and 30
Vlan 10 is the management VLAN, and it uplinks to our border router.Vlan 20 is the workstation VLAN, and all workstations point to the switch as their default GW? Vlan 30 is the ip phone VLAN, and all phones use this as their gateway.
I would like to put a LAG between said switches, we have some servers on the ip phone switch that need to be accessed by the workstation clients, and the single 100mb link through the router is probably not going to be enough.As I understand it, because the switches have different networks on them, a simple lag will not work. I did create a lag, and assign ip addresses to each side, however in that mode, it doesn't appear I can block vlan 10 from transiting the LAG, and with out that block I will end up with a logical loop, and spanning-tree will block one of the uplinks, or the LAG itself.
View 10 Replies
View Related
May 28, 2011
using task manager in XP it is clear that while browsing data is being uploaded mirroring the data downloaded..ie in a given period if 18mB comes downstream (just surfing) then 11mB goes upstream. The graph in task manager shows that the peaks and troughs of the data upstream and downstream exactly correspond and watching the bytes tick over confirms that data goes out for every data coming in.I assume that this should not happen? I realise ip protocols have some kind of error detection that may require uploading data, but the amount sent seems excessive! From my limited understanding of networking and running wireshark it looks like that when packets come from an ip on the web ( i use the terms web/internet interchangeably ) then packets are sent out to the same ip ... using TCP and HTTP ( I don't really understand them ). The info for one such packet going out is "Continuation or non-HTTP traffic" using the HTTP protocol, which sounds a bit contradictory. I regularly run virus scans and rarely find anything. The cpu regularly maxes out and its usually something to do with firefox ( I've heard of buffer overflows but i assume the problem is a relatively old processor and hardware).The browser is firefox. OS is XP.Coincidentally, the pc was recently rebooting after crashing until I disabled "restart on system failure" which prevented the crashes ( if they were crashes and not just the system reacting to an error ). Again, that is a bit suspicious but maybe not. Spybot, bit defender quickscan,avira, zone alarm, malwarebytes etc haven't flagged anything up.Maybe the router is not configured properly. As with all these things, there will be some simpler things to start with to diagnose this issue (if there is one ) but I don't know what they are.The pc uses wifi to connect. The isp is not the best and the speed is pretty bad for adsl. Every couple of days the router needs rebooting because it stops giving out ip's.
View 6 Replies
View Related
Oct 13, 2011
I have 2 X E4200 router, one is directly connected to the internet and the other is in the bridge mode connected to the first router. I have apple TV connected directly with the bridge router on one of the Ethernet port.I notice that when you start apple Airplay mirroring on the iPad2 both the routers will hangs with no reason and the only way to fix it is to reboot the routers. I have reset both the routers to factory default twice they both are running firmware 1.0.03 build 14 .
View 9 Replies
View Related
Mar 2, 2013
I want to record all activity on my WAG320N either by continuously downloading the log or by promiscuously mirroring all traffic to a nominated computer for analysis.
View 3 Replies
View Related
Mar 5, 2013
I have a problem when doing Apple Airplay mirroring from my iphone5. Every time it kmocks the wifi signal off so I need to reboot the router. This is only happening on the iphone 5, and not other apple devices using mirroring. Our ipad 3 mirrors perfectly without affecting the wifi. There isn't any specific settings on the iphone 5 for airplay apart from setting it on and off.
View 2 Replies
View Related
Jan 25, 2012
I just bought 4 units of Cisco ESW-520 24Ports switches. I did some testing and found out for PORTS 1 and 12 is in "Suspended" mode and thus not able to use.This not happened to 1 but all 4 switches. Why is this so? How to disable the ports from going into "suspended" mode automatically ? I wouldn't want the ports to be in "Suspension" mode when it goes live and thus block the desktops from having internet access.
View 2 Replies
View Related
Feb 24, 2013
I connect to switch Access Point, configure port on switch which vlan work on this port. But after reboot AP my config for this port delete and have other config where vlan 1 untagged, and allow all other vlan. But in my cinfig allow 3vlan: untagged 100, and tagged 113, 999.
View 1 Replies
View Related
Jul 11, 2011
I have a SG-300-52 port switch configured Layer 3 with mutiple VLANs. I have run out of ports. What is the best way (or easiest) to bring up a second SG-300-52 port switch with the same VLAN configuration?
View 1 Replies
View Related
Jul 2, 2012
I have applied port security in one cisco switch and i have enabled port security in one port.I have applied port security as sticky and applied "restrict" on violation of the portsecurity.Now i have connected a PC to that switch port. Later i have connected another PC. The packets got dropped. But when i connected the original PC again, the packets flow started again.So, i have a doubt. Will the packet flow get establish, when the original PC is connected again to a port which is applied with port security violation "Restrict"?
View 2 Replies
View Related
Jan 31, 2013
how can i view the port G27 and G28 in GUI? As based on the GUI Adminstrator - > Port Management - > Port Setting i only can view from port G1 to G26. Or it will only appear when the port is active for stacking.
View 3 Replies
View Related
Nov 7, 2011
I want to setup BB to monitor snmptraps with failure. The BB log shows can't connect to all switch ports 161, and I even can't telnet to XXX_17f 161 for example. My switches are Cisco C3550, C2950, ASA etc.
Mon Nov 7 15:43:03 2011 bbnet Can't connect to server XXX_17f on port 161
Mon Nov 7 15:43:03 2011 bbnet Can't connect to server XXX_9f on port 161
Mon Nov 7 15:43:03 2011 bbnet Can't connect to server XXX on port 161
View 1 Replies
View Related
Dec 12, 2011
Is there a way to set static ip addresses to each port on at sf 300-08?
View 1 Replies
View Related
Jan 7, 2013
I'm used to using full blown cisco IOS/CLi and I'm new to the SG 300 switches. How you can default a port config? The 'default int ##' command doesn't exist on the CLi and I can't find anywhere in the web gui for this.Finding it very frustrating having to go into each port and get rid of all the commands.I can't default the switch as its live and was to reconfigure most of the ports which are now unused.
View 2 Replies
View Related
Jan 23, 2012
I used LACP on port 49 and 50.After upgrade firmware from 1.0.0.19 to 1.1.2.0 my LAG1 stay down...all port member stay down, port link is up but LAG stay down...I testtu delete and reconfigure LAG1 but nothing work...
View 3 Replies
View Related
Jan 15, 2013
I have 3 x SG500-52P switches stacked. Vlan 1 is data and Vlan 3 is voice Port to Vlan membership is 1UP and 3T Port security is disabled
The issue I have is that I can have either a phone or a PC plugged into a port but not both. If I plug in both then the phone works and the PC gets an IP address (Broadcast traffic) but PC cannot browse the network.
View 9 Replies
View Related
Oct 16, 2011
We just purchased 8 managed switches POE to swap out our existing in preparation for our new phone system. We installed them all after configuring with static IP. Deployed... and all but two work fine. Any tips for troubleshooting why two of them do not work? There are a couple other switches in the building. Could it be that a switch "upstream" from the two non-functioning switches is causing an issue? If so, how do I find out? When we put back the two "dumb" switches all was fine.
View 1 Replies
View Related
