Mirroring ports on Cisco switches

From Notes_Wiki
Revision as of 06:00, 18 September 2018 by Saurabh (talk | contribs)

<yambe:breadcrumb self="Mirroring ports on Cisco switches">Switch configuration notes|Switch configuration notes</yambe:breadcrumb>

Mirroring ports on cisco switches (SPAN)

Creating monitor session

To mirror ports (use SPAN) on Cisco 2950, 4503, etc. switches we can use 'monitor session' command. To create a mirror we can use

config t
    monitor session 1 source interface Gigabitethernet 1/3 both
    monitor session 1 destination interface GigabitEthernet 1/11 
    exit
wr
show monitor session 1

Here both is used to monitor both incoming and outgoing traffic. We can have multiple interfaces and VLANs and source for same destination port.

If we use show interfaces the status of monitoring interface is shown as up or down with comment monitoring in front of it. Even if the source port is trunk port the packets are passed untagged on destination interface so that we can easily capture them and analyze them. There is also some dot1q encapsulation options on some switches for monitor session destination but I have not explored that yet.

There is also something called RSPAN which can be used to monitor such that source and destination ports are on two different switches with the help of VLAN.


Deleting monitor session

To delete monitor session we can use

config t
    no monitor session 1


<yambe:breadcrumb self="Mirroring ports on Cisco switches">Switch configuration notes|Switch configuration notes</yambe:breadcrumb>