Mirroring ports on Cisco switches
<yambe:breadcrumb self="Mirroring ports on Cisco switches">Switch configuration notes|Switch configuration notes</yambe:breadcrumb>
Mirroring ports on cisco switches (SPAN)
Creating monitor session
To mirror ports (use SPAN) on Cisco 2950, 4503, etc. switches we can use 'monitor session' command. To create a mirror we can use
config t monitor session 1 source interface Gigabitethernet 1/3 both monitor session 1 destination interface GigabitEthernet 1/11 exit wr show monitor session 1
Here both is used to monitor both incoming and outgoing traffic. We can have multiple interfaces and VLANs and source for same destination port.
If we use show interfaces the status of monitoring interface is shown as up or down with comment monitoring in front of it. Even if the source port is trunk port the packets are passed untagged on destination interface so that we can easily capture them and analyze them. There is also some dot1q encapsulation options on some switches for monitor session destination but I have not explored that yet.
There is also something called RSPAN which can be used to monitor such that source and destination ports are on two different switches with the help of VLAN.
Deleting monitor session
To delete monitor session we can use
config t no monitor session 1
<yambe:breadcrumb self="Mirroring ports on Cisco switches">Switch configuration notes|Switch configuration notes</yambe:breadcrumb>