Cisco Port Mirroring (SPAN)

We had a requirement for our Linux based network probe to see all the network traffic for monitoring purposes.
To achieve this I suggested we implement a network mirror port, this essentially copies the network packet information from
ports you specify to a destination port where the packets can be analysed.

Using a Cisco switch this what I did to achieve the network port mirror, in Cisco terms this is called a SPAN or RSPAN using VLANS

CISCO

“A local SPAN session associates a destination port with source ports. You can monitor incoming or outgoing traffic on a series or range of ports and source VLANs. An RSPAN session associates source ports and source VLANs across your network with an RSPAN VLAN. The destination source is the RSPAN VLAN.

Get a list of ports you need Monitored:

monitor session 1 source interface GigabitEthernet1/0/25
monitor session 1 source interface GigabitEthernet1/0/24
monitor session 1 source interface GigabitEthernet1/0/26
monitor session 1 source interface GigabitEthernet1/0/27
monitor session 1 source interface GigabitEthernet1/0/48
monitor session 1 source interface GigabitEthernet2/0/46
monitor session 1 source interface GigabitEthernet2/0/47
monitor session 1 source interface GigabitEthernet2/0/48
monitor session 1 source interface GigabitEthernet2/0/31
monitor session 1 source interface GigabitEthernet2/0/32
monitor session 1 source interface GigabitEthernet2/0/33
monitor session 1 source interface GigabitEthernet5/0/43

Set the Destination port

monitor session 1 destination interface GigabitEthernet6/0/1

 

SWS-STK1#show monitor session 1
Session 1
---------
Type : Local Session
Source Ports :
 Both : Gi1/0/44-48,Gi2/0/21-23,Gi2/0/46-48,Gi5/0/13
Destination Ports : Gi6/0/24
 Encapsulation : Native
 Ingress : Disabled


SWS-STK1#

The Ingress shows disabled by default. This is because it is just used for monitoring traffic, it won’t work as a regular port.
If you want to monitor traffic and use that port to receive regular traffic you need to use the following:

monitor session 1 destination interface GigabitEthernet5/0/43 ingress vlan XXX

To monitor vlan (RSPAN) use the following:

monitor session 1 source remote vlan 200