Monitoring Cisco Switch Ports: A Comprehensive Guide

How to monitor a port on a Cisco switch

Monitoring a port on a Cisco switch can be achieved through port mirroring, also known as a Switch Port Analyzer (SPAN). This process involves collecting network traffic data from a physical interface or VLAN and copying it to another physical port for analysis. By utilising features such as SPAN, users can capture LAN traffic for monitoring and troubleshooting purposes. This enables network administrators to gain valuable insights into network performance and functionality. While setting up port mirroring, it is important to ensure that the destination port is configured correctly and that the Cisco switch model supports the required number of ports for effective monitoring.

Characteristics             Values
Port Mirroring              Also referred to as a Switch Port Analyzer (SPAN) port
Port Mirroring Purpose      Collect network traffic from a physical interface or from VLANs
Port Mirroring Process      Copies packets from a source to another physical port
Port Mirroring Use Case     Monitoring and troubleshooting the network
Example                     Mirroring a single physical interface, or one or more VLANs
Commands to Use             `monitor session 1 source interface gi0/1` and `monitor session 1 destination interface gi0/8`
Additional Tools            Wireshark for analysing the copied packets

Using the Switched Port Analyzer (SPAN)

The Switched Port Analyzer (SPAN) is a switch-specific tool that allows users to copy Ethernet frames passing through switch ports and send them to a specific port for analysis. The switch itself does not analyse these copied frames; instead, it sends them to a designated port where a network analyser can be connected. This network analyser can be a purpose-built hardware appliance or an application running on a host machine.

SPAN is configured by defining a SPAN session, which states from which ports frames are copied and where the copies are sent. Multiple SPAN sessions can be defined on a switch, and each session can have multiple source ports but only one destination port. The source port is the port from which frames are copied, while the destination port is the one out of which the copies are sent to the analyser.

SPAN can be used to monitor traffic on a single port, multiple ports, or an entire VLAN. It is also possible to implement SPAN on a trunk port, which carries multiple VLANs. When monitoring a subset of VLANs on a trunk, you can use VLAN filtering to limit SPAN traffic monitoring to specific VLANs.

It is important to note that a destination SPAN port does not transmit any traffic except what is required for the SPAN session. This is to prevent potential bridging loops in the network. However, you can enable ingress traffic forwarding on the destination port if you need to reach the network analyser through that port.

SPAN has some limitations. For example, a destination port cannot be used as a source port, and it cannot be part of an EtherChannel group. Additionally, SPAN sessions cannot mix ports and VLANs; they must contain either ports or VLANs, but not both.

Overall, SPAN is a useful feature for network administrators to capture and analyse traffic on specific switch ports or VLANs. By copying Ethernet frames to a designated port, SPAN enables the use of external analysers or applications for further examination.

Collecting network traffic from a VLAN

VLAN mirroring is a powerful and easy way to monitor network traffic from a VLAN. Most managed switches will have options for setting up VLAN mirroring. VLAN mirroring allows you to monitor all traffic to and from the servers in your server VLAN.

To collect traffic statistics on a VLAN, you can enable traffic statistics collection on a VLAN or VLANIF interface. Note that the commands in this procedure (`system-view`, `vlanif`, `commit`) and the CE-series model numbers are Huawei CloudEngine syntax rather than Cisco IOS; the SPAN method described further down is the Cisco equivalent. Here is a step-by-step guide:

  • Run the `system-view` command to enter the system view.
  • Run the `vlan vlan-id` command to enter the VLAN view.
  • In the VLAN view, run the `statistics enable` command to enable traffic statistics collection in the VLAN. By default, traffic statistics collection is disabled in a VLAN. If the forwarding mode on specific switches is cut-through, the switch cannot collect traffic statistics in a VLAN, and on the CE6870EI traffic statistics collection in a VLAN and traffic statistics collection on a Layer 2 sub-interface are mutually exclusive.
  • Run the `commit` command to commit the configuration.

You can also configure traffic statistics collection on a VLANIF interface:

  • Run the `system-view` command to enter the system view.
  • Run the `interface vlanif vlan-id` command to enter the VLANIF interface view.
  • Optionally, run the `ipv6 enable` command to enable the IPv6 function on the interface. By default, the IPv6 function is disabled on an interface, and it must be enabled before IPv6 packet statistics collection can be enabled on a VLANIF interface.
  • Enable traffic statistics collection on the VLANIF interface. The command depends on the switch model: on CE6870EI switches, run `statistics [ipv6] enable [inbound | outbound]`; on the CE9860EI, CE5855E, CE6856HI, CE6857EI, CE6857E, CE6865EI, and CE8800 series, run `statistics [ipv4 | ipv6] enable`. By default, traffic statistics collection is disabled on a VLANIF interface.
  • Run the `commit` command to commit the configuration.
  • Run the `display vlan vlan-id statistics` command in any view to check traffic statistics in a specified VLAN.
  • Run the `display interface vlanif [vlan-id]` command in any view to check traffic statistics on a VLANIF interface.

Another method to monitor VLAN traffic is by using the Switched Port Analyzer (SPAN) or port mirroring feature. SPAN allows you to passively capture a copy of traffic from a network switch. When configured, the switch will send a copy of the selected VLAN traffic to a nominated port. This method does not interfere with the communication between clients and servers.

To use SPAN, you can follow these steps:

  • Identify the VLANs you want to monitor.
  • Configure SPAN on your Cisco switch by selecting the VLANs as the source and specifying a destination port.
  • Connect your network traffic analysis tool to the SPAN port.
  • You can also use virtual port groups or mirror ports on virtual switches, depending on your network setup.

By following these methods, you can effectively collect network traffic from a VLAN on a Cisco switch.

Troubleshooting with port mirroring

To set up port mirroring on a Cisco switch, follow these steps:

  • Create a VLAN and add both the source port and destination port to that VLAN if they aren't already connected.
  • Configure IP addresses for both ports so they can communicate with each other over the VLAN.
  • Access the switch dashboard and navigate to Switch > Monitor > Switch Ports.
  • Select one or more ports to be mirrored. Note that multiple source ports can be mirrored to a single destination port.
  • Specify the destination mirror port, which will be used to capture traffic on the source ports. Both ports must be on the same switch or within the same switch stack.
  • Click "Create Port Mirror".
  • Connect a workstation to your destination port. Ensure that DHCP is enabled on the host and check that it receives an IP address.

Once port mirroring is enabled, you can use a utility like Wireshark to capture and analyze packets. Wireshark is a free and open-source packet analyzer that can aid in network troubleshooting and diagnosis.

It's important to note that port mirroring may require additional hardware or software, such as network taps or additional switches, depending on the specific requirements and scale of the network. Additionally, mirroring ports can impact switch performance and network traffic, so it's crucial to plan and test thoroughly before implementing in a production environment.

Using Wireshark to analyse copied packets

Wireshark is a powerful tool for capturing and analysing network traffic data. It can be used to monitor a port on a Cisco switch and analyse copied packets. Here's a step-by-step guide on how to use Wireshark to analyse copied packets:

Step 1: Install and Set Up Wireshark

Download and install Wireshark on your computer. Wireshark is a free and open-source packet analyser that can be downloaded from its official website. Once installed, launch Wireshark and familiarise yourself with its interface.

Step 2: Configure the Cisco Switch

To monitor a specific port on the Cisco switch, you can use features such as Switched Port Analyzer (SPAN). This feature allows you to mirror traffic from one or more ports to another port for analysis. Set up SPAN on the Cisco switch by following the official Cisco documentation and selecting the port(s) you want to monitor.

Step 3: Start Packet Capture

On the Cisco switch, start the packet capture on the desired port(s). This will copy all incoming and outgoing traffic on the selected port(s). You can choose to store the captured packets locally on the switch or stream them directly to Wireshark in real time.

Step 4: Stream Captured Packets to Wireshark

If you choose to stream the captured packets to Wireshark in real time, follow these steps:

  • On the Cisco switch, navigate to "Troubleshoot > Packet Capture".
  • Select "Stream to a Remote Host" as the packet capture method.
  • Specify the remote capture port, typically port 2002, or a custom port number.
  • Choose the packet capture mode: "All Wireless Traffic" or "Traffic to/from this AP".
  • Configure any additional filters, such as "Ignore Beacons" or "Filter on Client".
  • Click "Apply" to save the settings and then click the "Start Capture" button.

Step 5: Analyse Copied Packets in Wireshark

  • On your computer, open Wireshark.
  • Go to "Capture > Options" and click "Manage Interfaces".
  • In the "Remote Interfaces" section, click the plus icon to add a new interface.
  • Enter the IP address of the Cisco switch and the port number configured for remote capture.
  • Choose the authentication method and provide any required credentials. Click "OK".
  • Select the interface you want to monitor and click "Start" to begin viewing the captured packets in Wireshark.
  • Use Wireshark's filtering and analysis tools to examine the copied packets and extract meaningful information.

By following these steps, you can effectively use Wireshark to analyse copied packets from a Cisco switch, gaining valuable insights into network traffic and facilitating troubleshooting and performance optimisation.

Configuring a SPAN port

To set up a SPAN port, you will need to follow these general steps:

  • Log in to your Cisco switch and access the command-line interface (CLI).
  • Create a monitoring session by assigning a session ID.
  • Specify the source interface(s) or VLAN(s) you want to monitor. You can monitor specific ports, multiple ports, or an entire VLAN.
  • Define the destination interface where you want to send the copied traffic. This is usually the port where your network analyser or capturing device is connected.

  monitor session 1 source interface te2/1/4
  monitor session 1 destination interface gi2/6/10

In this example, "te2/1/4" is the source port, and "gi2/6/10" is the destination port. You can use the "show monitor" command to view information about your monitoring session.
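As an added example (not code from the page or from Cisco), the following Python helper renders those two commands from a session description and, before doing so, checks the session rules stated earlier on this page: one destination per session, a destination port cannot also be a source, a session holds either port or VLAN sources but not both, and VLAN filtering only applies to trunk port sources. The interface names and VLAN IDs are constructed.

```python
"""Render and sanity-check a local SPAN session before pasting it into IOS.

Added example, not from the page or from Cisco. Interface names and VLAN
IDs are constructed; the rules checked are the ones stated on the page.
"""
from dataclasses import dataclass, field

@dataclass
class SpanSession:
    session_id: int
    destination: str                                   # e.g. "gi2/6/10"
    source_ports: list = field(default_factory=list)   # e.g. ["te2/1/4"]
    source_vlans: list = field(default_factory=list)   # e.g. [10, 20]
    filter_vlans: list = field(default_factory=list)   # VLAN filter, trunk port sources only
    direction: str = "both"                            # rx | tx | both

    def validate(self) -> list:
        """Return the rule violations found; an empty list means the session is sane."""
        problems = []
        if self.source_ports and self.source_vlans:
            problems.append("a session cannot mix port and VLAN sources")
        if not self.source_ports and not self.source_vlans:
            problems.append("no source port or VLAN defined")
        if self.destination.lower() in {p.lower() for p in self.source_ports}:
            problems.append(f"{self.destination} is both source and destination")
        if self.filter_vlans and self.source_vlans:
            problems.append("VLAN filtering applies to trunk port sources, not VLAN sources")
        if self.direction not in ("rx", "tx", "both"):
            problems.append(f"unknown direction {self.direction!r}")
        return problems

    def ios_commands(self) -> list:
        """Render the 'monitor session' lines; refuses to render an invalid session."""
        problems = self.validate()
        if problems:
            raise ValueError("; ".join(problems))
        sid, lines = self.session_id, []
        for port in self.source_ports:
            lines.append(f"monitor session {sid} source interface {port} {self.direction}")
        if self.source_vlans:
            vlans = ",".join(str(v) for v in self.source_vlans)
            lines.append(f"monitor session {sid} source vlan {vlans} {self.direction}")
        if self.filter_vlans:
            lines.append(f"monitor session {sid} filter vlan " + ",".join(map(str, self.filter_vlans)))
        lines.append(f"monitor session {sid} destination interface {self.destination}")
        return lines

if __name__ == "__main__":
    print("\n".join(SpanSession(1, "gi2/6/10", source_ports=["te2/1/4"]).ios_commands()))
```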

Note that the source port can be either an access port or a trunk port. If it is a trunk port, the dot1q tags on frames will also be copied to the destination port. Ensure that your capturing device is configured to handle these tags correctly.
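To show what the capturing device has to cope with, here is an added Python example (not from the page) that decodes the Ethernet header of mirrored frames and peels any 802.1Q or QinQ tags to recover the VLAN ID and the real payload EtherType, plus a per-VLAN tally that is handy for confirming a SPAN VLAN filter does what you expect. The three sample frames are constructed.

```python
"""Decode Ethernet and 802.1Q headers of frames copied from a trunk source port.

Added example, not from the page. Mirrored trunk frames keep their dot1q
tag, so a tool that assumes a plain 14-byte header misreads the EtherType.
The sample frames below are constructed.
"""
import struct
from collections import Counter

TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8   # outer (service) tag of a QinQ frame


def decode_header(frame: bytes) -> dict:
    """Return MACs, VLAN IDs (outermost first), payload EtherType and payload offset."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlans = 14, []
    # Peel tags while the EtherType field holds a tag TPID; each tag is 4 bytes.
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlans.append(tci & 0x0FFF)        # low 12 bits = VLAN ID, top 3 = priority
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlans": vlans,
            "ethertype": ethertype, "payload_offset": offset}


def vlan_tally(frames) -> Counter:
    """Count frames per outermost VLAN ID (None for untagged)."""
    counts = Counter()
    for frame in frames:
        vlans = decode_header(frame)["vlans"]
        counts[vlans[0] if vlans else None] += 1
    return counts


# Constructed frames: an untagged ARP request, an IPv4 frame tagged VLAN 10,
# and a QinQ frame with outer VLAN 100 and inner VLAN 10 (payloads zero-filled).
UNTAGGED = bytes.fromhex("ffffffffffff 001122334455 0806") + bytes(28)
TAGGED = bytes.fromhex("001122334455 66778899aabb 8100 000a 0800") + bytes(20)
QINQ = bytes.fromhex("001122334455 66778899aabb 88a8 0064 8100 000a 0800") + bytes(20)

if __name__ == "__main__":
    for f in (UNTAGGED, TAGGED, QINQ):
        print(decode_header(f))
    print(vlan_tally([UNTAGGED, TAGGED, QINQ, TAGGED]))
```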

Additionally, you can configure SPAN to monitor traffic from multiple switches by using Remote SPAN (RSPAN). RSPAN requires you to set up a dedicated RSPAN VLAN to carry the monitored traffic between switches.

Remember that SPAN can impact switch performance, especially if the destination port becomes congested. Refer to Cisco's documentation for detailed information on SPAN features, restrictions, and performance considerations.

Frequently asked questions

Port monitoring, also known as a Switch Port Analyzer (SPAN), is a way to collect network traffic data from a physical interface or VLANs. It is used for monitoring and troubleshooting.

First, check if any SPAN ports already exist on your switch using the "show monitor session all" command. Then, configure the source SPAN port, followed by the destination SPAN port. You can review the settings using the "show monitor session all" command.

You can use the Switched Port Analyzer (SPAN) feature, which is also known as port mirroring. Other tools include Wireshark, Netflow, and SolarWinds Network Performance Monitor (NPM).
