Configure Port Mirroring on Huawei NetEngine Series Routers

Option 1: If the installed line cards support the 1GE UTP port of your PC/laptop, you can install an SFP-1000BaseT (SFP-T) transceiver directly and use that port as the observing port.

Fig.1 

 

interface <interface name>
port-mirroring inbound
port-mirroring outbound
port-mirroring to observe-index <1-255>

interface <interface name>
port-observing observe-index <1-255>

Sample Configuration:

Objective:
Mirror the interface facing the web server so that all traffic going to the server can be analyzed further.
Port to mirror: Gi2/0/0
Port to observe: Gi1/0/0

<HW-Router>sys
Enter system view, return user view with return command.
[~HW-Router]

interface GigabitEthernet2/0/0
 port-mirroring inbound
 port-mirroring outbound
 port-mirroring to observe-index 88

interface GigabitEthernet1/0/0
 port-observing observe-index 88

Verification:

display port-mirroring interface <interface name>
display port-observing interface <interface name>
display port-observing observe-index <1-255>

Option 2: If the line card supports only 10GE/100GE and cannot take an SFP-1000BaseT transceiver for the observing port, you can use a third-party device such as a 10GE/100GE-capable switch.

Fig.2

Tested on Cisco Nexus 9000 switch

N9K configuration:

interface <interface name>
switchport

interface <interface name>
switchport
switchport monitor

monitor session <id>
source interface <interface name> <rx/tx/both>
source vlan <id> <rx/tx/both>
destination interface <interface name>

Sample Configuration:

10GESW#configure t

interface Ethernet1/1
description Link to Huawei Router
no cdp enable
switchport
no shutdown

interface Ethernet1/3
description Link to Laptop
no cdp enable
switchport
switchport monitor
no shutdown

monitor session 1
source interface Ethernet1/1 both
source vlan 1 both
destination interface Ethernet1/3
no shutdown

Verification:

show monitor
show monitor session <id>

Sample Output:


10GESW# show monitor
Session  State        Reason                  Description
-------  -----------  ----------------------  --------------------------------
1        up           The session is up

10GESW# show monitor session 1
session 1
---------------
type : local
state : up
acl-name : acl-name not specified
source intf :
rx : Eth1/1
tx : Eth1/1
both : Eth1/1
source VLANs :
rx : 1
tx : 1
both : 1
filter VLANs : filter not specified
source fwd drops :
destination ports : Eth1/3

show interface <interface name>

Use this to confirm that the monitored port is carrying traffic; the rate should be almost the same on both ports.

10GESW# show int ethernet 1/1 | i rate
30 seconds input rate 31266736 bits/sec, 12238 packets/sec
30 seconds output rate 248 bits/sec, 0 packets/sec
input rate 34.51 Mbps, 12.67 Kpps; output rate 19.08 Kbps, 12 pps

10GESW# show int ethernet 1/3 | i rate
30 seconds input rate 512 bits/sec, 0 packets/sec
30 seconds output rate 60291232 bits/sec, 25186 packets/sec
input rate 19.10 Kbps, 12.3 pps; output rate 34.94 Mbps, 12.70 Kpps
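
The rate comparison above can be scripted when a capture host or sensor depends on the mirror being complete. This added example (not part of the original post) parses the two `show int ... | i rate` samples shown above and compares source rx+tx with destination tx; the 10% tolerance and all function names are assumptions.

```python
import re

# "show int ... | i rate" output copied from the sample above.
SRC_ETH1_1 = """\
30 seconds input rate 31266736 bits/sec, 12238 packets/sec
30 seconds output rate 248 bits/sec, 0 packets/sec
input rate 34.51 Mbps, 12.67 Kpps; output rate 19.08 Kbps, 12 pps
"""
DST_ETH1_3 = """\
30 seconds input rate 512 bits/sec, 0 packets/sec
30 seconds output rate 60291232 bits/sec, 25186 packets/sec
input rate 19.10 Kbps, 12.3 pps; output rate 34.94 Mbps, 12.70 Kpps
"""

UNIT = {"bps": 1, "Kbps": 1e3, "Mbps": 1e6, "Gbps": 1e9}
# Raw counter line: "30 seconds input rate 31266736 bits/sec, ..."
RAW = re.compile(r"(\d+ \w+) (input|output) rate (\d+) bits/sec")
# Summary line: "input rate 34.51 Mbps, ...; output rate 19.08 Kbps, ..."
SCALED = re.compile(r"(input|output) rate ([\d.]+) ([KMG]?bps)")


def parse_rates(text):
    """Return {(counter, direction): bits per second} for one interface."""
    rates = {}
    for counter, direction, bits in RAW.findall(text):
        rates[(counter, direction)] = float(bits)
    for direction, value, unit in SCALED.findall(text):
        rates[("summary", direction)] = float(value) * UNIT[unit]
    return rates


def check_mirror(src_text, dst_text, tolerance=0.10):
    """Compare source rx+tx (session direction 'both') with destination tx.

    Returns {counter: (dst_tx / src_total, within_tolerance)}.
    """
    src, dst = parse_rates(src_text), parse_rates(dst_text)
    report = {}
    for counter in sorted({c for c, _ in src} & {c for c, _ in dst}):
        expected = src.get((counter, "input"), 0.0) + src.get((counter, "output"), 0.0)
        seen = dst.get((counter, "output"), 0.0)
        ratio = seen / expected if expected else float("inf")
        report[counter] = (round(ratio, 2), abs(ratio - 1) <= tolerance)
    return report


if __name__ == "__main__":
    for counter, (ratio, ok) in check_mirror(SRC_ETH1_1, DST_ETH1_3).items():
        print(f"{counter:>10}: dst/src = {ratio:.2f} -> {'ok' if ok else 'CHECK'}")
```

On the sample above the summary line agrees within about 1%, while the 30-second counters put the destination at roughly 1.93 times the source, so that counter is flagged for a closer look.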

Huawei Router Configuration:

interface <interface name>
port-mirroring inbound
port-mirroring outbound
port-mirroring to observe-index <1-255>

interface <interface name>
port-observing observe-index <1-255>

Sample Configuration:

Objective:
Mirror the interface facing the web server so that all traffic going to the server can be analyzed further.
Port to mirror: Gi2/0/0
Port to observe: Gi1/0/1

<HW-Router>sys
Enter system view, return user view with return command.
[~HW-Router]

interface GigabitEthernet2/0/0
 port-mirroring inbound
 port-mirroring outbound
 port-mirroring to observe-index 88

interface GigabitEthernet1/0/1
 port-observing observe-index 88

Verification:

display port-mirroring interface <interface name>
display port-observing interface <interface name>
display port-observing observe-index <1-255>

Note: Use packet-capturing software such as Wireshark on the PC/laptop to capture the traffic on its Ethernet port.

There are a few more options for port mirroring, which will not be covered in detail:
– using passive hardware such as an optical tap
– using an active media converter (fiber to UTP) in case a switch is not available
