Configuring Port Monitoring in Cisco Catalyst 4948 (via network optical tap)

SPAN mirrors received or transmitted traffic (or both) on one or more source ports to a destination port for analysis.
A copy of the packets received or sent by the source interfaces is sent to the destination interface.

Prerequisites:
You need to understand how an optical tap works; here’s some interesting information (ctto)

Cisco Catalyst 4948
2 Routers connected via Optical Tap

Network Diagram:

Step 1: Physically connect the links as per the diagram above. Connect a UTP cable from the switch to the PC’s Ethernet port.
Step 2: Configure the 4948 switch.

Cisco 4948 Configuration:
4948#conf t

interface TenGigabitEthernet1/49
description 10GE Conn to Router1 (via optical tap)
switchport access vlan 100
switchport mode access
ip access-group dhcp-traffic in
load-interval 30
udld port disable
no cdp enable
no shutdown

interface TenGigabitEthernet1/50
description 10GE Conn to Switch1 (via optical tap)
switchport access vlan 200
switchport mode access
ip access-group dhcp-traffic in
udld port disable
no cdp enable
no shutdown

interface GigabitEthernet1/47
description GE Connection to RemoteServer
load-interval 30
spanning-tree bpdufilter enable
no shutdown

monitor session 15 source interface Te1/49 - 50
monitor session 15 destination interface Gi1/47
monitor session 15 filter packet-type good rx
monitor session 15 filter ip access-group dhcp-traffic

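If you want to filter the mirrored traffic by type, e.g. DHCP, you can configure an ACL and apply it to the interface accordingly. The ACL below permits DHCP (bootps/bootpc) and DNS (domain) over UDP and denies everything else: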
 ip access-list extended dhcp-traffic
 permit udp any eq domain any
 permit udp any any eq domain
 permit udp any range bootps bootpc any range bootps bootpc
 deny   ip any any

Step 3: Verify the configuration and traffic. The destination interface’s status should be “monitoring”.

show monitor session all

4948-Switch#show monitor session all
Session 15
Type                   : Local Session
Source Ports           :
Both               : Te1/49-52
Destination Ports      : Gi1/47
Encapsulation      : Native
Ingress      : Disabled
Learning : Disabled
Filter Pkt Type        :
RX Only       : Good
IP Access-group        : dhcp-traffic

show interface [interface name]

4948-Switch#show int gi1/47
GigabitEthernet1/47 is up, line protocol is down (monitoring)
Hardware is Gigabit Ethernet Port, address is 649e.f3ec.0b6e (bia 649e.f3ec.0b6e)
Description: GE Connection to RemoteServer
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, link type is auto, media type is 10/100/1000-TX
input flow-control is on, output flow-control is on
Auto-MDIX on (operational: on)
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 3059552617
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec

Step 4: Once you have confirmed that traffic is present, open any packet analyzer such as “Wireshark” or “tcpdump”.
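
One way to script the Step 3 check, as an added example that is not part of the original post: it parses the two command outputs and reports source ports that differ from the intended ones, whether the ACL filter is attached, whether the destination is in monitoring state, and the destination's output-drop count. The function names are hypothetical, the sample text is abridged from the Step 3 output, and the intended source range Te1/49-50 is taken from the Step 2 commands.

```python
import re

# Abridged from the Step 3 output shown on this page.
SHOW_MONITOR = """\
Source Ports           :
Both               : Te1/49-52
Destination Ports      : Gi1/47
Filter Pkt Type        :
RX Only       : Good
IP Access-group        : dhcp-traffic
"""
SHOW_INTERFACE = """\
GigabitEthernet1/47 is up, line protocol is down (monitoring)
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 3059552617
"""

# A source line is 'Both', 'RX Only' or 'TX Only' followed by a port list; the
# port pattern skips 'RX Only : Good', which belongs to 'Filter Pkt Type'.
SOURCE_LINE = re.compile(r"^[ \t]*(?:Both|RX Only|TX Only)[ \t]*:[ \t]*([A-Za-z]+\d+/\S+)", re.M)

def expand_ports(spec):
    """Expand an IOS port list such as 'Te1/49-52,Gi1/47' into a set of ports."""
    ports = set()
    for item in spec.split(","):
        m = re.fullmatch(r"([A-Za-z]+(?:\d+/)+)(\d+)(?:-(\d+))?", item.strip())
        if not m:
            raise ValueError(f"unrecognised port spec: {item!r}")
        first, last = int(m.group(2)), int(m.group(3) or m.group(2))
        ports.update(f"{m.group(1)}{n}" for n in range(first, last + 1))
    return ports

def audit_span(monitor_out, interface_out, want_sources, want_acl):
    """Compare what the switch reports against the intended SPAN session."""
    sources = set()
    for m in SOURCE_LINE.finditer(monitor_out):
        sources |= expand_ports(m.group(1))
    acl = re.search(r"^[ \t]*IP Access-group[ \t]*:[ \t]*(\S+)", monitor_out, re.M)
    drops = re.search(r"Total output drops: (\d+)", interface_out)
    return {
        "unexpected_sources": sorted(sources - want_sources),
        "missing_sources": sorted(want_sources - sources),
        "acl_matches": bool(acl) and acl.group(1) == want_acl,
        "monitoring": "(monitoring)" in interface_out.split("\n", 1)[0],
        # Output drops are frames the switch could not send out of the destination port.
        "output_drops": int(drops.group(1)) if drops else None,
    }

if __name__ == "__main__":
    print(audit_span(SHOW_MONITOR, SHOW_INTERFACE, expand_ports("Te1/49-50"), "dhcp-traffic"))
```

Run against the output shown on this page, it reports Te1/51 and Te1/52 as sources that the Step 2 commands did not configure, and 3059552617 output drops on Gi1/47. Since that counter has never been cleared, clear it and re-check during a capture to see whether mirrored frames are being lost.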
