Hello,

We have several ISP's we use with fiber reaching our data centers, from their the ISP has Cat 6 patch cables going from the transceiver fiber box to our Cisco 3750 switches. We setup port spanning on each separate switch spanning all ports with monitoring port for all network traffic activity using Capsa 7 Enterprise, and you mention what we have will not work.

Please explain why when documents located on Cisco's web site showing how to span ports on any Cisco switch is now not recommended.

We need to monitor the Bandwidth for several networks - please advise the best way to make this work.

Thank you

Well the commands will work and span the ports but the math doesn't work.

fa1/0/1-23 at 100 Mbps each total 2.3 Gbps of potential load. You are spanning them all to a single port fa1/0/24 - another 100 Mbps port. Sure you might seldom (if ever) be running them all at wire speed but what if the sum of any combination is more than 100 Mbps? You can't pass >100 Mbps of source traffic into a single 100 Mbps destination.

Port spanning is designed for mirroring exactly what's passing through the spanned ports. One typically does this for packet level or other forensic analysis of the source ports' traffic.

To monitor bandwidth utilization you can simply query the interface statistics using any snmp management tool (Cisco Prime LMS, SolarWinds Orion NPM, Catci, etc.). Any of those will generate interface utilization graphs. If you want to drill down a level and see source and destination addresses and ports, you need to use an instrumentation technology like Netflow, typically applied on your edge router or firewall. A layer 2 (or access / distribution layer 3) switch does not typically support Netflow since it is not involved in routing traffic or of it is the feature set does not support Netflow as that is a differentiator for higher level (and more costly) L3 switches.

Let me try this another way,

We have no Edge router as the ISP handles this - we only have three or four network cables plugged into each of the several different Cisco 3750 switches that go to several different ISP fiber transceivers, we really have only one Cat 6 network cable going from each Cisco 3750 to the ISP fiber box and will it be possible to Sniff all the traffic coming / going through this interface using port spanning or mirroring on another port.

This would allow us to monitor the bandwidth, the applications/protocols being used on the outside interface of our network using Colasoft Capsa 7 Enterprise.

Thanks

Yes - given the total traffic load doesn't exceed the single 100 Mbps conection you are using.

But you would need two interfaces on the PC running the Capsa software if you want to do anything other than sit right in fron of it to look at it's output. The monitor port it is connected to on the switch is not also the port you would use for that PC to talk to the rest of your network.

I hate to be a pain - can you explain this or confirm I understand what you wrote, we would have two network cards on the laptop running the Capsa software with one configured on the network, with the other network card configured to monitor all the traffic going to our ISP - tell me why can't we have one network card plugged into the Cisco 3750 switch on the monitoring port and have all traffic dump to a log file.

I'm sure you see we haven’t done this before and need step-by-step help so we understand before we take off the training wheels.

Thanks

OK, no problem.

Please see the IOS software configuration guide, for instance, here is the 3750 chapter on setting up SPAN. Up front it states:

"You must dedicate the destination port for SPAN use. Except for traffic that is required for the SPAN or RSPAN session, destination ports do not receive or forward traffic."

Now if all you want to do is sit on front of that PC running your analysis software, that's fine. But the interface connected to that SPAN destination port is dedicated for that. You discovered this when you figured out you could not ping anything else etc. once you were connected to it. As a SPAN destination, the switch is treating that port differently - it will not allow it to simultaneously act as an access or other port type with all the standard features of VLAN assignment etc.

So if you want your analysis PC to also be able to send / receive traffic (for reporting or remote login or whatever), you need to either:

a. have a second network interface connected to a "normal" switch port, or

b. disconnect it from the SPAN destination port and reconnect it to a normal port, or

c. stop the SPAN session and then you can use the port like a normal port.

If you're using it for continuous monitoring, only option a seems to make sense to me. Thus my earlier suggestion.

I understand, what seetings should be on the switch monitor port, can this be in the same Vlan as all the others ports on the switch, should this be a trunk port - I'm not sure what settings should be on this port

I really appreciate the time spent to educate me on the best course of action for sniffing our network traffic.

Thank you

Merry Christmas