Re: Monitor all ports of cisco switch

ehudcarmeli · ‎04-03-2022

Hello,

We want to place in our network taps to duplicate the traffic for an analytic device.

The switch will receive the replicate data (15-20 ports), all data that the switch will get already sent from another inline tap, and the traffic destination is not part of the switch network.

Since my Analyzer server has one port, I need to groom all traffic via the switch to one uplink and keep the frame as original, so the analyzer will be able to analyze it.

So my question is how to take all traffic from all ports and bring it to one port.
I think the span-port/mirror port has limitations in the number of ports and I need to use most ports of the switch.

10x

Kasun Bandara · ‎04-03-2022

you can use netflow for tap traffic

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Flavio Miranda · ‎04-03-2022

Not sure if I understood correctly but it seems to me that you could use port span on the switch.

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10570-41.html

balaji.bandi · ‎04-03-2022

you want to use TAP, then span the port. (if this is local switch only), if more switched you need RSPAN and SPAN

what model of the switch and IOS code (most of the model should support, there is some Limitation nexus devices)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ehudcarmeli · ‎04-03-2022

Thanks for the feedback, maybe I wasn’t explaining my issue well.

The switch will receive the replicate data (15-20 ports), all data that the switch will get already sent from another inline tap, and the traffic destination is not part of the switch network.

Since my Analyzer server has one port, I need to groom all traffic via the switch to one uplink and keep the frame as original, so the analyzer will be able to analyze it.

So my question is how to take all traffic from all ports and bring it to one port.
I think the span-port/mirror port has limitations in the number of ports and I need to use most ports of the switch.

Seb Rupik · ‎04-08-2022

Hi there,

depending on the switch platform there will be limitations. You can have multiple monitors configured which could probably accommodate all 15-20 source ports (depending on switch platform), however these monitor sessions cannot share the same destination port.

I suppose with 2 switches you could connect them in such a way that they could feed a single destination port. Create enough monitor sessions to cover all your tap inputs, and connect each destination port to another switch. Group these destination ports on the second switch into a monitor session and then configure the destination port to connect to your analyser.

(forgive the paint!!

I'd be stunned if aggregating all of these tap ports does not result in output drops on the switches!

cheers,

Seb.

ehudcarmeli · ‎04-08-2022

Hello and thanks for your answer.
This is the exact type of solution I am looking for.
My concern is for the second switch which is meant to aggregate the
traffic, and basically, there is no dest mac|ip associated with the
original monitored traffic.
I need that all traffic will be aggregated to the uplink will be without
any change in the frame structure, I wonder if the internal bridge will
block the traffic or will be transparent so no data will be lost.
The aggregate port must represent the original traffic with no changed. How
shall this be handled?
Thanks a lot! Ehud

Seb Rupik · ‎04-08-2022

Hi Ehud,

SPAN will take frames ingressing and egressing the source ports and simply send them out of the destination port. It does not change the frame at all.

I'd imagine you would need to configure the source ports on the 'top' switch to be switchport trunk allowed vlan all to ensure it doesn't drop the frames as they ingress the ports.

This is not something I have seen setup before in this fashion, but it should work in theory. Let us know!!

cheers,

Seb.