Suggestion regarding Remote Port Mirroring

md.sakibnaz · ‎06-01-2013

Hi all.

Is there any way to Mirror a CISCO C3750 Switch Port Taffic to a remote Host IP Address?

I know Port Mirror (SPAN/RSPAN) can copy one Interface Packet to another Interface. But I am looking for a way to miror Switch Port Packets to a remote Host (having Public IP Address and running Wirehark). Is it possible?

Awaiting for your suggestion.

Regards.

Sandeep Sharma · ‎06-03-2013

Hi Md
- While using SPAN/RSPAN we have flexibility to mirror the port with direction of traffic flow (source interface)  and capture it on on the local port (in case of local SPAN) or on the remote switch (in case of RSPAN). 
- Whatever is you destination port you need to conect the traffic analyzer tool to capture the packets.

Commands 
=========
SPAN:
Switch(config)# monitor session 1 source interface gigabitethernet1/0/1
Switch(config)# monitor session 1 destination interface gigabitethernet1/0/2
 
RSPAN:
In case of RSPAN first you need to create a vlan 
Switch(config)# vlan 901
Switch(config-vlan)# remote span

Enable the RSPAN 
Switch(config)# monitor session 1 source interface gigabitethernet1/0/1 tx
Switch(config)# monitor session 1 source interface gigabitethernet1/0/2 rx
Switch(config)# monitor session 1 source interface port-channel 2 
Switch(config)# monitor session 1 destination remote vlan 901
 Link for details:
===================
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/swspan.html#wp1200733
 Thanks & Regards
 Sandeep

mfurnival · ‎06-03-2013

I suspect the answer is no to what you are asking. With SPAN you are just mirroring the traffic out to another port. With RSPAN you are just mirroring the traffic to another VLAN (and then theoretically across various switches to a remote destination). But what you are asking is about sending the traffic to a remote IP address. SPAN and RSPAN operate at layer 2 so how would layer 2 traffic be sent to a remote destination? All traffic would need to be encapsulated into IP packets and sent out onto the WAN.

I guess you could do it with a qinq tunnel but do you really want to forward all traffic on one interface out over the WAN? Why not set up a local capture and save the capture file to the remote location?

md.sakibnaz · ‎06-03-2013

Hi Sandeep - Thanks for reply.

Hi Mfurnival - Your understanding is perfect. I want to send the copy of IP Pakcet of Switch Port to a remote IP address.

Let me tell you the scenario which will clearify my need to you all.

I have a VoIP Softswicth at UK PoP which is connected with a CISCO 3750 Switch. But I want to run a Traffic Monitor tool at Bangladesh. The Traffic Monitor tool needs the VoIP Morror Pakcte at the Server NIC Card. Thats why I am looking for a way to send all the Switch Port Pakcets to a Remote Server IP.

Any advise?

Regards.

mfurnival · ‎06-03-2013

My comments are still as above - but are you sure that you really want to do this even if it is possible? You would need end-to-end bandwidth capable of supporting the monitor traffic. Do you have the infrastructure to support this? My recommendation would be be monitor locally and upload the capture file to your remote destination for analysis.

md.sakibnaz · ‎06-03-2013

Hi Mfurnival.

Yes, I relly need to do this. Actually it will not coonsume very much Bandwitdh as this will be only the VoIP Signalliing (SIP and H.323) packets not Media.

There is no way to place a Server Locally (at UK) to set up Traffic Monitoing System.

Please advise me how to mirror packets to report IP address.

Thanks.

Regards.

mfurnival · ‎06-03-2013

This document explains how to create a L2 tunnel to transport the mirrored traffic across your WAN:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/l2pt.html

You have to remember that everything in and out of that interface (broadcasts in that VLAN, multicasts etc.) would be mirrored - there is no way to filter the capture traffic to just see the traffic you are interested in (i.e. SIP and H.323).

md.sakibnaz · ‎06-03-2013

Hi Mfurnival.

Thank you for your reply. I'll check the link. But I am not sure will it be supported on CISCO 3750.

One more query please,

Is there any IOS command for C3750 to check the Number of connected Session against a specific source IP and TCP Port.

For example, I want to see the number of connected session through my CISCO Switch having source IP 7.7.7.7 and TCP Port 5060 (for SIP).

Any idea please?

Regards.

mfurnival · ‎06-03-2013

If you are talking about traffic transitting the switch (i.e. not sourced by or terminated by the switch) then the answer is no - Netflow is not supported on 3750 switches.

mfurnival · ‎06-03-2013

There is actually a feature called ERSPAN (read this article for a good overview of the different SPAN types:

https://supportforums.cisco.com/docs/DOC-32763) which allows you to forward monitored traffic over a layer 3 link. Unfortunately it is not supported on your platform.

I think my other suggestion would necessitate additional equipment.