Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
558
Views
5
Helpful
5
Replies

collecting packet capture from a Cisco routed interface

Go to solution
johneyboy
Level 1
Level 1

‎01-18-2024 12:14 PM

We are trying to setup a monitor session for a routed interface on a Cisco 4431 ISR router.  From all the search result, it seems I can only perform packet capture monitor session on a switch module for a layer 2 interfaces.  Is there any way we can perform similar monitor session for L3 interfaces?  Appreciate for all the constructive feedback in advances.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
M02@rt37
VIP
VIP

‎01-18-2024 12:29 PM

Hello @johneyboy 

You could use ERSPAN on your ISR 4431 to perform remote monitoring of L3 traffic. ERSPAN allows you to capture and forward traffic from a source interface to a destination interface for analysis on a remote device.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

View solution in original post

5 Replies 5

Go to solution
M02@rt37
VIP
VIP

‎01-18-2024 12:29 PM

Hello @johneyboy 

You could use ERSPAN on your ISR 4431 to perform remote monitoring of L3 traffic. ERSPAN allows you to capture and forward traffic from a source interface to a destination interface for analysis on a remote device.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Go to solution
David Ruess
VIP
VIP

‎01-18-2024 12:36 PM - edited ‎01-18-2024 12:52 PM

Hello,

 

You should be able to configure monitoring on a L3 interface using Embedded Packet Capture with the below commands:

 

ip access-list extended PACKET_FILTER permit ip host 192.168.12.1 host 192.168.23.3

monitor capture TEST buffer circular limit packets 1000 interface g0/0/0 both

monitor capture buffer TEST filter access-list PACKET_FILTER start

 

This is just an example. You can match and filter on lots of things. You configure this in Privilege EXEC mode. Make sure to use the keyword start when you want to start it. It will stop when it reaches your configured limit or you stop it.

You can verify with the command: sh monitor capture TEST buffer {brief}

 

Hope this helps.

-David

 

 

Go to solution
johneyboy
Level 1
Level 1

‎01-18-2024 04:52 PM

Thank you for everyone's inputs.  Just a little more context about my setup.  The company wants to setup a permanent monitoring tool inside the data center for our edge router which happens to be the ISR 4431.  We have a dedicated server behind the router for this purpose.  I think ERSPAN is the right approach in our case.  

Go to solution
MHM Cisco World
VIP
VIP
In response to johneyboy

‎01-18-2024 08:52 PM

Yes you are correct
after I reply I deep thinking and it true ERSPAN is for real time traffic monitor what I suggest is only for troubleshooting and for short period.
Glad your issue solve and your answer help you here 
have a nice weekend 
MHM

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card