Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1165
Views
0
Helpful
10
Replies

monitor port only see Layer 2 traffic

chinpohpang851
Level 1
Level 1

‎04-27-2022 11:27 PM

my source port is a access port with no IP assigned and then i wireshark the dest port I can only see ARP, Broadcast...  I can't see any other traffic passing thru that access port. why? 

Labels:
0 Helpful
10 Replies 10

chinpohpang851
Level 1
Level 1

‎04-28-2022 12:57 AM

can't see any TLS, HTTP, HTTPS or any handshake.

0 Helpful

Elliot Dierksen
VIP
VIP

‎04-28-2022 04:43 AM

It sounds like you haven't configured a SPAN/monitor session in the switch. It would be normal for a regular access port to only see broadcasts or traffic directed to the local MAC address.

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎04-28-2022 04:11 PM - edited ‎04-28-2022 04:11 PM

post the config and monitor session information

 

try :

 

monitor session 1 dest int gig0/1 both   (change the interface as per requirement)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

chinpohpang851
Level 1
Level 1

‎04-28-2022 06:16 PM

session1.JPG

 

Gi1/0/1 is just an layer 2 access port to firewall(gateway) but we can't see session traffic on monitoring port Gi1/0/13.

I want to monitor the traffic out/in to the firewall and to see all kinds of traffic.

0 Helpful

paul driver
VIP
VIP

‎04-29-2022 03:29 AM

Hello

Change the destination port to be a trunk and source from the FW access port vlan

 

Example:.
interface int Gi1/13
description span session 1 for gig0/1
switchport mode trunk

switchport trunk allowed vlan x (firewall vlan)


monitor session 1 source vlan vlan x (firewall vlan)
monitor session 1 destination interface Gi1/13


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

chinpohpang851
Level 1
Level 1
In response to paul driver

‎05-04-2022 01:42 AM

I've made the changes accordingly but my monitoring Palo Tap mode interface still not capturing anything.

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎04-29-2022 04:40 AM

how does your config look interface and monitor session

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

chinpohpang851
Level 1
Level 1
In response to balaji.bandi

‎05-03-2022 11:25 PM

source int

interface GigabitEthernet1/0/1
description To FW port 4
switchport access vlan 1001
switchport mode access
spanning-tree portfast

 

destination int

interface GigabitEthernet1/0/13
description Palo monitor port
switchport access vlan 1001
switchport mode access
switchport nonegotiate

0 Helpful

chinpohpang851
Level 1
Level 1

‎05-05-2022 07:18 PM

I found another thread https://community.cisco.com/t5/switching/only-seeing-broadcast-traffic-on-cisco-3750-monitoring-port/td-p/3805037/page/2

Same issue as my setup, I only see broadcast traffic.

0 Helpful

chinpohpang851
Level 1
Level 1

‎05-05-2022 07:35 PM

I found some bug of this 3650, my current IOS XE is 3.6.4.E. I think need to upgrade to resolve. version.https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/3e/release_notes/OL3264701.html#pgfId-940845

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvb60207

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card