Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3376
Views
0
Helpful
5
Replies

Switch SF300 - Port Mirroring

mohammed hashim
Level 1
Level 1

‎08-04-2018 04:59 AM - edited ‎03-08-2019 03:49 PM

Hi,

 

I have Cisco Switch SF300-48PP

 

I have only one Vlan (Vlan 1) and all ports in this Vlan

 

 

2018_08_04_15_57_29_MTPuTTY_Multi_Tabbed_PuTTY_.jpg 

 

I configured Port Mirroring, but did not work as expected, I dont see any traffic (except ARP and local Multicast).

 

interface gigabitethernet2
port monitor vlan 1

 

 

2018_08_04_15_55_17_SF300_48PP_48_Port_10_100_PoE_Managed_Switch.jpg

 

Packet sniffer machine is connected to GE2,

 

what can I do to fix this issue?

 

thanks,

Labels:
0 Helpful
5 Replies 5

Georg Pauwen
VIP
VIP

‎08-04-2018 05:17 AM

Hello,

 

try and use the GUI (page 89 --> Step 1 of the attached guide).

 

Also make sure you are running the latest firmware (1.4.9.04)...

 

https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/78-19308-01.pdf

0 Helpful

Deepak Kumar
VIP Alumni
VIP Alumni

‎08-05-2018 12:43 AM

Hi,

As per attached configuration, there is no "Type" of traffic selected in the configuration.

 

"Type" —Select whether incoming, outgoing, or both types of traffic are
mirrored to the analyzer port.

 

Regards,

Deepak Kumar

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

pieterh
VIP
VIP

‎08-06-2018 01:05 AM

"can you relate the captured data to any of the connected ports?

are there any access-lists active ?

 

provide more detail about the monitor config

"show monitor session all"

"suw running-config interface vlan1"

0 Helpful

mohammed hashim
Level 1
Level 1
In response to pieterh

‎08-08-2018 08:14 AM

Thank you guys for your response,

 

the IOS in of this switch SF300 is mini, it is different from normal Cisco Catalyst Switches IOS

 

2018_08_08_19_03_25_MTPuTTY_Multi_Tabbed_PuTTY_.jpg

 

I have upgraded the firmware to the latest version

 

I also observed the issue is no related to the switch, because when I captured my laptop directly to the switch and run Wireshark, I got the capture correctly.

 

but the issue seems in the vSwitch, as the packet sniffer I have is a VM connected through vSwitch to the SPAN port.

2018_08_08_19_06_14_192.168.1.9_vSphere_Client.jpg

 

 

 

I have made the vSwitch work as "Promiscuous Mode", but it did not solve the issue !!!

 

2018_08_08_19_09_04_vSwitch1_Properties.jpg

 

2018_08_08_19_09_28_vSwitch1_Properties.jpg

 

 

If you have faced and solved this issue before, please help me on it, otherwise I need to ask VMware community,

 

I apologize as this was not in the input of my first post.

0 Helpful

pieterh
VIP
VIP
In response to mohammed hashim

‎08-09-2018 12:02 AM

I don't really see why you want this setup. 

Cisco uses RSPAN that does what you describe to capture on one switch and send date to a port on another switch.

 

but I suggest the problem lies in VLAN "tagging" the switch span port may or may not send the packets with the original vlan tag (vlan1)!

where the vswitch port may or may not accept tagged or untagged packets.

 

1) try configuring the vmnic3 port as trunk to accept both tagged and untagged packets for vlan 1

2) configure the VM to not using the vswitch, but directly to another (free) vmnic

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card