Tuesday, March 1, 2011

Traffic monitoring (port mirroring) on Cisco Catalyst 4500 series

Earlier today I was tasked with discovering who (in our network) was causing traffic spikes on our internet connection. We have two load-balanced firewalls attached to our Cisco Catalyst 4507 core switch. Here is what I had to do in order to monitor the traffic flow. I'm going to assume you already have some packet capture software, like Wireshark.

First of all, you need to know what ports you want to monitor (mirror).  For me it happened to be both of the ports attached to the two load-balanced firewalls.  So, I need both of the ports mirrored to a single monitoring port that my laptop is hooked up to.

Here's how:



4507#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

4507(config)#monitor session 1 source interface g2/40
4507(config)#monitor session 1 source interface g2/42

The two monitor commands above tell the switch which ports I want to capture traffic on.  These are my two firewall ports.  Now, I need to tell it where to mirror the traffic:

4507(config)#monitor session 1 destination interface g2/9

If you are running these commands from a device attached to port g2/9, you will immediately lose connection with the switch, because the port is no longer accepting traffic from your device and is just sending out everything from the two source ports.  If you run your packet capture software it should go crazy with traffic, and you can start tracking down your bandwidth hog.

We can verify that the monitoring (mirroring) is set up correctly with this command (drop the "do" if you aren't in configuration mode):

4507(config)#do show monitor
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi2/40,Gi2/42
Destination Ports      : Gi2/9
    Encapsulation      : Native
          Ingress      : Disabled
         Learning      : Disabled
Filter Pkt Type        :
    RX Only            : Good

When you're done, don't forget to run the following command to remove your monitoring session:

4507(config)#no monitor session 1
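
A monitor session that is never removed keeps copying the firewall ports' traffic to the destination port, so it is worth checking for leftovers. The following is an added example, not part of the original post: it parses saved `show monitor` output in the format shown above and reports every mirror destination that is not on an approved list. The names `parse_show_monitor`, `audit_span` and `approved_destinations` are assumptions made for illustration.

```python
import re
# Constructed sample: the `show monitor` output from the post above.
SAMPLE = """\
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi2/40,Gi2/42
Destination Ports      : Gi2/9
    Encapsulation      : Native
          Ingress      : Disabled
         Learning : Disabled
Filter Pkt Type        :
    RX Only       : Good
"""

def parse_show_monitor(text):
    """Map session id -> {"type", "sources": {direction: [ports]}, "destinations": [ports]}."""
    sessions, current, in_sources = {}, None, False
    for line in text.splitlines():
        header = re.match(r"\s*Session\s+(\d+)\s*$", line)
        if header:
            current = {"type": None, "sources": {}, "destinations": []}
            sessions[int(header.group(1))], in_sources = current, False
            continue
        if current is None or ":" not in line:
            continue  # separator rows and anything before the first session
        key, _, value = (part.strip() for part in line.partition(":"))
        ports = [p.strip() for p in value.split(",") if p.strip()]
        if key == "Type":
            current["type"] = value
        elif key == "Source Ports":
            in_sources = True  # indented rows that follow are per-direction lists
        elif key == "Destination Ports":
            in_sources, current["destinations"] = False, ports
        elif in_sources and line[:1].isspace():
            current["sources"][key] = ports
        else:
            in_sources = False  # any other field ends the source-port block
    return sessions

def audit_span(text, approved_destinations=()):
    """Report each mirror destination that is not on the approved list."""
    findings = []
    for sid, s in sorted(parse_show_monitor(text).items()):
        srcs = sorted({p for ports in s["sources"].values() for p in ports})
        findings += [f"session {sid}: {','.join(srcs)} mirrored to {dst}"
                     for dst in s["destinations"] if dst not in approved_destinations]
    return findings
```

An empty result from `audit_span` means every active session mirrors only to ports you have explicitly approved.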

That's all there is to it!

10 comments:

  1. Thank You, it is working, but could you help, which tool can handle such traffic, and showing better results

  2. We develop a product called LANGuardian which can plug into a SPAN\monitor port and handle traffic like this. Just do a Google for NetFort LANGuardian and you can also download a free trial

    Darragh

  8. Thank you so much for sharing such an interesting blog with us.
