How to Enable Port Mirroring on a Cisco Nexus Switch (SPAN)

Port mirroring sends a copy of the network packets seen on one interface of a switch to another interface on the same switch. It is commonly used for network appliances such as Intrusion Detection Systems (IDS), network debugging, and even real user monitoring.

Cisco Systems' method of port mirroring is called Switched Port Analyzer (SPAN), and this quick tutorial shows how to enable SPAN on a Cisco Nexus series switch.

 Prerequisites

  • Cisco Nexus Series switch
  • Device/Host connected to an interface on switch
  • Device/Host connected to another interface on switch
  • Wireshark for debugging (https://www.wireshark.org/)

 1. Create Mirror Session

  • Log into the switch and, in configure terminal mode, create your monitor session. As shown below, the maximum number of monitor sessions is 18.
NEXUSSWITCH(config)# monitor session ?
 <1-18>
 all All sessions
NEXUSSWITCH(config)# monitor session 1
NEXUSSWITCH(config-monitor)#
  • These are the options available inside a monitor session.
NEXUSSWITCH(config-monitor)# ?
 description Session description (max 32 characters)
 destination Destination configuration
 filter Filter configuration
 mtu Set the MTU size for SPAN packets
 no Negate a command or set its defaults
 sampling Set the sampling range for SPAN packets
 shut Shut a monitor session
 source Source configuration
 end Go to exec mode
 exit Exit from command interpreter
 pop Pop mode from stack or restore from name
 push Push current mode to stack or save it under name
 where Shows the cli context you are in
  • For a basic monitor session, we need to set the source and destination. We will mirror port e1/25 in both directions, rx and tx (receive and transmit), to port e1/26 and turn on the session with no shut.
NEXUSSWITCH(config-monitor)# description "Test Monitor Session"
NEXUSSWITCH(config-monitor)# source interface ethernet 1/25 both
NEXUSSWITCH(config-monitor)# destination interface ethernet 1/26
NEXUSSWITCH(config-monitor)# no shut
  • Check the configuration by running show monitor session for the session you created.
NEXUSSWITCH(config-monitor)# show monitor session 1
 session 1
---------------
description : "Test Monitor Session"
type : local
state : up
acl-name : acl-name not specified
source intf :
 rx : Eth1/25
 tx : Eth1/25
 both : Eth1/25
source VLANs :
 rx :
destination ports : Eth1/26
Legend: f = forwarding enabled, l = learning enabled
  • Your port mirroring should now be complete.
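
Because a SPAN session copies every packet on the source port, it is worth checking that each session on a switch mirrors only the port you intended, to the destination you intended. The script below is an added example, not part of the original tutorial or any Cisco tooling: it parses the show monitor session output shown above and reports deviations. The function names and the multi-interface separator handling are assumptions.

```python
import re

# Constructed sample: the "show monitor session 1" output shown in the tutorial.
SAMPLE = '''\
 session 1
---------------
description : "Test Monitor Session"
type : local
state : up
acl-name : acl-name not specified
source intf :
 rx : Eth1/25
 tx : Eth1/25
 both : Eth1/25
source VLANs :
 rx :
destination ports : Eth1/26
Legend: f = forwarding enabled, l = learning enabled
'''

def ports(val):
    # Assumption: multiple interfaces are separated by commas and/or spaces.
    return [p for p in re.split(r"[,\s]+", val or "") if p]

def parse_session(text):
    """Flatten one 'show monitor session N' block into a dict."""
    out, parent = {}, None
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        m = re.match(r"\s*session\s+(\d+)\s*$", line)
        if m:
            out["session"] = int(m.group(1))
        elif sep and key[:1].isspace() and parent:
            out[f"{parent} {key.strip()}"] = ports(val)  # e.g. "source intf rx"
        elif sep and val.strip():
            out[key.strip()], parent = val.strip().strip('"'), None
        elif sep:
            parent = key.strip()  # heading such as "source intf :"
    return out

def audit(session, expected_src, expected_dst):
    """Return findings; an empty list means the session matches the intent."""
    findings = []
    if session.get("state") != "up":
        findings.append(f"state is {session.get('state')!r}, not 'up'")
    for direction in ("rx", "tx"):
        if expected_src not in session.get(f"source intf {direction}", []):
            findings.append(f"{expected_src} not mirrored for {direction}")
    if ports(session.get("destination ports")) != [expected_dst]:
        findings.append(f"destination ports differ from {expected_dst}")
    return findings
```

Calling audit(parse_session(output), "Eth1/25", "Eth1/26") on saved switch output returns an empty list when the session matches the configuration in this tutorial.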

2. Test

  • Plug a computer running Wireshark into port ethernet 1/26 and start a capture on its network interface. You should be able to see all the traffic that is coming in and out of port ethernet 1/25.
