Port mirroring sends a copy of the network packets seen on one interface of a switch to another interface on the same switch. It is commonly used to feed network appliances such as Intrusion Detection/Prevention Systems (IDS/IPS), for network debugging, and even for real user monitoring.
Cisco Systems' implementation of port mirroring is called Switched Port Analyzer (SPAN), and this quick tutorial shows how to enable SPAN on a Cisco Nexus series switch.
- Cisco Nexus Series switch
- Device/Host connected to an interface on switch
- Device/Host connected to another interface on switch
- Wireshark for debugging https://www.wireshark.org/
1. Create Mirror Session
- Log into the switch and, in configure terminal mode, create your monitor session. As shown below, the maximum number of monitor sessions is 18.

```
NEXUSSWITCH(config)# monitor session ?
  <1-18>
  all     All sessions
NEXUSSWITCH(config)# monitor session 1
NEXUSSWITCH(config-monitor)#
```
- Here are the options available inside a monitor session.

```
NEXUSSWITCH(config-monitor)# ?
  description  Session description (max 32 characters)
  destination  Destination configuration
  filter       Filter configuration
  mtu          Set the MTU size for SPAN packets
  no           Negate a command or set its defaults
  sampling     Set the sampling range for SPAN packets
  shut         Shut a monitor session
  source       Source configuration
  end          Go to exec mode
  exit         Exit from command interpreter
  pop          Pop mode from stack or restore from name
  push         Push current mode to stack or save it under name
  where        Shows the cli context you are in
```
- For a basic monitor session we only need to set the source and the destination. We will mirror port e1/25 in both directions (rx, receive, and tx, transmit) to port e1/26, then turn the session on with `no shut`.

```
NEXUSSWITCH(config-monitor)# description "Test Monitor Session"
NEXUSSWITCH(config-monitor)# source interface ethernet 1/25 both
NEXUSSWITCH(config-monitor)# destination interface ethernet 1/26
NEXUSSWITCH(config-monitor)# no shut
```
- Check the configuration with `show monitor session 1`. The state should read `up`, the source interface should be listed under rx, tx and both, and the destination port should be the interface you will capture on.

```
NEXUSSWITCH(config-monitor)# show monitor session 1
   session 1
---------------
description       : "Test Monitor Session"
type              : local
state             : up
acl-name          : acl-name not specified
source intf       :
    rx            : Eth1/25
    tx            : Eth1/25
    both          : Eth1/25
source VLANs      :
    rx            :
destination ports : Eth1/26

Legend: f = forwarding enabled, l = learning enabled
```
- Your port mirroring session is now complete.
- Plug a computer running Wireshark into port ethernet 1/26 and start an interface capture; you should see all of the traffic entering and leaving port ethernet 1/25.
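As an added example (not part of the original tutorial), here is a small Python parser for the `show monitor session` output shown above. It extracts the session state, source and destination interfaces, and flags the mistakes most likely to leave the Wireshark capture empty: a session left shut, a missing source or destination, or the same interface used as both. The sample output is constructed to match the tutorial's.

```python
# Constructed sample in the shape of the "show monitor session 1" output above.
SAMPLE_OUTPUT = """\
   session 1
---------------
description       : "Test Monitor Session"
type              : local
state             : up
acl-name          : acl-name not specified
source intf       :
    rx            : Eth1/25
    tx            : Eth1/25
    both          : Eth1/25
source VLANs      :
    rx            :
destination ports : Eth1/26
"""

def parse_monitor_session(text):
    """Parse NX-OS 'show monitor session N' output into a dict."""
    info = {"sources": {"rx": [], "tx": [], "both": []}, "destinations": []}
    section = None  # rx/tx/both lines are interfaces only under 'source intf'
    for line in text.splitlines():
        key, sep, val = (s.strip() for s in line.partition(":"))
        if not sep:
            continue  # the 'session N' line and the dashes carry no colon
        if key in ("source intf", "source VLANs"):
            section = key
        elif key in info["sources"] and section == "source intf":
            info["sources"][key] += val.split()
        elif key == "destination ports":
            info["destinations"] = val.split()
        elif key in ("description", "type", "state"):
            info[key] = val.strip('"')
    return info

def check_session(info):
    """Return the problems a reviewer would flag; an empty list means the session is usable."""
    problems = []
    if info.get("state") != "up":
        problems.append("session not up (missing 'no shut'?)")
    if not info["destinations"]:
        problems.append("no destination port")
    if not any(info["sources"].values()):
        problems.append("no source interface")
    in_both = set(info["destinations"]) & {i for v in info["sources"].values() for i in v}
    if in_both:
        problems.append("destination also used as source: " + ", ".join(sorted(in_both)))
    return problems
```

Paste the real output of `show monitor session 1` into `SAMPLE_OUTPUT` to check a live switch.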