In this guide, you will learn how to configure port mirroring on a Cisco switch.
Port mirroring is also referred to as a Switch Port Analyzer (SPAN) port, and the two are interchangeable. I will use both throughout this article, just remember they mean the same thing.
Port mirroring is a way to collect network traffic from a physical interface or from VLANs. In basic terms port mirroring takes packets from a source (physical interface or VLAN) and copies them to another physical port. Port mirroring is typically used for monitoring and troubleshooting the network.
I’ll provide an example configuration for mirroring a single physical interface and for VLANs.
Let’s get started.
Network Diagram
In the diagram below, I have a server that is connected to port gi0/1 (source port). I want to mirror this port and send a copy of the packets to port gi0/8 (destination port). On the destination port, I’ll be using Wireshark to analyze the copied packets.
Steps to Configure Port Mirroring
These commands will work for both Catalyst and Nexus switches.
Before configuring a SPAN port, it’s a good idea to see if any already exist on your switch by using the command below.
show monitor session all
Step 1: Configure Source SPAN Port
To mirror port gi0/1 I’ll use the command below.
monitor session 1 source interface gi0/1
Here is a screenshot from my switch.
Step 2: Configure Destination SPAN Port
I want to send a copy of all traffic from port gi0/1 to port gi0/8.
monitor session 1 destination interface gi0/8
Here is a screenshot from my switch.
That is it! Pretty easy right?
To review the settings use the “show monitor session all” command. You can also view a single session by specifying the session number such as “show monitor session 1”.
Example 2: Configure Port Mirror for VLANs
In this example, I’ll enable port mirroring for VLAN 100. You can specify single or multiple VLANs.
Since I’m already using session 1 I’ll create a new session.
monitor session 2 source vlan 100
If you want to monitor multiple VLANs you can specify a range, like below.
monitor session 2 source VLAN 1 - 100
Since port gi0/8 is already used in session 1, I’ll configure a new destination port.
monitor session 2 destination interface gi0/7
Now I have two port SPANs configured. I can view them both with the show monitor session all command.
Nice work. If you followed along you should now be able to configure a SPAN port on a Cisco switch or router.
Now I will open Wireshark on my computer, select the interface that is connected to port Gi0/8 and I’ll see all of the traffic sent and received from port Gi0/1.
In this example, I’m sending pings from the server (connected to port Gi0/1) to another computer on the network. You can see in the screenshot below I’m getting copies of this traffic and I’m able to analyze it with Wireshark.
To remove a SPAN session use the command “no monitor session” and the session number. For example, I’ll remove session 1
no monitor session 1
When I show all the sessions you can see session 1 is gone.
Resources
- Configure SPAN and RSPAN – Cisco documentation for a 2960-x
More Cisco Tutorials