Port mirroring on a Catalyst 6513

Posted on 2006-03-30
Medium Priority
Last Modified: 2008-01-09
I am setting up Surf Control within our network and have been told to mirror a port. I set up the mirror using the command: set span source_port destination_port.

The SPAN looks to be fine.

Destination     : Port */**
Admin Source    : Port #/##
Oper Source     : Port #/##
Direction       : transmit/receive
Incoming Packets: disabled
Learning        : enabled
Multicast       : enabled
Filter          : -
Status          : active

My questions are:

Do the destination port and source port have to be in the same VLAN? If yes, does the IP address of the destination port device have to be the same as that of the source port device?

I want Surf Control to be a transparent solution, so the users do not have to worry about a username or password, and I do not want users to have to type in a proxy address.
Question by:slugerama
LVL 57

Expert Comment

ID: 16339023
Umm, I am not sure what port mirroring and Surf Control have to do with each other.

Port mirroring will cause a copy of all packets that are to/from the source port to be sent to the destination port. This is done transparently.

Surf Control will NOT be able to be used as a proxy if it is connected to the destination of the mirror port.

I do not believe that Surf Control can be used as a transparent proxy; you will need to update the browser to point to the proxy server.

Typical setup:

  desktop PC <-- switch ---> Proxy <--switch---> Internet Router

What you seem to be wanting:

  desktop PC <-- Switch --> Internet
                           |   Transparent copies of data
                       Surf Control
LVL 28

Expert Comment

ID: 16346208
You can use a protocol called WCCP to redirect http traffic to surf control and then have it fed back to the 6513. That is done at Layer 3 though, not in Cat OS, either in the MSFC or using Native code:
LVL 15

Expert Comment

ID: 16356777
The source port will need to be passing the web traffic you wish to monitor.
The Surf Control machine will need network access, so yes, the VLAN of the destination port it plugs into needs to be the same as the source port and the machine should have its own IP address in the network for that VLAN. You also need to allow incoming packets.

You should consider that you're limited to one (two?) SPAN like this, which will prevent you from using it for diagnostic purposes.


Author Comment

ID: 16388003

I tried your suggestion of allowing incoming packets:
set span source_port destination_port inpkts enabled

What I noticed after this was a message talking about SPAN LOOPING and that the source port actually became the destination port and the destination port became the source port. I quickly disabled the span and found out that the internet was no longer available for about a minute but then came back online. I was very worried for a while, so I feel I may have been required to do something before enabling incoming packets.

The SPAN is no longer configured on the switch at the moment, so I am back to square one. Should I have disabled the SPAN, then configured it again with the above command?
LVL 28

Expert Comment

ID: 16393255
If the little picture that giltjr drew is what you want, you really should check out WCCP as I suggested earlier. It does exactly that, allowing Surf control to be transparent.
LVL 57

Expert Comment

ID: 16394348
I've done some reading on WCCP and mikebernhardt is 100% correct. If you want my diagram, then WCCP is the way to go.
LVL 15

Accepted Solution

Frabble earned 1000 total points
ID: 16395607
Apologies slugerama, I thought the SurfControl machine did the monitoring and blocking on the same interface.

Did some further research and found this:

As it says, you use two network cards on the machine. One is used for monitoring your internet bound traffic on the inside and will connect to the destination SPAN port, the other is for access/control and connects to another switch port.
LVL 15

Expert Comment

ID: 16395648
Should have also said that the SPAN configuration is as you have posted above.
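An added example, not from the thread or from Cisco: a small Python checker that parses a CatOS `show span` block in the format quoted in the question and flags the settings this thread turned out to matter, namely a session that is not active, a destination that has become its own source, and `Incoming Packets: enabled`, which the author reported produced a SPAN LOOPING message and a short outage. The port numbers in the sample are constructed placeholders, and the checker assumes a monitoring-only design like the accepted answer's two-NIC setup, where the monitor NIC should stay receive-only.

```python
# Constructed sample in the layout CatOS 'show span' prints (ports are placeholders).
SAMPLE_OK = """\
Destination     : Port 3/2
Admin Source    : Port 3/1
Oper Source     : Port 3/1
Direction       : transmit/receive
Incoming Packets: disabled
Learning        : enabled
Multicast       : enabled
Filter          : -
Status          : active
"""


def parse_show_span(text):
    """Turn the 'Key : Value' lines of a show span block into a dict."""
    cfg = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        cfg[key.strip()] = value.strip()
    return cfg


def check_span(cfg):
    """Return findings for a session meant only to feed a passive monitor NIC."""
    findings = []
    dest = cfg.get("Destination", "")
    src = cfg.get("Oper Source", "") or cfg.get("Admin Source", "")
    if cfg.get("Status", "").lower() != "active":
        findings.append("status: session is not active, the monitor receives no copies")
    if dest and dest == src:
        findings.append("ports: destination equals source, the session mirrors itself")
    if cfg.get("Incoming Packets", "").lower() == "enabled":
        # The thread reports a SPAN LOOPING message after 'inpkts enabled';
        # with the destination in the same VLAN the copied frames can re-enter.
        findings.append("inpkts: destination port can inject frames back into the "
                        "VLAN (loop risk); keep the monitor NIC receive-only and "
                        "manage the host through a second NIC on a normal port")
    if cfg.get("Direction", "").lower() != "transmit/receive":
        findings.append("direction: only one side of the conversation is mirrored")
    return findings


def audit(text):
    """Parse a show span block and return its findings (empty means clean)."""
    return check_span(parse_show_span(text))
```

Run `audit(SAMPLE_OK)` on a pasted block; an empty list means the session matches the passive-monitor design, anything else is a line to fix before plugging in the monitor.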
