slugerama

asked on

Port mirroring on a Catalyst 6513

I am setting up Surf Control within our network and have been told to mirror a port. I set up the mirror using the command: set span source_port destination_port.

The SPAN looks to be fine.

Destination     : Port */**
Admin Source    : Port #/##
Oper Source     : Port #/##
Direction       : transmit/receive
Incoming Packets: disabled
Learning        : enabled
Multicast       : enabled
Filter          : -
Status          : active

My questions are:

Do the destination port and source port have to be in the same VLAN? If yes, does the IP address of the destination port device have to be the same as that of the source port device?

I want Surf Control to have a transparent solution, so the users do not have to worry about a username or password, and I do not want users to have to type in a proxy address.
giltjr

Umm, I am not sure what port mirroring and Surf Control have to do with each other.

Port mirroring will cause a copy of all packets that are to/from the source port to be sent to the destination port.  This is done transparently.

Surf Control will NOT be able to be used as a proxy if it is connected to the destination of the mirror port.

I do not believe that Surf Control can be used as a transparent proxy; you will need to update the browser to point to the proxy server.

Typical setup:

  desktop PC <-- switch ---> Proxy <--switch---> Internet Router

What you seem to be wanting:

  desktop PC <-- Switch --> Internet
                          /\
                           |   Transparent copies of data
                           |
                          \/
                       Surf Control

You can use a protocol called WCCP to redirect HTTP traffic to Surf Control and then have it fed back to the 6513. That is done at Layer 3 though, not in Cat OS, either in the MSFC or using Native code:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008020211d.html
The source port will need to be passing the web traffic you wish to monitor.
The Surf Control machine will need network access, so yes, the VLAN of the destination port it plugs into needs to be the same as the source port and the machine should have its own IP address in the network for that VLAN. You also need to allow incoming packets.

You should consider that you're limited to one (two?) SPAN like this, and this will prevent you from using SPAN for diagnostic purposes.
slugerama

ASKER

Frabble:

I tried your suggestion of allowing incoming packets:
set span source_port destination_port inpkts enabled

What I noticed after this was a message talking about SPAN LOOPING and that the source port actually became the destination port and the destination port became the source port. I quickly disabled the span and found out that the internet was no longer available for about a minute but then came back online. I was very worried for a while, so I feel I may have been required to do something before enabling incoming packets.

The SPAN is no longer configured on the switch at the moment, so I am back to square one. Should I have disabled the SPAN then configured it again with the above command?
If the little picture that giltjr drew is what you want, you really should check out WCCP as I suggested earlier. It does exactly that, allowing Surf Control to be transparent.
I did some reading on WCCP and mikebernhardt is 100% correct.  If you want my diagram, then WCCP is the way to go.
ASKER CERTIFIED SOLUTION
Frabble
Should have also said that the SPAN configuration is as you have posted above.
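
An added example, not part of the original thread: a Python check over "show span" output in the format the asker posted, reporting the settings that decide whether the destination port only receives copies or can also send into the network. The port numbers in the sample are constructed, and treating "Incoming Packets: enabled" as a finding is this example's assumed policy for a passive monitor.

```python
# Added example. Port numbers are constructed; the thread masks the real ones.
SAMPLE_SHOW_SPAN = """\
Destination     : Port 3/2
Admin Source    : Port 3/1
Oper Source     : Port 3/1
Direction       : transmit/receive
Incoming Packets: disabled
Learning        : enabled
Multicast       : enabled
Filter          : -
Status          : active
"""


def parse_show_span(text):
    """Return one dict per SPAN session; a 'Destination' line starts a session."""
    sessions, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank lines, banners, prompts
        key = key.strip().lower()
        if key == "destination" and current:
            sessions.append(current)
            current = {}
        current[key] = value.strip()
    if current:
        sessions.append(current)
    return sessions


def review_session(session):
    """Findings for a destination port meant to feed a passive monitor (assumed policy)."""
    findings = []
    if session.get("status") != "active":
        findings.append("session is not active, so no traffic is being copied")
    if session.get("direction") != "transmit/receive":
        findings.append("only one direction is copied: %s" % session.get("direction"))
    if session.get("incoming packets") == "enabled":
        findings.append("incoming packets enabled: the attached device can send into the network")
    return findings


if __name__ == "__main__":
    for s in parse_show_span(SAMPLE_SHOW_SPAN):
        print(s["destination"], review_session(s) or "OK for passive monitoring")
```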