shankshank

asked on

Port mirroring

I have one main switch, and 4 other switches which are connected on a LAG.
I want to be able to monitor all of these switches with my software. Right now my main switch has a port mirror port set up, plugged into a NIC of a server. That port mirror is mirroring many ports. The problem is I cannot mirror the LAG connections, hence I can't get data for those 4 switches.

Can I set up a port monitor on the 4 switches, then plug those 4 port monitors into a dummy switch, which is in turn plugged into a NIC on my server, or will that cause problems with traffic bouncing or like a loop?

so SWITCH 1 ---> DUMMY SWITCH <--- SWITCH 2
                      |
                      |
                      V
                NIC on server
ASKER CERTIFIED SOLUTION
steveoskh

shankshank

ASKER

LAG is when you take multiple ports and connect them to another switch, giving more throughput, and if one cable port fails there is failover.

So right now I have my ASA5505 device and a few other servers set up to port mirror on one port. The machine on that mirror port is running NTOP. I'm not seeing the data I want to see though. I mean I see some, but it seems like there should be FAR more communication on the port with the ASA.

Sorry, I don't use Cisco gear, so I was not familiar with the term. I assume you are also using Cisco switches? You may need to look into the switch specs to see what it does with monitor traffic if there is more than it can handle. Like a lot of things, monitoring is a trade-off of differing goals.
If you want to monitor primarily web traffic, just monitor the port going to the ASA.
If you want to monitor all traffic happening on your network, you have a problem. If I understand correctly you have multiple duplex gigabit connections between switches. You want to send this traffic to a server through a simplex gigabit connection. As you are seeing, there is more traffic than the switch or your server can process and the packets are dropped.
Using the mirror port on my HP switches has been adequate for my needs, but I am monitoring 100mb ports mirrored to a gig port so the traffic volume was not an issue.
A network tap (I have not used one) on the uplinks splits the traffic into a separate send and receive stream, allowing a monitoring device to see the full traffic.
With my HP switches I can see graphically how much traffic is on each port. If you can do something similar with your switch, how much traffic are you seeing on the monitor port?

Well, I just set up the port with the ASA5505 to mirror, and I am not seeing like detailed web traffic etc.

The LAG term was with the dell switch.

Are you seeing any traffic from other machines? Or are you only seeing broadcast and traffic to and from this particular server? Some NICs did not support a promiscuous mode and would drop other traffic. Some monitor programs only work with specific brands or model NICs.

This question may pertain
https://www.experts-exchange.com/questions/23403785/Switch-Port-Mirror-Limitations-on-Monitoring-PC-using-Wireshark.html

From http://supportapj.dell.com/support/edocs/network/pc33xx/en/33xxrnot.pdf
LAG ports can not be mirrored.
In cases where both source and destination ports are Gigabit ports, some of the packets may be dropped due to the stacking management traffic.

Another post indicated that VLAN traffic will not mirror on Dell switches.

I have found some switches need to be reset before they will mirror. I could not confirm this for Dell.
Have you checked for any patches or firmware updates to the switch?

I did find http://www.miarec.com/knowledge/how-configure-port-mirroring-dell-powerconnect-2700-series which indicates a change to managed mode is required. I doubt this applies to your situation.
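
The check raised in the thread (is the capture showing other machines' traffic, or only broadcast plus traffic to and from the monitoring server?) can be run over raw captured frames. This is an added example, not part of the original thread; the function names, verdict strings, MAC addresses and sample frames are constructed for illustration.

```python
from collections import Counter

def classify_frame(frame: bytes, local_mac: bytes) -> str:
    """Bucket one raw Ethernet frame by destination/source MAC."""
    if len(frame) < 14:                      # shorter than an Ethernet header
        return "runt"
    dst, src = frame[0:6], frame[6:12]
    if local_mac in (dst, src):              # traffic to or from the monitoring NIC
        return "own"
    if dst[0] & 0x01:                        # group bit set: broadcast or multicast
        return "broadcast_multicast"
    return "third_party_unicast"             # only visible via mirror + promiscuous NIC

def assess_mirror(frames, local_mac: str):
    """Return (counts, verdict) for a capture taken on the mirror destination NIC."""
    local = bytes.fromhex(local_mac.replace(":", "").replace("-", ""))
    counts = Counter(classify_frame(f, local) for f in frames)
    if counts["third_party_unicast"]:
        verdict = "MIRROR_DELIVERING_UNICAST"
    elif counts:
        verdict = "NO_THIRD_PARTY_UNICAST"   # check mirror config and promiscuous mode
    else:
        verdict = "NO_FRAMES"
    return counts, verdict

def _frame(dst: str, src: str) -> bytes:
    """Build a constructed IPv4-typed Ethernet frame with a dummy payload."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    return h(dst) + h(src) + b"\x08\x00" + b"\x00" * 46

# Constructed sample data (locally administered MACs, not from the thread).
SERVER = "02:00:00:00:00:01"
HOST_A, HOST_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
BCAST = "ff:ff:ff:ff:ff:ff"

# What a non-promiscuous NIC or a non-working mirror looks like.
BROKEN = [_frame(BCAST, HOST_A), _frame(SERVER, HOST_B), _frame(HOST_A, SERVER)]
# The same capture plus unicast between two other hosts.
WORKING = BROKEN + [_frame(HOST_B, HOST_A), _frame(HOST_A, HOST_B)]

if __name__ == "__main__":
    for name, capture in (("broken", BROKEN), ("working", WORKING)):
        counts, verdict = assess_mirror(capture, SERVER)
        print(name, dict(counts), verdict)
```

A verdict of NO_THIRD_PARTY_UNICAST on a busy network points at the mirror configuration or the NIC's promiscuous mode rather than at dropped packets from oversubscription.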