J G
asked on
Can I SPAN mirror 2 ports at the same time?
Configure Span to mirror 2 ports on 1 port.
I have a cisco 2960, I want to sniff traffic SPAN on 2 ports to the 1 port my laptop is connected to. How can this be done?
I have a cisco 2960, I want to sniff traffic SPAN on 2 ports to the 1 port my laptop is connected to. How can this be done?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
It should work, but once again, can be IOS dependant. Just try, or find Cisco's configuration documentation for your IOS.
I had few different configurations forf SPAN depending on device model and IOS version.
Official documentation: Catalyst Switched Port Analyzer (SPAN) Configuration Example
I had few different configurations forf SPAN depending on device model and IOS version.
Official documentation: Catalyst Switched Port Analyzer (SPAN) Configuration Example
ASKER
It looks like I set it up, but the wireshark only captures traffic from 1 of them. Any suggestions how to fix?
when I go to sho monitor session 1
type local session
source ports
both Gi1/015-16
Destination Ports Gi1/0/18
Encapsulation : Native
Ingress : Disabled
when I go to sho monitor session 1
type local session
source ports
both Gi1/015-16
Destination Ports Gi1/0/18
Encapsulation : Native
Ingress : Disabled
As JIC notes above, SPAN is IOS dependent on multi-port sourcing. Though not as efficient you can do one of the following if your hardware doesn't support multi-port SPAN:
1. SPAN the associated VLAN and then filter on MAC or IP in your analyzer
2. Loop the traffic through an intermediary switch and sniff the VLAN from that switch. This will get rid of the excess unicast traffic but you will still see all vlan broadcast traffic. Filter as appropriate.
1. SPAN the associated VLAN and then filter on MAC or IP in your analyzer
2. Loop the traffic through an intermediary switch and sniff the VLAN from that switch. This will get rid of the excess unicast traffic but you will still see all vlan broadcast traffic. Filter as appropriate.
According to output is supposed to work correctly.
both Gi1/015-16 <-- means that traffic is mirrored from both listed ports in both directions (Rx and Tx)
Destination Ports Gi1/0/18 <-- to this destination port
Encapsulation : Native <-- traffic on destination port is not tagged
Ingress : Disabled <-- Destination port can only receive traffic
maybe option is supported on your switch model or license present on device. I really don't know exact root cause, I can only guess
both Gi1/015-16 <-- means that traffic is mirrored from both listed ports in both directions (Rx and Tx)
Destination Ports Gi1/0/18 <-- to this destination port
Encapsulation : Native <-- traffic on destination port is not tagged
Ingress : Disabled <-- Destination port can only receive traffic
maybe option is supported on your switch model or license present on device. I really don't know exact root cause, I can only guess
ASKER
Switch(config)# no monitor session 1
Switch(config)# monitor session 1 source interface fastEthernet0/1
Switch(config)# monitor session 1 source interface fastEthernet0/2
Switch(config)# monitor session 1 destination interface fastEthernet0/3
Switch(config)# end