Port Monitor Basic HowTo

About

This document provides a basic port monitor use-case, and how it is configured using the CLI.

For an overview of all available configuration settings for Monitor refer to the configuration guide:

Introduction

In some situations it may be necessary to capture or sniff traffic that enters the switch, perhaps for troubleshooting or for some kind of security monitoring or investigation.

Since a switch only forwards packets to the port where the destination is located, port monitoring must be used in order to sniff traffic on a switch. This is in stark contrast to, say, a hub, where all traffic is copied to all ports on the device.

    .---------.          .---------.          .---------.
    |         |          |         |          |         |
    |   H1    +----------+   S1    +----------+   H2    |
    |         |     eth1 |         | eth2     |         |
    '---------'          '----+----'          '---------'
                              | eth3
                              |
                              |
                         .----+----.
                         |         |
                         | Sniffer |
                         |         |
                         '---------'

Figure 1: Example network where the switch S1 is configured to monitor/mirror traffic from H1 and H2 to the sniffer device.

In the example above we have a switch, S1. We are interested in all traffic that ingresses or egresses on eth1, i.e. traffic from or towards H1. Further, we are also interested in all traffic that egresses on eth2 towards H2. Therefore, we set up a port monitor on the switch to duplicate the traffic of interest to the sniffer device connected to eth3.

Configuration

Configure the switch to monitor ports eth1 and eth2 and duplicate the packets to eth3.

S1:/#> configure
S1:/config/#> monitor 1
S1:/config/monitor-1/#> source port eth1
S1:/config/monitor-1/#> source port eth2 egress
S1:/config/monitor-1/#> destination eth3
S1:/config/monitor-1/#> leave
S1:/#>

With this configuration, any traffic ingressing or egressing on eth1, and any traffic egressing on eth2, is duplicated to eth3. This enables our sniffing device to observe the traffic of interest.

Show monitor configuration

To verify that the monitoring instance has been configured correctly, we can check its status from the admin context in the following manner.

Server:/#> show monitor
Instance: 1
Source(s)      : eth1 inbound | outbound
               : eth2 outbound
Destination(s) : eth3
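To check a listing like the one above against the intended configuration automatically, here is an added example (not part of this HowTo or of the switch firmware) that parses the `show monitor` output and reports any source or destination that deviates from what was configured with the CLI. The mapping from CLI directions to the status words (no direction = inbound and outbound, ingress = inbound, egress = outbound) is assumed from the example above.

```python
"""Parse `show monitor` output and diff it against the intended mirror config.
Added example; the CLI-to-status mapping (no direction = both, ingress = inbound,
egress = outbound) is an assumption based on the HowTo's own example."""
import re

# Constructed sample: the `show monitor` output as shown in the HowTo.
SHOW_MONITOR = """\
Server:/#> show monitor
Instance: 1
Source(s)      : eth1 inbound | outbound
               : eth2 outbound
Destination(s) : eth3
"""
DIRECTION = {"ingress": {"inbound"}, "egress": {"outbound"}}

def parse_show_monitor(text):
    """Return {"sources": {port: {directions}}, "destinations": {ports}}."""
    state, section = {"sources": {}, "destinations": set()}, None
    for line in text.splitlines():
        # Header lines name the section; continuation lines start with a bare ":".
        m = re.match(r"\s*(Source\(s\)|Destination\(s\))?\s*:\s*(.*)", line)
        if not m:
            continue  # prompt echo, "Instance:" line or unrelated output
        section = m.group(1) or section
        tokens = m.group(2).replace("|", " ").split()
        if section == "Source(s)" and tokens:
            state["sources"][tokens[0]] = set(tokens[1:])
        elif section == "Destination(s)":
            state["destinations"].update(tokens)
    return state

def intent_from_cli(source_lines, destination):
    """Translate `source port <port> [ingress|egress]` CLI lines into expected state."""
    sources = {}
    for line in source_lines:
        parts = line.split()
        sources[parts[2]] = set(DIRECTION[parts[3]]) if len(parts) > 3 else {"inbound", "outbound"}
    return {"sources": sources, "destinations": {destination}}

def verify(actual, intent):
    """List every difference between live state and intent (empty list = match).
    Unplanned sources or destinations matter most: traffic is copied to or from a port nobody configured."""
    problems = []
    for port in sorted(actual["sources"].keys() | intent["sources"].keys()):
        got, want = actual["sources"].get(port, set()), intent["sources"].get(port, set())
        if got != want:
            problems.append(f"{port}: mirrors {sorted(got)}, want {sorted(want)}")
    if actual["destinations"] != intent["destinations"]:
        problems.append(f"destinations {sorted(actual['destinations'])}, want {sorted(intent['destinations'])}")
    return problems
```

Running `verify(parse_show_monitor(SHOW_MONITOR), intent_from_cli(["source port eth1", "source port eth2 egress"], "eth3"))` returns an empty list for the configuration in this HowTo; any extra or missing mirror source, or a different destination port, shows up as one entry per difference.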