newbie vlan question

Discussion in 'Cisco' started by Bert Prefect, Jan 5, 2004.

  1. Bert Prefect (Guest)

    I have an Intrusion Detection System (IDS) on one of my VLAN ports.
    The other ports in the VLAN are mirrored to this IDS port so I can see
    the traffic passing through.

    How do I verify that these ports are actually mirroring to the IDS?

    (Catalyst 4507 - Ver. 12.1)
    #sh vlan
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    20   VLAN0020                         active    Fa3/25, Fa3/26, Fa3/27, Fa3/28
                                                    Fa3/29, Fa3/30, Fa3/31, Fa3/32
                                                    Fa3/33, Fa3/34, Fa3/35, Fa3/36
                                                    Fa3/37, Fa3/38, Fa3/39, Fa3/40
                                                    Fa3/41, Fa3/42, Fa3/43, Fa3/44
                                                    Fa3/45, Fa3/46, Fa3/47, Fa3/48

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    20   enet  100020     1500  -      -      -        -    -        0

    Bert Prefect, Jan 5, 2004

  2. Mike (Guest)

    Depending upon the code, either sho port mirroring or sho span.

    Hope that helps.

    Mike, Jan 6, 2004

  3. Bert Prefect (Guest)

    Thanks Mike.

    sho span

    A follow-up question on this:

    #sho span
    Spanning tree enabled protocol ieee
      Root ID    Priority    32788
                 Address     000e.387f.a680
                 This bridge is the root
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
                 Address     000e.387f.a680
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 300

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- --------
    Fa3/25           Desg FWD 19        128.153  P2p
    Fa3/26           Desg FWD 19        128.154  P2p
    Fa3/27           Desg FWD 19        128.155  P2p
    Fa3/28           Desg FWD 19        128.156  P2p
    Fa3/29           Desg FWD 19        128.157  P2p
    Fa3/30           Desg FWD 19        128.158  P2p
    Fa3/31           Desg FWD 19        128.159  P2p
    Fa3/32           Desg FWD 19        128.160  P2p
    Fa3/33           Desg FWD 100       128.161  Shr
    Fa3/34           Desg FWD 19        128.162  P2p
    Fa3/35           Desg FWD 19        128.163  Shr

    #sh span detail
    Sample port config:
    Port 163 (FastEthernet3/35) of VLAN0020 is forwarding
    Port path cost 19, Port priority 128, Port Identifier 128.163.
    Designated root has priority 32788, address 000e.387f.a680
    Designated bridge has priority 32788, address 000e.387f.a680
    Designated port id is 128.163, designated path cost 0
    Timers: message age 0, forward delay 0, hold 0
    Number of transitions to forwarding state: 1
    Link type is shared by default
    BPDU: sent 864126, received 0

    ** I can't seem to find in the config where 3/48 is the designated
    recipient of the port mirrors on VLAN 20

    Bert Prefect, Jan 7, 2004
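Added example (editor's, not from the thread). On an IOS-based Catalyst such as this 4507 on 12.1, "sho span" expands to "show spanning-tree", which is what the output above is; it says nothing about port mirroring, so 3/48 will not appear there as a mirror destination. SPAN sessions live in "monitor session" lines of the running-config and are displayed with "show monitor session". The script below parses those lines from a constructed running-config excerpt (the session numbers, the second session and its port list are assumptions, not the poster's switch), reports which session, if any, has Fa3/48 as its destination, and lists the VLAN 20 ports that a session fails to cover, which is the easiest mistake to make when sources are listed port by port instead of as "source vlan 20".

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed running-config excerpt (assumed session numbers and ports; not
# taken from the poster's switch). This is what `show running-config | include
# monitor` would return on an IOS Catalyst.
RUNNING_CONFIG = """\
monitor session 1 source vlan 20
monitor session 1 destination interface Fa3/48
monitor session 2 source interface Fa3/25 - 28 , Fa3/33
"""

# The ports listed under VLAN0020 in the poster's `show vlan` output.
VLAN20_PORTS = ["Fa3/%d" % n for n in range(25, 49)]


@dataclass
class SpanSession:
    number: int
    source_vlans: Set[int] = field(default_factory=set)
    source_ports: Set[str] = field(default_factory=set)
    destination: Optional[str] = None


_RANGE = re.compile(r"([A-Za-z]+\d+/)(\d+)\s*-\s*(\d+)")
_SINGLE = re.compile(r"[A-Za-z]+\d+/\d+")
_LINE = re.compile(
    r"^monitor session (\d+) (source vlan|source interface|destination interface) (.+?)\s*$"
)


def expand_ports(spec: str) -> Set[str]:
    """Expand an IOS port list such as 'Fa3/25 - 28 , Fa3/33' into port names."""
    ports: Set[str] = set()
    for item in spec.split(","):
        item = item.strip()
        m = _RANGE.fullmatch(item)
        if m:
            prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
            ports.update("%s%d" % (prefix, n) for n in range(lo, hi + 1))
        elif _SINGLE.fullmatch(item):
            ports.add(item)
        else:
            raise ValueError("unrecognised port spec: %r" % item)
    return ports


def expand_vlans(spec: str) -> Set[int]:
    """Expand a VLAN list such as '20' or '20 - 22 , 30' into VLAN ids."""
    vlans: Set[int] = set()
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_monitor_sessions(config: str) -> Dict[int, SpanSession]:
    """Group the `monitor session N ...` lines of a running-config into sessions."""
    sessions: Dict[int, SpanSession] = {}
    for line in config.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        number, kind, spec = int(m.group(1)), m.group(2), m.group(3)
        sess = sessions.setdefault(number, SpanSession(number))
        if kind == "source vlan":
            sess.source_vlans |= expand_vlans(spec)
        elif kind == "source interface":
            sess.source_ports |= expand_ports(spec)
        else:
            sess.destination = spec.strip()
    return sessions


def session_for_destination(sessions: Dict[int, SpanSession], port: str) -> Optional[SpanSession]:
    """The session whose destination is `port`, or None if nothing is mirrored there."""
    return next((s for s in sessions.values() if s.destination == port), None)


def uncovered_ports(sess: SpanSession, vlan: int, vlan_ports: List[str]) -> List[str]:
    """Ports of `vlan` whose traffic this session does not copy to its destination.

    A VLAN source covers every port in the VLAN; otherwise each port has to be
    listed explicitly. The destination port itself is never a source.
    """
    if vlan in sess.source_vlans:
        return []
    return [p for p in vlan_ports if p not in sess.source_ports and p != sess.destination]


if __name__ == "__main__":
    sessions = parse_monitor_sessions(RUNNING_CONFIG)
    for sess in sessions.values():
        gap = uncovered_ports(sess, 20, VLAN20_PORTS)
        print("session %d -> %s: %s" % (sess.number, sess.destination or "NO DESTINATION",
                                        "covers all of VLAN 20" if not gap else "misses " + ", ".join(gap)))
    found = session_for_destination(sessions, "Fa3/48")
    print("Fa3/48 is the destination of session", found.number if found else None)
```

Paste the output of "show running-config | include monitor session" into RUNNING_CONFIG to run it against a real box; a session with no destination line (session 2 here) is the configuration equivalent of an IDS that sees nothing.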
  4. AnyBody43 (Guest)

    This will of course confirm that the box is configured for
    mirroring; however, I suspect that Bert may have had in mind
    whether the box was working "as advertised" with respect
    to the mirroring.

    This suspicion may be incorrect, but I tend to approach these
    things (manufacturers' claims) with maximum cynicism. It is an
    interesting question, so here are a few thoughts:

    To prove that mirroring was working beyond doubt would be
    pretty difficult. There are a few approaches that I can think of.

    1. Do an audit on the port counters.
    Clear all of the port counters and sum the inbound counters on
    all of the ports in the VLAN and see if that is the same value as
    the outbound counter on the SPAN (mirror dest) port.

    If you were to do this, consider whether you might have a large
    number of legitimately discarded frames. These are counted too,
    of course, but it will add some more work to the exercise.

    This idea will fail if there is a trunk port (or ports) carrying
    multiple VLANs.

    2. Carry out tests by sending known traffic into the VLAN and checking
    that it comes out the SPAN port. In the absence of a fancy tester
    (Smartbits maybe) you will need a bit of imagination to design
    suitable tests. If it passes your tests then you might assume that
    it was working for your real traffic.

    3. Sample the real traffic and make sure that all of the sampled
    packets reached the SPAN port. If all of the packets that you
    sample get to the SPAN port then, with a reasonable sample size,
    you could reasonably assume that all of the real traffic was
    getting to the SPAN port.

    4. Record the real traffic and compare it with the SPANned
    traffic. This could need a _lot_ of hardware but is in
    principle something that could be done. It all depends
    on how serious you are about verifying the behaviour
    of the equipment, e.g. loads of sniffers, save to text files,
    write some code to sort them all out and find out if anything
    is missing. Doable! Very hard to do for all traffic, though.
    The latter is something that I suppose some paranoid military
    or government types might be interested in.

    You should be aware that if the sum of all of the traffic on
    the VLAN exceeds the capacity of the SPAN port then packets
    will be lost. There are output buffers on the ports but these
    will only deal with a short overflow.
    AnyBody43, Jan 9, 2004
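Added example (editor's, not from the thread) implementing the counter audit (approach 1) and the sampling check (approach 3) from the post above. The "show interfaces" excerpt and the frames are constructed; the port names, figures and the session direction are assumptions. The audit treats frames that the destination port counted as output drops as "copied but not delivered", which is exactly the oversubscription case the last paragraph warns about: if sent plus dropped equals the source total, mirroring itself is working and the remedy is bandwidth, not configuration. Note that the default direction of an IOS SPAN source is both, in which case the comparison must include the sources' outbound counters too, which the direction parameter handles. The sample check hashes frames with any 802.1Q tag removed, so a frame sampled on a tagged link still matches its untagged copy on a native-encapsulation SPAN port, and it counts duplicates, so a frame sampled twice has to turn up twice.

```python
import hashlib
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed `show interfaces` excerpt (assumed figures; not the poster's switch).
# Fa3/25 and Fa3/26 are the SPAN sources, Fa3/48 the destination.
SHOW_INTERFACES = """\
FastEthernet3/25 is up, line protocol is up (connected)
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
     1000 packets input, 640000 bytes, 0 no buffer
     400 packets output, 256000 bytes, 0 underruns
FastEthernet3/26 is up, line protocol is up (connected)
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
     2500 packets input, 1600000 bytes, 0 no buffer
     900 packets output, 576000 bytes, 0 underruns
FastEthernet3/48 is up, line protocol is up (monitoring)
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 37
     0 packets input, 0 bytes, 0 no buffer
     3463 packets output, 2216320 bytes, 0 underruns
"""

_IFACE = re.compile(r"^(\S+) is (?:up|down|administratively down)")
_FIELDS = {
    "in": re.compile(r"(\d+) packets input"),
    "out": re.compile(r"(\d+) packets output"),
    "drops": re.compile(r"Total output drops: (\d+)"),
}


def parse_interface_counters(text: str) -> Dict[str, Dict[str, int]]:
    """Per-interface packets input/output and output drops from `show interfaces`."""
    counters: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = _IFACE.match(line)
        if m:
            current = m.group(1)
            counters[current] = {"in": 0, "out": 0, "drops": 0}
            continue
        if current is None:
            continue
        for key, rx in _FIELDS.items():
            m = rx.search(line)
            if m:
                counters[current][key] = int(m.group(1))
    return counters


def audit_span(counters: Dict[str, Dict[str, int]], source_ports: List[str],
               span_port: str, direction: str = "rx",
               tolerance: float = 0.001) -> Tuple[int, int, int, bool]:
    """Compare what the sources should have produced with what the SPAN port sent.

    direction="rx"   : session mirrors ingress only    -> expected = sum(in)
    direction="both" : session mirrors both directions -> expected = sum(in + out)
    Returns (expected, sent, dropped, ok); ok means sent + dropped is within
    `tolerance` of expected, i.e. every frame was copied even if the destination
    then dropped some because the VLAN's traffic exceeded the port's capacity.
    Counters must have been cleared together and read while the VLAN was quiet.
    """
    expected = 0
    for port in source_ports:
        c = counters[port]
        expected += c["in"] + (c["out"] if direction == "both" else 0)
    sent, dropped = counters[span_port]["out"], counters[span_port]["drops"]
    ok = abs((sent + dropped) - expected) <= tolerance * max(expected, 1)
    return expected, sent, dropped, ok


def frame_id(frame: bytes) -> str:
    """Hash of a frame with any 802.1Q tag removed, so a tagged frame captured on
    the source side matches its untagged copy on a native-encapsulation SPAN port."""
    if len(frame) >= 16 and frame[12:14] == b"\x81\x00":
        frame = frame[:12] + frame[16:]
    return hashlib.sha256(frame).hexdigest()


def missing_from_span(sampled: Iterable[bytes], spanned: Iterable[bytes]) -> List[bytes]:
    """Sampled source frames absent from the SPAN-side capture, counted as a multiset."""
    available = Counter(frame_id(f) for f in spanned)
    missing: List[bytes] = []
    for frame in sampled:
        fid = frame_id(frame)
        if available[fid] > 0:
            available[fid] -= 1
        else:
            missing.append(frame)
    return missing


# Constructed frames: broadcast destination, the switch's own MAC as source,
# ARP ethertype, and a distinct payload each so they are told apart.
SAMPLED = [b"\xff" * 6 + b"\x00\x0e\x38\x7f\xa6\x80" + b"\x08\x06" + b"payload-%d" % i
           for i in range(5)]
# The SPAN-side capture lacks frame 3 and carries an unrelated frame of its own.
SPANNED = SAMPLED[:3] + SAMPLED[4:] + [b"\xff" * 6 + b"\x00\x0e\x38\x7f\xa6\x81" + b"\x08\x00" + b"other"]


if __name__ == "__main__":
    sources = ["FastEthernet3/25", "FastEthernet3/26"]
    counters = parse_interface_counters(SHOW_INTERFACES)
    print("rx audit   :", audit_span(counters, sources, "FastEthernet3/48"))
    print("both audit :", audit_span(counters, sources, "FastEthernet3/48", "both"))
    print("missing    :", missing_from_span(SAMPLED, SPANNED))
```

For the counter audit on a real switch, issue "clear counters" once for the whole box rather than per port, take "show interfaces" in one pass, and exclude any trunk from the source list, since its counters carry other VLANs' traffic as the post says. For the sample check, feed it the raw frame bytes from a capture on a source host and from the IDS port; the constructed SPANNED list above shows the expected result, one missing frame, with the stray extra frame on the SPAN side correctly ignored.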
