I was hoping to streamline this configuration. I have a 2950 that I would like to use for monitoring traffic by placing in-line anywhere.
Here is the catch, I do not know what Vlan it will be plugged into at anytime
I would put a PC with Monitor software on Port 1, Plug the server I would like to monitor on Port 2, then the uplink on Port 3.
The uplink could be Vlan X , where X changes depending on what segment I plug it into. I would rather not have to configure the Vlan on the switch everytime I want to use it. I am also hoping that the mirror config will stay.
My goal is to have this set up so all I need to do is plug it in and put my sniffer on port 1, the item I want to monitor on port 2 and the uplink on port 3.
Like a dumb-hub, which I do not have one.
Switch(config)# monitor session 1 source interface gigabitethernet0/2 - 3
Switch(config)# monitor session 1 destination interface gigabitethernet0/1
What type of port connecting to uplink port3?
What do you mean that you have to change the vlan on that uplink port?
The switch is all copper ports, auto sense 10/100.
For example...I have a server connected to a 3750 on vlan 50.
I want to monitor traffic to/from this server and I do not have access to the 3750.
I disconnect the cable from the servers NIC (which is coming from the 3750) and plug it into port 3 on the 2950.
I plug a new cable from the server NIC into the 2950 port 2
I connect my PC with the sniffer software on port 1.
I mirror the traffic of port 2 to port 1.
Now, how does the switch continue to pass traffic as the port the server was connected to was on Vlan50. Not I put this 2950 in between and have not configured Vlan 50 on it anywhere.
Please correct me if I'm wrong.
You have a server connecting to other switch(C3750). It is in vlan50.
Do you have an uplink connecting between C2960 and C3750? It has to be a trunk port.
If they are connecting with each other via a trunk port.What I can recommend is that you should use RSPAN. You need not move cables.
monitor session 1 source interface
monitor session 1 destination remote vlan 400
monitor session 1 source remote vlan 400
monitor session 1 destination interface
Thank you. Yes that will work. What I am looking for is a situation where I walk into a location and they have a 3750 that has the uplink connected to the rest of the network via its fiber port and trunking enabled. Multiple VLANS are on this 3750, but the port I am interested in, for example is the server connected to port 10 on the 3750.
I want to monitor that port and I dont have the password to the 3750.
I disconnect the cable from port 10 (the other end of this cable plugs into the server I want to monitor)
I plug that cable into my 2950 that I carried to the location. I plug it into port 3 of the 2950. So now port 10 of the 3750 is not going to the server anymore, it is going to the 2950 port 3.
I plug the server into port 2 of the 2950
I plug my analyzer into port 1 of the 2950.
The 2950 was configured to mirror port 2 traffic to port 1, so I should be able to capture packets.
But since the original configuration had port 10 on the 3750 on Vlan 50, how will the 2950 pick up on this without me having to configure it.
If I had a true HUB, I could do this as it is dumb. I put the hub in between the server and the 3750. Then plug my analyzer into any port, and by nature a 10/100 hub will mirror all packets on all ports and I will be able to capture the packets. The hub does not know or care about VLANs so it will just pass the packets untouched.
That is what I am trying to achieve here. A way to break into the line without having to touch any configurations on any of the switches.
I hope this makes sense....
I like the way thotsaphon set it up but I understand your concern over vlans. However, I wonder if you can avoid them. Imagine you were using an older switch that only supported 1 vlan (like a really old 1900 or similar). What I mean to say is why configure the uplink port to be a trunk. Configure the uplink port to access mode with only the vlan of the server plugged into port 3.
Then configure the switch to use the default vlan on all ports.
On the 3750 in your example:
int gig 1/0/48
switchport mode access
switchport access vlan 50
on the 2950 leave all default configs except the mods given by thotsaphon.
You wouldn't be able to ssh or telnet to the 2950 but the monitor should work.
In my mind this way you could even do something less brain intense. Unplug the server connected to the 3750 (it's probably configured on the correct vlan and in access mode) - plug your 2950 w/ monitor station in - plug your server into port 3 of the 2950.
In other words if you can do it this way you don't have do anything on the config side just the physical cabling and you can basically unplug any server on any switch and plug the 2950 in and the server into port 3 and start monitoring.
Excellent. This is what I was concerned about. I do have a few questions (sorry)
The last option is what I am looking for.
For example, I have a DMZ switch, most server ports are Access Mode Vlan 10. Native Vlan is 1, but we disable this Vlan on most of the switches.
If I try the last option, how does the 2950 pass Vlan 10 if it is not configured to do so. If the port on the 3750 is access mode Vlan 10, does it put the packets on that port untagged, ie strips the Vlan ID? Then all packets FROM the server when they hit the 3750 port, get Vlan ID 10 put back on?? (sorry, vlan knowledge a little rusty
What if negotiation of trunking is on the 3750 port?
Thanks in advance!!!!
Well if you set the uplink port on the 2950 to access mode I can't be sure but it seems it should autonegotiate to access mode on the 3750 side.
Of course, I would also question the idea of setting the 3750 port to auto-negotiate trunk vs access but that's a seperate issue.
If it were me I'd find a cheap 2nd switch and any 2 pc's to test all this.
Please rate the information in these posts accordingly.
There are a couple of gotchas with your intended use.
Those are CDP and STP.
If you only intend to monitor access ports, then you really don't care what vlan number the access switch (not your 2950) has associated with the port. That information is totally inside the access switch, and you don't need to think about it.
If you intend to monitor trunks, things get more complicated.
So, the issues:
CDP - If your 2950 is broadcasting CDP messages, then the access switch will likely log errors about VLAN mismatch. Best to keep your switch quiet by disabling CDP on the uplink and downlink ports (or globally!).
STP - If the access switch has configured the port with bpduguard, you could put it into errdisable state by plugging in your 2950. Not good. Disable STP on the switch/vlan/port before plugging it into somebody else's access port.