Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Port Mirror does not pass all data frames

Hi all,

I have cisco catalyst 3750.

I have noticed that when i connect the sniffer - wireshark to the port mirroring instaed of teh original port, i do not see all the packets

for example BPDU , VLANS ..

any suggestions ?

BR,

Yoram

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Port Mirror does not pass all data frames

Hello Yoram,

You need to use the SPAN and define the destination port using the optional encapsulation replicate keywords. This is an excerpt from Cat3560 IOS Configuration Guide (applies to 3750 as well):

The default configuration for local SPAN session ports is to send all  packets untagged. SPAN also does not normally monitor bridge protocol  data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery  Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol  (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol  (PAgP). However, when you enter the encapsulation replicate keywords when configuring a destination port, these changes occur:

  • Packets  are sent on the destination port with the same encapsulation—untagged,  Inter-Switch Link (ISL), or IEEE 802.1Q—that they had on the source  port.

  • Packets of all types, including BPDU and Layer 2 protocol packets, are monitored.

Therefore, a local SPAN session with encapsulation replicate enabled can  have a mixture of untagged, ISL, and IEEE 802.1Q tagged packets appear  on the destination port.

See http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swspan.html#wp1204187 for further info.

Best regards,

Peter

2 REPLIES
Cisco Employee

Re: Port Mirror does not pass all data frames

Hello Yoram,

You need to use the SPAN and define the destination port using the optional encapsulation replicate keywords. This is an excerpt from Cat3560 IOS Configuration Guide (applies to 3750 as well):

The default configuration for local SPAN session ports is to send all  packets untagged. SPAN also does not normally monitor bridge protocol  data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery  Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol  (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol  (PAgP). However, when you enter the encapsulation replicate keywords when configuring a destination port, these changes occur:

  • Packets  are sent on the destination port with the same encapsulation—untagged,  Inter-Switch Link (ISL), or IEEE 802.1Q—that they had on the source  port.

  • Packets of all types, including BPDU and Layer 2 protocol packets, are monitored.

Therefore, a local SPAN session with encapsulation replicate enabled can  have a mixture of untagged, ISL, and IEEE 802.1Q tagged packets appear  on the destination port.

See http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swspan.html#wp1204187 for further info.

Best regards,

Peter

New Member

Re: Port Mirror does not pass all data frames

Hi Peter,

Thanks a lot, it works

BR,

Yoram

754
Views
0
Helpful
2
Replies
CreatePlease to create content