Solved: Re: Port monitoring on a 2901 router for purpose of packet captu

KavehSheikh_2 · ‎07-27-2012

Hello all,

I have always done my port monitoring (SPAN) on Cisco layer 3 switches with no issues. This time I am trying to do this on a Cisco 2901 router:

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M2, RELEASE SOFTWARE (fc1)

System image file is "flash0:c2900-universalk9-mz.SPA.151-4.M2.bin

I need to have the source port gig0/0 and destination port gig0/1. There is something about the gig port enumeration (slot/port#) that makes the command rejected. It is self explanatory:

#sh ip int brie

Interface IP-Address OK? Method Status Protocol

Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down

GigabitEthernet0/0 xxx.xxx.xxx.xxx YES NVRAM up up

GigabitEthernet0/1 unassigned YES NVRAM up up

Serial0/0/0:0 unassigned YES unset up up

Serial0/0/1:0 unassigned YES unset up up

Serial0/1/0:0 unassigned YES unset up up

Serial0/1/1:0 unassigned YES unset up up

Multilink1 xxx.xxx.xxx.xxx YES NVRAM up up

#conf t

#

monitor session 1 destination interface gigabitEthernet 0/0

% Incomplete command.

#monitor session 1 destination interface gigabitEthernet 0/0?

/ : <0-1>

(config)#monitor session 1 destination interface gigabitEthernet 0/0/?

<4294967295-0> GigabitEthernet interface number

(config)#monitor session 1 destination interface gigabitEthernet 0/0/0?

% Unrecognized command

(config)#monitor session 1 destination interface gigabitEthernet 0/0/1?

% Unrecognized command

Lenexa-MPLS(config)#monitor session 1 destination interface gigabitEthernet 0/0/1 ?

% Unrecognized command

(config)#monitor session 1 destination interface gigabitEthernet 0/0/1

It doesn't matter what slot or port number I use, it is always rejected. The command is rejected for Both destination and source gig interfaces. I tried a wide variety of slot/port numbers. To my best understanding the complete port names are: GigabitEthernet0/0 and GigabitEthernet0/1, so why does it think there has to be another digit after 0/0 or 0/1? Does it have anything to do with the Embedded-Service-Engine0/0 being administratively down?

Any help is appreciated. I cannot find this specific issue beinbg discussed here.

Thank you!

Reza Sharifi · ‎07-27-2012

Hi,

Could not be sure of this behavior, but I think, you may need an HWIC module to support SPAN:

Q. What is Switched Port Analyzer (SPAN)?

A. A SPAN session is an association of a destination interface with a set of source interfaces. You can configure SPAN sessions using parameters that specify the type of network traffic to monitor. SPAN sessions allow you to monitor traffic on one or more interfaces and can send ingress traffic, egress traffic, or both to one or more destination interfaces. SPAN sessions do not interfere with the normal operation of the Cisco EtherSwitch HWIC.

http://www.cisco.com/en/US/prod/collateral/routers/ps5853/prod_qas0900aecd8016c026_ps5854_Products_Q_and_A_Item.html

HTH

View solution in original post

Reza Sharifi · ‎07-27-2012

Hi,

Could not be sure of this behavior, but I think, you may need an HWIC module to support SPAN:

Q. What is Switched Port Analyzer (SPAN)?

A. A SPAN session is an association of a destination interface with a set of source interfaces. You can configure SPAN sessions using parameters that specify the type of network traffic to monitor. SPAN sessions allow you to monitor traffic on one or more interfaces and can send ingress traffic, egress traffic, or both to one or more destination interfaces. SPAN sessions do not interfere with the normal operation of the Cisco EtherSwitch HWIC.

http://www.cisco.com/en/US/prod/collateral/routers/ps5853/prod_qas0900aecd8016c026_ps5854_Products_Q_and_A_Item.html

HTH

Edwin Summers · ‎07-27-2012

I'm not sure if it's available on the 2900-series, but I have used RITE (Router IP Traffic Export) on an 881 to monitor the external interface. It may be a bit more limiting than SPAN, but it did the job for me. You can take a look here (was published before the 2901 was released, so YMMV):

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html

If you're using it on a production device, I'd test it first if possible, and monitor effects on your performance.

ERSPAN is supported on the ASR...not sure it's available on the 2901.

Best of luck! -Ed

KavehSheikh_2 · ‎08-03-2012

Thanks - I may give it a try but I doubt this solutioncan provide me the ability to 'see' the traffic in real time. Thanks any way.

I think Reza is correct. The chassis may need a HWIC module. That is a shame, because i really don't need an integrated switch.

Edwin Summers · ‎08-03-2012

Just checked the feature navigator for the platform and IOS you noted above and RITE is supported. If you are looking for something similar to switch SPAN sessions, this should do nicely - one of it's purposes is for exporting traffic for monitoring via an IDS (you will see the traffic in real-time). Not suer if you're looking for more advanced functionality, but give 'er a try.

Happy capturing! -Ed

Port monitoring on a 2901 router for purpose of packet capture