Cisco Support Community
Community Member

L4 Traffic Mon

Does the traffic monitor support Cisco ports in spanned mode? We're trying to get it set up here, but not getting a lot of traffic picked up..

Community Member

Re: L4 Traffic Mon


There are two ways of doing L4 monitoring..

Simplex - single interface for both in and out - interface is T1

Duplex - 2 interfaces involved T1 - in and T2 - out..

Normally a mirror port is configured where the T1 and T2 were connected, to mirror and sniff traffic in and out of the network or firewall.


Community Member

Re: L4 Traffic Mon


You have the correct idea, but your terms are switched:

Duplex tap = both directions of traffic on a single interface.
Simplex tap = using T1 for outbound and T2 for inbound traffic.

An example of the Cisco syntax for duplex L4TM is:

In and out traffic from fa1/1:
(config)# monitor session 1 source interface fa1/1 both

Spanned to the WSA T1 interface:
(config)# monitor session 1 destination interface fa1/39

Community Member

Re: L4 Traffic Mon

Another small tidbit:

In duplex tap mode, the WSA can actually accept two bi-directional spans: One sent to T1, the other sent to T2.

Undocumented feature :wink:

Community Member

Re: L4 Traffic Mon


Another thought came up. I wanted to make sure that you are aware that the L4TM will only log bad traffic. So you won't see all the traffic in the trafmon logs, like you would in the access logs.

If you are trying to verify that the L4TM is working, I recommend telnetting from your client to www DOT ieplugin DOT com.

Please do NOT go there with your browser - it is a malware propagation site.

If the span is working properly, the WSA should see this traffic and log it in the trafmon logs.

Community Member

Re: L4 Traffic Mon

Thanks for the info! I'll try and give it another go today, if not next week..
