Posts Tagged ‘switches’

Port Mirroring on Cisco – Monitoring the network

Thursday, May 14th, 2009

“We just bought a new IPS/IDS, just put it between us and our transit provider!”. Sounds slick, huh? This request seems easy, but do you really know if it will function like expected and not jam all network traffic?

Try it out on a mirrored (SPAN) port first! With a SPAN you can get a copy of all traffic from/to a port output on a second port, without interacting with traffic. This can be very helpful if you want to test out some new equipment for Intrusion detection and/or prevention. Snort is an open source alternative for monitoring network traffic for obscurity and irregularities.

To configure a SPAN on 2940, 2950, 2955, 2960, 2970, 3550, 3560 and 3750 switches

Switch#conf t
Switch(config)#monitor session 1 source interface Fa0/18
Switch(config)#monitor session 1 destination interface Fa0/2

With the configuration above you will copy all traffic from FastEthernet 0/18 and output it to FastEthernet 0/2
The Cisco Catalyst 2950 is incapable to monitor vlans, but this is possible on for example the Cisco 3750.

To verify a SPAN session

Switch#sh monitor session 1
Session 1
Source Ports:
RX Only: None
TX Only: None
Both: Fa0/18
Destination Ports: Fa0/2

I hope this maybe encourages you to test out some applications or equipment that you’ve been wanting to try but haven’t had the guts to!

Configuring errdisable behaviour

Thursday, February 19th, 2009

When was the first time you learned that errdisable exists? Here is a short introduction!

I learned this the hard way, I had a network setup in a lab when I had a port shutdown and never come up again… You can say I am glad I learned about it before that happened in the field, but do you know what it is and how you can configure it?

What is errdisable?
Errdisable is a mechanism in Cisco equipment that will for example shutdown or suspend network ports where traffic is looping, ports with unidirectional traffic and various other causes.  This renders the port useless and no traffic is passed over it, the LED on the switch or router turns orange.

To determine if a port is in errdisable state you can issue the command:

Switch#sh int gigabitEthernet 1/0/25 status
Port Name Status Vlan Duplex Speed Type
Gi1/0/25 mynetwork err-disabled 1 auto auto 1000BaseSX SFP

Additionally to see all errdisabled interfaces that will be enabled you can use

Switch# show errdisable recovery

This command will show all errdisable causes with enabled recovery and all interfaces that will be enabled on the next timeout.

To configure errdisable recovery, you will use exactly that command

Switch#conf t
Switch(config)#errdisable recovery cause bpduguard

That command will enable recovery for the bpduguard (STP loop) cause.

errdisable recovery timer

Switch(config)#errdisable recovery interval 30

This will set a 30 second interval between timeouts, for every timeout cycle – all interfaces which are shutdown because of errdisable will be re-enabled.

If the reason for the errdisable status persists, the interface will then be shutdown and set to status errdisable again. If you set the timeout too low, you may use a lot of CPU because the interface will effectively be flapping.