SoFunction
Updated on 2025-04-09

Methods for Cisco equipment to monitor traffic

Method 1: HUB (The method is too simple... omitted)
Method 2: TAP (too professional.. Also need to invest in another way)
Method 3: SPAN (which is what everyone often calls Port Mirror or Port Monitor)
1。Cat2900XL/3500XL
2900XL(config)#interface fastethernet 0/24   //Enter interface configuration mode
2900XL(config)#port monito r fastethernet 0/1 //Configure f0/1 as the monitored port
2900XL(config)#port monitor fasterenernet 0/2 //Configure f0/2 as the monitored port

Through the above configuration, you can mirror the traffic in and out of the two ports f0/1 and f0/2 to f0/24

pass
show port monitor can view the SPAN configuration of the switch

2。Cat2950/3550/3750
3550(config)#monitor session 1 source interface f0/1 - 3 rx 
//Specify that the SPAN session group number is 1, the source port is f0/1-f0/3, and the traffic to these three ports is 1.
//rx-->Indicate that the incoming port is obtained by traffic, tx-->output port is obtained by traffic both incoming and outgoing traffic
3550(config)#monitor session 1 destination interface f0/4
//Specify the monitoring port as f0/4

3。Cat4000/6500  with CatOS
set span command
cat4k#set span 1/2 1/3
//Mirror 1/2 of the traffic to 1/3

4。Cat4500/6500 with IOS
Same as 2--Cat2950/3550/3750

Method 4: VACL
VACL=VLAN ACL=Security ACL
Only available on Cat6500

CatOS:
c6509 (enable) set security acl ip MyCap permit tcp any any eq 443
c6509 (enable) set security acl ip MyCap permit tcp any eq 443 any
c6509 (enable) set security acl ip MyCap permit ip any any capture
//Exclude all traffic accessing port 443, other traffic is of interest
c6509 (enable) commit security acl MyCap
//Define the name of a security ACL
c6509 (enable) set security acl map MyCap 100,101
//Apply security ACL to vlan 100 and 101
c6509 (enable) set security acl capture-ports 3/1
//Mirror the capture traffic to port 3/1


IOS:

c6509(config)# access-list 100 permit ip any any
c6509(config)# vlan access-map MyCap 10
c6509(config-access-map)# match ip address 100
c6509(config-access-map)# action forward capture
c6509(config)# vlan filter MyCap vlan-list 200 , 201
c6509(config)# interface gi3/1
c6509(config-if)# switchport capture

Article entry: csh     Editor in charge: csh