Cisco span port
Results 1 to 9 of 9

Thread: Cisco span port

  1. #1
    Member
    Join Date
    Feb 2003
    Posts
    35

    Cisco span port

    I don't know if this is the right place to ask this, but since it involves traffic monitoring somewhat, I'm hoping someone here will have the answer. I am currently spanning a small VLAN (approx 15 switch interfaces) on a fairly low traffic lan back to an administrative interface (fe0/1). Now, my question is this: how do I know when I am over prescribing this port? I'm a bit of a Cisco newbie and am trying to figure out what counters on the "show interface FastEthernet 0/1" command will indicate lost packets due to spanning too much traffic back to this port. Does anyone have experience with this? Any pointers would be appreciated.

  2. #2
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    tolstoy, english is not my native tongue therefore forgive that silly question:
    What do u mean by spanning? Any relation with Spanning Tree Protocol?
    [shadow] SHARING KNOWLEDGE[/shadow]

  3. #3
    Junior Member
    Join Date
    Apr 2003
    Posts
    18
    Cisco's use of the acronym span stands for switch port analyzer, it is synonamous with other vendors use of the term "port mirroring". In essence it forwards a copy of all traffic seen on the monitored ports to the span port so that a sniffer/ids or some other network device can sample data.

    To answer the original question I am not sure there is a show command for interface utilization. What I would recomend though is to use mrtg (free linux based monitor) to monitor the span port. It does a great job of getting overall utilization statistics. I have used it in places where due to size or licensing constraints hp openview has not worked.

  4. #4
    Member
    Join Date
    Feb 2003
    Posts
    35
    Originally posted here by Networker
    tolstoy, english is not my native tongue therefore forgive that silly question:
    What do u mean by spanning? Any relation with Spanning Tree Protocol?
    I guess I mean port monitoring. I have also heard people refer to it as port spanning--Cisco Switched Port Analyzer (SPAN). In other words, running the IOS command:

    My_Switch(config-if)#port monitor fastEthernet 0/24

    Which basically duplicates all traffic on port fe0/24 to port fe0/1 (which is the port I am configuring in the above example). What I am wondering is how to tell if I am am putting too much stress on the monitoring switch port (fe0/1). I want to be able to tell if the monitoring port is in fact seeing everything a want it to see, or if it is dropping packets. I am hoping there are some basic counters that will show this.

    Hope this clears things up some.

  5. #5
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    AHHHHH! Thanx I keep learning everyday.

    yop, yop, yop! There is a high probablity to lose packets on a mirrored port especially if it is trunking 15 used ports. 15 ports 100baseT is a greater total bandwitdh than a fe port or even a giga one.
    I guess that common interface counters will gives u statistics info.
    Just a tip: U should not transmit any frame from that port. Inputs should be to 0.


    show interface fastethernet 0
    Fast Ethernet0 is up, line protocol is up
    [...]
    158773 packets input, 17362631 bytes, 4 no buffer
    Received 158781 broadcasts, 0 runts, 0 giants, 7 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 watchdog, 0 multicast
    0 input packets with dribble condition detected
    6299 packets output, 622530 bytes, 0 underruns
    1 output errors, 0 collisions, 3 interface resets

    0 babbles, 0 late collision, 0 deferred
    1 lost carrier, 1 no carrier
    0 output buffer failures, 0 output buffers swapped out
    [shadow] SHARING KNOWLEDGE[/shadow]

  6. #6
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    You might want to consider SNMP monitoring the switch...pop it up in something like MRTG and you should see pretty quickly how often you are overwhelming your ports...

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  7. #7
    Junior Member
    Join Date
    Apr 2003
    Posts
    18
    Doh, nice reply networker, I stand corrected. Those stats would give you a quick indication of overutilization.

  8. #8
    Member
    Join Date
    Feb 2003
    Posts
    35
    Thanks Networker. So far, my counters on that interface have been fairly clear.

  9. #9
    I know that MRTG has been mentioned but I am currently working with a similar issue.

    I have 2 6500, 4 4006 and Nth 3548. I needed to monitor bandwidth, errors, etc.

    I have Ciscoworks running which is pretty good, but I wanted a running history that a non-technical user good read. I found MRTG.

    MRTG reads either MIBS vis SNMP and processes the data into a log file which is then processed as a graph and output is HTML. There is a quick and dirty configuration script which comes with MRTG that can be run with the IP address and community string. It gives out basic interface information.

    MRTG can graph alot of other types of information like drive utilization, current users on a server or local director, CPU tempature on switches or CPU's, fan speed, and anything else that is available from a MIB.

    MRTG can also be configured to read a log file. Suppose you are unable to use SNMP or the information you are looking for does not have a MIB? You can run a script that will gather the info you need and then have MRTG read that file.

    The latest use I have for MRTG. I noticed that there was some strange looking traffic on my MRTG graphs of the Cisco PIX. (I monitor interface utilization all my PIX interfaces). I did not know who in my network was responsable. I set up MRTG to monitor and graph all active interfaces on all my switches. I was able to locate the offending system.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides