Question : Monitor Port Problem on Cisco 1924 Switch

Cisco 1924 Switch
Monitor Port: Port 4
Monitoring: All ports
Desire: Capture all traffic on switch through Port 4.
Problem: Port 4 is set to block unknown unicast/multicast addresses. Ethereal captures only reveal broadcasts and traffic with dest/src of my PC. I believe that this is caused by the blocking of unknown unicast/multicast addresses. Correct me if I'm wrong.

config t
int e 0/4
no port block unicast
no port block multicast

This sequence of settings has no effect on the configuration of the switch whatsoever. 'show run' still shows port 4 as blocking unknown unicast/multicast addresses. I read where if the network port was enabled that disabling/enabling the blocking of uni/multi-cast addresses would have no effect. I've made sure that the network port setting is disabled.

Your thoughts?

Answer : Monitor Port Problem on Cisco 1924 Switch

You can block flooding of unicast/multicast packets on a per-port basis, and if I understand correctly the blocking is working from the port (and not to the port). (same link under Enabling or Disabling Flooding of Unknown MAC Addresses)

Even if you have disabled (blocked) flooding from all other ports, this shouldn't cause you problems with monitoring traffic, but if you have aged addresses in the switch table there could be problems with traffic. There is only one address table for the whole switch. The switch has to know which address is on which port.

To enable the desired monitoring from your first post, it should be done this way:

Step 1: Select the Capturing Frames to the Monitoring Port check box.
Step 2: Select the monitoring port 4 from the Select Monitoring Port drop-down list.
You can designate any port as the monitoring port, but the following restrictions apply:
- The monitoring port cannot be a member of more than one bridge group.
- Do not make bridge group membership changes on the monitoring port or monitored ports until after you disable monitoring.
Step 3: Select the port(s) you want to monitor from the Port Not Monitored list (in your case, all ports).
Step 4: Click Add.

If you want the port to pass traffic at all, it should be enabled.

SPAN-ing simply forwards all traffic also to the monitoring port.
RX,TX traffic is measured in bytes, forwarding in packets.

As I said, the logic of the switch is forwarding traffic FROM the port.
When the port receives a packet from the PC (rx count increases), the packet is analyzed and only if it passes all "security checks" (flood blocking, security port ...) is it forwarded (increases forwarded count) to other port(s).
If the port receives a packet which is forwarded from another port on the same switch, the packet is simply sent to the PC connected to that port and only the tx count is increased. In your case the sum of all forwarded packets from all ports should be equal to the number of tx packets on the monitoring port.

I don't think that there is a way to find out where the packets were forwarded to. Maybe you could do something with some external program (www.mrtg.org) using SNMP and MIB tables. Some additional data you can get from the detailed statistics on ports.

Regards, Davorin
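
An added example, not part of the original question or answer: a Python check for the symptom described in the question, where a capture from the monitor port shows only broadcasts and the capturing PC's own traffic. It assumes the capture was saved in the classic libpcap file format with Ethernet framing; the function names and MAC addresses are constructed for illustration.

```python
import struct

BROADCAST = b"\xff" * 6

def classify_capture(pcap_bytes, my_mac):
    """Count Ethernet frames in a classic pcap by destination class."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts = {"broadcast": 0, "multicast": 0, "own": 0, "foreign_unicast": 0}
    offset = 24  # first record follows the 24-byte global header
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 14:
            continue  # truncated record, no full Ethernet header
        dst, src = frame[0:6], frame[6:12]
        if dst == BROADCAST:
            counts["broadcast"] += 1
        elif dst[0] & 0x01:  # I/G bit set: group (multicast) address
            counts["multicast"] += 1
        elif my_mac in (dst, src):
            counts["own"] += 1
        else:
            # unicast between two other stations: only seen if mirroring works
            counts["foreign_unicast"] += 1
    return counts

def make_pcap(frames):
    """Build a little-endian pcap from raw frames (constructed sample data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    me = bytes.fromhex("020000000001")  # constructed MAC of the capturing PC
    a, b = bytes.fromhex("020000000002"), bytes.fromhex("020000000003")
    pad = b"\x08\x00" + b"\x00" * 46  # EtherType plus dummy payload
    sample = make_pcap([BROADCAST + a + pad, me + a + pad, b + a + pad])
    print(classify_capture(sample, me))
```

A `foreign_unicast` count of zero over a busy interval matches the symptom in the question; broadcast and multicast frames are not evidence of mirroring, since the switch may flood them to every port anyway.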