3 Replies Latest reply on Feb 4, 2014 5:15 AM by quazar66

    1524ST Monitor Session

    quazar66 New Member

      I have a 1524ST switch running 17.03.05.00.E.  I have setup the following monitor session:

       

      NT-SW-ISO-1524-1#sh run | i monitor

      monitor session 1 destination interface gigabit-ethernet 0/23

      monitor session 1 source interface gigabit-ethernet 0/9 both

       

      If I show the monitor session I get:

       

      NT-SW-ISO-1524-1#sh monitor sess 1

      Monitor Session 1

      -----------------

      Source Ports:

          RX Only:   None

      Destination Port: giga-eth 0/23

       

      Now comes the really weird part...When I plug a laptop into port 23 and run wireshark, I see some ARP, Netbios Name Requests, and Link-Local Multicast Name Resolutions packets coming from an IP/MAC combination that should not exist on this switch.  When I search the MAC Address table on the switch, this MAC does not show up anywhere, so cannot even begin to track it down.  Help..!..!..!

        • Re: 1524ST Monitor Session
          levi Employee

          quazar66:

           

          Thank you for asking this question in the support community.  What are your intentions with the port mirror?  Are you attempting to determine what traffic is arriving from switchport 0/9?  Keep in mind the NV1524ST only mirrors inbound traffic.  Therefore, I recommend you change the port-mirror configuration to look similar to the following (here is the Configuring Port Mirroring in AOS guide for reference):

           

          monitor session 1 destination interface gigabit-ethernet 0/23

          monitor session 1 source interface gigabit-ethernet 0/9 rx


          Is either port 0/9 or 0/23 a trunk port with VLAN tagging, because that may cause an issue if the device at the mirroring destination doesn't support VLAN tags.  Please, let me know what information you are attempting to obtain from the port mirror and I will be happy to help in any way I can.

           

          Levi

            • Re: 1524ST Monitor Session
              quazar66 New Member

              Levi,

               

              My initial project was to mirror the traffic in/out of port 9 (Adtran 7100 WAN port) to sniff the traffic and verify the QoS markings.  While I did confirm that the packets are being marked, the odd traffic that showed up in the wireshark capture is causing some confusion.  Both 0/9 and 0/23 are access ports on VLAN 55.  The traffic that is showing up in the capture should only exist on the other side of the a Cisco 3845 router that is plugged into this switch.  How can this traffic show up in a capture, but not have an entry in the MAC address table?

                • Re: 1524ST Monitor Session
                  quazar66 New Member

                  Levi,

                   

                  I figured it out...The laptop we were using for the Wireshark capture had a static IP and was trying to talk out the monitor port.  Since that port was not set to allow traffic from the PC, the MAC of the laptop did not go into the MAC address table.  Mystery Solved!