LAN Switch Port Monitoring

LAN switches are a major improvement for environments with heavy LAN utilization.  On a switch, LAN frames are only delivered to ports which match the destination MAC address.  By moving this function from the LAN adapter to the LAN hardware, the burden of high LAN utilization on LAN adapters and CPUs can be significantly reduced.  This is very important in a WSOD "boot storm" or other high utilization environments.  The difference in performance can be dramatic.

The problem with this approach is that when a trace is taken, it must be from a port which gets copied on all frames.  This is often called port monitoring.  Although the frame is not destined for this port, the switch copies it to the specified port anyway.  Higher end switches will have this feature.  Most low end switches will not have this feature.  If a trace needs to be taken on a switch which does not have this feature, the trace must be taken from one of the end points of the communication flow of interest.  It is essential to consult environment specific LAN hardware references for details on switch configuration for tracing.  Each manufacturer implements this feature in a proprietary manner, if at all.

The key objective is to ensure that the port on which tracing is to occur is configured to receive non-directly addressed frames.

The following examples are using Cisco equipment.  In Cisco (TM) switches this feature is often called "SPAN" for Switched Port Analyzer.  Sometimes Cisco calls this "monitoring".

Configuring Port Monitoring on a Cisco 1924 Ethernet Switch

This process was documented using a Cisco WS-C1924C-A Ethernet switch.  This switch uses "standard edition" software and has 24 10Mbps ports, 1 AUI port and 2 100Mbps ports (1 fiber and 1 copper).  The firmware level was v8.00.03.

From the "Main" menu, disable "half-duplex back pressure".  Monitoring cannot be enabled unless this happens.

  1. S
  2. H
  3. D <enter>
  4. X
From the "Main" menu, enable monitoring on a specific port.
  1. M
  2. C
  3. E <enter>
  4. M
  5. port # <enter>
From the "Monitoring Configuration" menu, add the ports to be monitored to the list.
  1. A
  2. ALL or specific port #s <enter>
  3. X

Configuring Switched Port Analyzer on a Cisco 2926 Ethernet Switch

This process was documented using a Cisco WS-C2926 Ethernet switch.  This switch has 24 100Mbps ports, 1 AUI port and 2 100Mbps ports (both copper).  The software level was 2.4(3).

Logon into "enable" mode.  From the command line the status of SPAN can be seen by using the command:

show span

To enable SPAN:

set span enable

To associate a specific VLAN with a specific SPAN port (forces all traffic for the VLAN to be copied to the SPAN port):

set span vlan# spanMODULE/spanPORT both

This switch allows a broader range of options including only copying on receive or transmit (we specified "both" here).  Likewise, the ports to monitor can be just specific ports or can be an entire VLAN.

© 2000 Golden Code Development Corporation.  ALL RIGHTS RESERVED