Today we needed to mirror a port on a Cisco switch in a country far far away meaning we couldn’t just wander down with a laptop.
So to get around this we decided to mirror the port to a VM that’s on site, here’s how we did it:
There’s two switches between the VM and the port we want to mirror so first we have to setup the port mirroring on every switch using RSPAN (Remote Switched Port Analyser) and a new vlan.
Add an RSPAN vlan to both the switch with the port to mirror, and to the switch that has the packet capture device on.
Then make sure that RSPAN vlan is trunked between the 2 switches and on the VMWARE interface.
switchport trunk allowed vlan add 9999
Assuming the following;
You use vlan 999 for the RSPAN vlan.
The port you want to mirror is on switch 1 port g1/0/2.
You want to send the mirrored traffic to switch 2 port 1/0/23 (the port that connects to VMWARE).
You are going to use monitor session 1 on both switches. (this can be any session number between 1-66, and can be different on each switch).
On Switch 1 (mirror port 2 and punt out the traffic to 9999)
Monitor session 1 source interface g1/0/2 both
Monitor session 1 destination remote vlan 999
On Switch 2 (suck in all traffic from 9999 and punt it to port 23)
Monitor session 1 source remote vlan 999
Monitor session 1 destination interface g1/0/23
You can see that the monitoring is set up with;
Next, we need to do the VMware side of things:
Setup a new port group on a vswitch:
Although we chose vlan 9999 when its pushed to the new port it will not be tagged so choose all:
Next edit the port group and allow Promiscuous mode, this will allow traffic not destined for the VMs MACs (normal behaviour, any traffic not destined to a VM MAC will be dropped):
Add a NIC to your VM using the port group:
Don’t worry about a IP etc:
Fire up Wireshark:
Look at all these glorious packets: