Early Vid: Port Mirroring
Added 2024-12-18 17:10:28 +0000 UTCLearning how to set up port mirroring on a Cisco 2950 and using it to troubleshoot a Cisco Cache Engine.
Video goes live Friday!
Comments
Port mirroring is both super handy, and an information security nightmare if done wrong.
Jonathan Cilley
2024-12-19 22:53:43 +0000 UTCOh interesting! I'll look at that... certainly worth a try.
clabretro
2024-12-19 15:25:49 +0000 UTCIt definitely looks like a PC, in fact there is an IDE header in there. That could be something to explore. I did replace the CMOS battery but it didn't change the behavior in any way.
clabretro
2024-12-19 15:25:20 +0000 UTCThe VxWorks boot filename says ata0/vxWorks which is usually IDE rather than SCSI, does it have a CF card internally with the bootloader? I'd be willing to bet that it's a PC inside a Cisco box AKA little guy. The device type could be corrupt on the flash? I also wonder if it's like the Cisco router you had where the data was held in battery backed CMOS and the battery has died?
John Osborne
2024-12-19 13:04:57 +0000 UTCThe other patrons have good ideas about Wiresharking/tcpdumping from the server's perspective too. Something I'm a little curious about: how are your switch ports configured? Do you have `spanning-tree portfast edge`or `switchport host` configured? Out of the box, every port on the switch is going to participate in spanning tree. That means that when the link comes up, there's still going to be the full 30 second delay for STP to convince itself that there isn't going to be another bridge on the segment before it starts accepting traffic. I'm wondering whether this cache server is bringing the link up and then trying to boot before the switch is accepting traffic and then cycling the link again to start it over again. It's kinda a shot in the dark but even if it's a red herring I figure you might want to `switchport host` all of your host-facing ports anyway to save you some time...
Eric
2024-12-19 05:59:03 +0000 UTCGood call on tcpdump!
clabretro
2024-12-18 21:19:41 +0000 UTCYeah I'll probably start listening on both sides!
clabretro
2024-12-18 21:19:15 +0000 UTCYour results make me wonder if the switch isn't forwarding those ARP packets through to the Linux PC at 192.168.1.200. Maybe you could setup Wireshark on that machine to see if they're actually coming into its ethernet interface?
Jordan
2024-12-18 20:48:52 +0000 UTCYou have used Wireshark, so you are a Wireshark user. ;-) I dare say that your use of Wireshark was effective in that you learned something. As a veteran Wireshark user, I'm not really seeing what I would consider to be bidirectional traffic on the capture. Maybe I missed it in the tests with the Pi. I'd balance the Wireshark port mirroring with tcpdump on the TFTP server to see if it's receiving the ARP request and / or sending ARP replies.
DrScriptt
2024-12-18 20:47:07 +0000 UTCThanks, I appreciate it!
ConnerWithAnE
2024-12-18 20:38:25 +0000 UTCGood luck on your final!
clabretro
2024-12-18 19:37:23 +0000 UTCThe early videos suck me in. I have a final in 6 hours to study for! But ofc I gotta stop and watch the early video. Great stuff, didn’t know port mirroring existed! Definitely some good information to have in the old back pocket.
ConnerWithAnE
2024-12-18 19:12:32 +0000 UTCexcellent!
clabretro
2024-12-18 17:38:55 +0000 UTCThese early vid notifications make me so happy because they come through right after my therapy session on Wednesdays right before lunch so I have something to watch while I eat!
JesseTheStig
2024-12-18 17:27:54 +0000 UTC
