Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
741
Views
0
Helpful
4
Replies

Local SPAN session on a C2950

Go to solution
marcelscheller
Level 1
Level 1

‎05-05-2006 01:13 AM - edited ‎03-03-2019 03:05 AM

Hello,

I've configured a SPAN session like this:

monitor session 1 source interface Fa0/11 both

monitor session 1 destination interface Fa0/8

I use ethereal to capture the packets, the source interface contains a webserver.

The only packets I should see are the one's destinated or originated from the source interface and some broadcast/multicast packets (switching).

Why do I see traffic between other hosts ???

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
bbaillie
Level 1
Level 1

‎05-05-2006 02:23 AM

The other hosts I assume are from the same VLAN as the webserver. When a spanningtree change happens the switch will expire all the MAC entries in its table and begin to learn them again. This means the switch will flood all MACs that are now unknown to it, to all its ports in the affected VLAN until it learns their location. After relearning everything the switch will behave as a normal switch.

Type the command "show spanningtree detail | include last change" to confirm the suspicion. If the last change was minutes ago then you have identified a problem to troubleshoot with spanningtree instability.

Brian

View solution in original post

0 Helpful
4 Replies 4

Go to solution
bbaillie
Level 1
Level 1

‎05-05-2006 02:23 AM

The other hosts I assume are from the same VLAN as the webserver. When a spanningtree change happens the switch will expire all the MAC entries in its table and begin to learn them again. This means the switch will flood all MACs that are now unknown to it, to all its ports in the affected VLAN until it learns their location. After relearning everything the switch will behave as a normal switch.

Type the command "show spanningtree detail | include last change" to confirm the suspicion. If the last change was minutes ago then you have identified a problem to troubleshoot with spanningtree instability.

Brian

0 Helpful

Go to solution
marcelscheller
Level 1
Level 1
In response to bbaillie

‎05-05-2006 04:26 AM

Yes, the other hosts are in the same vlan.

You mean that when a switch doesn't know the location of a mac-address it will forward all the traffic of this mac-address to all the ports on a switch?

command-output for "sh span...":

number of topology changes changes 15 last change occurred 23:17:01 ago

The capture was made yesterday around the time of the spanning-tree changes. That seems to be the problem !

Thanks for your input, I will take a look closer at spanning-tree.

Regards Marcel

0 Helpful

Go to solution
bbaillie
Level 1
Level 1
In response to marcelscheller

‎05-05-2006 08:29 AM

To assist with the troubleshooting the command "show spanning-tree detail", on newer IOS and switches will display the port the switch received the last change from. Using this information you can track the problem back to it's source.

If a number of changes come in you can also use "debug spanning-tree events" to log the spanning tree changes to the switch log as they arrive for later investigation.

Brian

0 Helpful

Go to solution
marcelscheller
Level 1
Level 1
In response to bbaillie

‎05-08-2006 02:21 AM

The destination interface (with the sniffer connected) was causing the toplogy change when I started the monitor session. I've started a new capture session after about 15 minutes and the packets captured were the ones I aspected, no other traffic flows.

Thanks !

0 Helpful
Customers Also Viewed These Support Documents