Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
327
Views
0
Helpful
1
Replies

Is the switch span tx and recv needed for a 4230 sensor?

dlac455
Level 1
Level 1

‎01-23-2003 11:01 AM - edited ‎03-09-2019 01:49 AM

Please help settle a debate we are having in my shop:

I say I need both the tx and rcv options on the VLAN span that my 4230 is attached to .

My coworker argues that only the rcv option is needed.

Would anyone like to weigh in?

Thanks

Labels:
0 Helpful
1 Reply 1

marcabal
Cisco Employee
Cisco Employee

‎01-23-2003 11:32 AM

Depends entirely on your setup and span configuration.

Here are some examples of what I have experienced.

The sensor needs to see both the packets going from the client to the server (Machine A -> Machine B), as well as the responses from the server to the client (Machine B -> Machine A) in order to monitor correctly.

Where possible you want to prevent the duplication of packets.

NOTE: A vlan span is technically a port span of all ports in the vlan. So even though you configure it as a Vlan span you need to think of it as a port span. That is whay I base the results off of ports in my example below.

BASIC SETUP:

Machine A --->port 4/1 Switch Vlan 10 port 5/1 -----> Machine B

A both (tx+rx) span of vlan 10 will result in duplicate packets:

A->B packets will be captured as rx packets on 4/1 and tx packets on 5/1

B->A packets will be captured as rx packets on 5/1 and tx packets on 4/1

A rx span of vlan 10 will result in a single copy of each packet:

A->B packets will be captured as rx packets on 4/1

B->A packets will be captured as tx packets on 5/1

A tx span of vlan 10 will result in a single copy of each packet:

A->B packets will be captured as tx packets on 5/1

B->A packets will be captured as tx packets on 4/1

A both span of both ports 4/1 and 5/1 will result in duplicate packets:

A->B packets will be captured as rx packets on 4/1 and tx packets on 5/1

B->A packets will be captured as rx packets on 5/1 and tx packets on 4/1

A rx span of both ports 4/1 and 5/1 will result single copy of each packet:

A->B packets will be captured as rx packets on 4/1

B->A packets will be captured as rx packets on 5/1

A tx span of both ports 4/1 and 5/1 will result in single copy of each packet:

A->B packets will be captured as tx packets on 5/1

B->A packets will be captured as tx packets on 4/1

A both (tx+rx) span of just port 4/1 will result in a single copy of each packet:

A->B packets will be captured as rx packets on 4/1

B->A packets will be captured as tx packets on 4/1

MSFC ROUTING SETUP:

Machine A --->port 4/1 Switch Vlan 10 --> MSFC --> vlan 20 port 5/1 -----> Machine B

The MSFC changes things because it does not always participate in span sessions. The first few packets in a stream will go to the MSFC port and might be picked up by span, but additional packets in the stream will be fast switched (routed in sup hardware and not sent to MSFC in order to increase routing performance) so a span against the MSFC port won't see them. This is because even a vlan span is a span of the ports, so with the MSFC the initial packets going to the MSFC may be spanned, but fastswitched packets don't go to the MSFC port so must be spanned on the other ports.

A both (tx+rx) span of vlan 10 will result in some duplicate and some single copies of each packet:

Initial A->B packets captured as rx packets on 4/1 and tx packets on MSFC

Additional A->B packets captured as rx packets on 4/1 only

Initial B->A packets captured as rx packets on MSFC and tx packets on 4/1

Additional B->A packets captured as tx packets on 4/1 only

A rx span of vlan 10 will result in a single copy of some packets and no copies of others:

A->B packets will be captured as rx packets on 4/1

Initial B->A packets will be captured as rx packets on MSFC

Additional B-A packets will not be captured because of fast switching

A tx span of vlan 10 will result in a single copy of some packets and no copies of others:

Initial A->B packets will be captured as tx packets on MSFC

Additonal A->B packets will not be captured

B->A packets will be captured as tx packets on 4/1.

The following examples you will see are still the same with or without the MSFC involved:

A both span of both ports 4/1 and 5/1 will result in duplicate packets:

A->B packets will be captured as rx packets on 4/1 and tx packets on 5/1

B->A packets will be captured as rx packets on 5/1 and tx packets on 4/1

A rx span of both ports 4/1 and 5/1 will result single copy of each packet:

A->B packets will be captured as rx packets on 4/1

B->A packets will be captured as rx packets on 5/1

A tx span of both ports 4/1 and 5/1 will result in single copy of each packet:

A->B packets will be captured as tx packets on 5/1

B->A packets will be captured as tx packets on 4/1

A both (tx+rx) span of just port 4/1 will result in a single copy of each packet:

A->B packets will be captured as rx packets on 4/1

B->A packets will be captured as tx packets on 4/1

0 Helpful
Customers Also Viewed These Support Documents