Changing SPAN session causes STP problem

wilson_1234_2
Level 3

This is the setup, I hope anyone interested in reading this can follow:

I have a DMZ switch that holds all the DMZ interfaces for two PIX firewalls (four on each PIX), along with the outside interfaces of those PIX firewalls and the edge router interface. The DMZ switch has an interface in the inside network "switch" VLAN, everything else in this switch is in VLAN1.

There is an inside router that connects to this switch via a GBIC connector. The inside router is a 7206 and its inside interface is connected to the DMZ switch.

There is a core 6509 switch that also connects to the DMZ switch via the other GBIC connector. This is a trunk link up to the DMZ switch, the trunk carries all VLANs.

Each device is in its own VLAN, so the router interface has only the core switch SVI as the only thing in the router VLAN with it.

The router gets to the SVI on the core switch through the DMZ switch.

The core switch is the default gateway for all VLANs.

Number one, it seems to me that this is not a very good setup, going through the DMZ switch like this as a passthrough from the core switch to the router.

I made a change to remove a VLAN from a configured SPAN session that is on the core 6509 switch, and it shut down the port from the DMZ switch to the 7206 router and hosed up the OSPF process in the PIX firewall in the DMZ switch.

The SPAN session is mirroring ALL VLANs to a port for the IDS to monitor. I removed the existing SPAN session, removed one VLAN and reconfigured it back exactly as it was, minus the one VLAN.

I guess my questions are:

Is it dangerous (unstable) to mirror all ports (user traffic, routers, switches) to a single port like this for IDS purposes?

I know it was an STP issue, but I can't really find what exactly happened.

Does it seem to you guys like this needs to be redesigned for a better and safer logical layout?

2 Replies

glen.grant
VIP Alumni

Not sure what the issue was, but the following is right out of the Cisco docs.

"Destination ports never participate in any spanning tree instance. Local SPAN includes BPDUs in the monitored traffic, so any BPDUs seen on the destination port are from the source port. RSPAN does not support BPDU monitoring."

Thanks for the reply,

So I guess I can eliminate that as a cause.

The port stayed down for half an hour until I pulled the GBIC connector and plugged it back in.

It was the connection from the 7206 to the DMZ switch, which was a non-trunk link.