CISCO SPAN IMPLEMENTATION

binoy.baby
Level 1

Can someone help me with a SPAN implementation? We got a new box from Alert Logic that monitors the traffic and reports vulnerabilities in the network. They want us to create a SPAN port and connect it to their device. We have a core switch which has the following VLANs: 10, 20, 30, 40, 50, 60, 70. There are also edge switches which go to the floor (trunk), where users are connected. There is a lab connection which is on VLAN 80 (192.168.1.1), but the lab has a different subnet (10.100.x.x). We don't have RSPAN and are not planning one. I would like to know the best way to implement it.

Also I would like to know whether the below SPAN configuration for VLANs will pass traffic from the edge switches without any change on the edge switches (most edge switches are Extreme).

How can the routed traffic from the lab (e.g. lab traffic 10.100.x.x) via VLAN 80 be monitored?

CORE ---> LAB

|

Edge Switches

monitor session 1 source vlan 10 , 20 , 30 , 40 , 50 , 60 , 70

core(config)# monitor session 1 source vlan 12 , 14 , 16 , 18 , 20

core(config)# monitor session 1 destination interface Gi6/48   // Core

or

core(config)# monitor session 1 source interface Gi1/1   ( core trunk connected to LAB )

core(config)# monitor session 1 source interface Gi1/2   ( core trunk connected to EDGE SWITCH 1 )

core(config)# monitor session 1 source interface Gi1/13   ( core trunk connected to EDGE SWITCH 2 )

core(config)# monitor session 1 filter vlan 10 , 20 , 30 , 40 , 50 , 60 , 70 , 80 , 90

core(config)# monitor session 1 destination interface Gi6/48   // Core


daniel.dib
Level 7

I think the second solution is better because that way you don't put extra traffic on the trunk links. Otherwise you would double the traffic sent on your trunk links.

However I'm not sure what's connected to Gi6/48. Is that the sniffer?

Daniel Dib
CCIE #37149
CCDE #20160011

binoy.baby
Level 1

Thanks Daniel for the reply. Gi6/48 is the port that will be connected to the Alert Logic box which sniffs the traffic.

What if I do the below instead of the trunk ports?

The core switch has connections to the Internet on Gi5/1 and Gi5/2 (access ports, VLAN 20)

MPLS1 connection to global site - Gi5/3 (access port, VLAN 10)

MPLS connection to global - Gi5/4 (access port, VLAN 10)

Lab connection - Gi5/5

core(config)# monitor session 1 source interface Gi5/1 , Gi5/2   ( to Internet - access ports )

core(config)# monitor session 1 source interface Gi5/3   ( access port to MPLS )

core(config)# monitor session 1 source interface Gi5/4   ( access port to MPLS 2 )

core(config)# monitor session 1 source interface Gi5/5   ( access port to LAB )

core(config)# monitor session 1 destination interface Gi6/48   // Core
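The two variants discussed in this thread (source VLANs on the core versus source interfaces on the uplinks, with Gi6/48 as the sniffer port) can be generated and sanity-checked before they are pasted in. The following Python is an added example, not something posted in the thread or shipped by Cisco or Alert Logic; it assumes 1 Gbps ports for both the uplinks and the sniffer, and it estimates the worst-case mirrored load so that an oversubscribed SPAN destination (which silently drops mirrored copies) is caught early.

```python
# Added example: build IOS SPAN commands for the thread's options and
# estimate the worst-case mirrored bandwidth hitting the sniffer port.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Src:
    ref: str            # "Gi5/1" for an interface, "10" for a VLAN
    gbps: float         # link speed (interface) or traffic estimate (VLAN)
    is_vlan: bool = False


def span_commands(session: int, sources: List[Src], dest: str,
                  direction: str = "both",
                  filter_vlans: Optional[List[int]] = None) -> List[str]:
    """One 'monitor session' line per source, then the destination."""
    cmds = [f"no monitor session {session}"]   # start from a clean session
    dirn = "" if direction == "both" else f" {direction}"
    for s in sources:
        kind = "vlan" if s.is_vlan else "interface"
        cmds.append(f"monitor session {session} source {kind} {s.ref}{dirn}")
    if filter_vlans:   # only meaningful when the sources are trunk ports
        vl = " , ".join(str(v) for v in filter_vlans)
        cmds.append(f"monitor session {session} filter vlan {vl}")
    cmds.append(f"monitor session {session} destination interface {dest}")
    return cmds


def mirrored_load(sources: List[Src], direction: str = "both") -> float:
    """Worst-case Gbps the session can send to the destination port.
    Mirroring both directions of a full-duplex link doubles its rate."""
    factor = 2.0 if direction == "both" else 1.0
    return sum(s.gbps for s in sources) * factor


def oversubscribed(sources: List[Src], dest_gbps: float,
                   direction: str = "both") -> bool:
    """True if mirrored traffic can exceed what the sniffer port carries."""
    return mirrored_load(sources, direction) > dest_gbps


# Constructed from the thread's second proposal; 1G speeds are an assumption.
UPLINKS = [Src("Gi5/1", 1), Src("Gi5/2", 1), Src("Gi5/3", 1),
           Src("Gi5/4", 1), Src("Gi5/5", 1)]

if __name__ == "__main__":
    for line in span_commands(1, UPLINKS, "Gi6/48"):
        print(line)
    print("sniffer oversubscribed:", oversubscribed(UPLINKS, 1))
```

Passing `direction="rx"` halves the estimate and, for VLAN sources, avoids seeing routed inter-VLAN packets once on ingress and again on egress.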