02-26-2009 12:59 PM - edited 03-06-2019 04:16 AM
Hello,
I am running 2 SPAN sessions on my Cisco 3750:
monitor session 1 source interface fastethernet 1/0/3
monitor session 1 destination interface fastethernet 1/0/6
monitor session 2 source interface fastethernet 1/0/3 , 1/0/9
monitor session 2 destination interface fastethernet 1/0/48 encapsulation replicate
Now I want to add more source ports to session 2. Is this OK to do?
Currently it is monitoring the inside and outside of our firewall VLANs, 1/0/3 and 1/0/9. I have a few other VLANs on the 3750 that I would like to span to port 48, which is where our packet capture server is (Observer).
02-26-2009 01:15 PM
Now I want to add more source ports to session 2. Is this OK to do?
Currently it is monitoring the inside and outside of our firewall VLANs, 1/0/3 and 1/0/9. I have a few other VLANs on the 3750 that I would like to span to port 48, which is where our packet capture server is (Observer).
Per the SPAN configuration guide, the answer is yes: you can add as many interfaces as are available on that switch to session 2.
The switch supports any number of source ports (up to the maximum number of available ports on the switch) and any number of source VLANs (up to the maximum number of VLANs supported). However, the switch supports a maximum of two sessions (local or RSPAN) with source ports or VLANs, and you cannot mix ports and VLANs in a single session.
02-26-2009 01:19 PM
Thanks,
How can I get the VLAN tags to show up in the packet capture software? Should "encapsulation replicate" do this?
02-26-2009 01:31 PM
Yes, "encapsulation replicate" should send tagged packets on the destination port, but the destination port should have the same encap as the source; see below.
The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP). However, when you enter the encapsulation replicate keywords when configuring a destination port, these changes occur:
• Packets are sent on the destination port with the same encapsulation - untagged, Inter-Switch Link (ISL), or IEEE 802.1Q - that they had on the source port.
• Packets of all types, including BPDU and Layer 2 protocol packets, are monitored.
Therefore, a local SPAN session with encapsulation replicate enabled can have a mixture of untagged, ISL, and IEEE 802.1Q tagged packets appear on the destination port.
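An added example (not part of the original thread or of Cisco's documentation): a small classifier a capture host could run over frames received from a destination port configured with encapsulation replicate, reporting whether each frame arrived untagged, 802.1Q-tagged or ISL-encapsulated, and whether it is a Layer 2 control frame. The sample frames are constructed, and the function names are hypothetical.

```python
import struct
from collections import Counter

# ISL frames start with one of these 40-bit destination prefixes.
ISL_DA = (bytes.fromhex("01000c0000"), bytes.fromhex("03000c0000"))
# Layer 2 control destinations that only reach the capture with "encapsulation replicate".
L2_CONTROL = {
    bytes.fromhex("0180c2000000"): "STP BPDU",
    bytes.fromhex("01000ccccccc"): "CDP/VTP/DTP/PAgP",
}

def classify(frame: bytes):
    """Return (encapsulation, vlan_id_or_None, l2_control_label_or_None)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    if frame[:5] in ISL_DA and len(frame) >= 26 + 14:
        # 26-byte ISL header; the 15-bit VLAN field sits above the BPDU bit.
        vlan = struct.unpack("!H", frame[20:22])[0] >> 1
        return ("isl", vlan, L2_CONTROL.get(frame[26:32]))
    control = L2_CONTROL.get(frame[:6])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == 0x8100:  # IEEE 802.1Q TPID
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        return ("dot1q", tci & 0x0FFF, control)  # low 12 bits = VLAN ID
    return ("untagged", None, control)

def summarize(frames):
    """Count frames per (encapsulation, vlan) to show what the SPAN port delivers."""
    return Counter(classify(f)[:2] for f in frames)

# Constructed sample frames (not captured traffic).
HDR = "0200000000bb" + "0200000000aa"  # dst + src MAC
UNTAGGED = bytes.fromhex(HDR + "0800") + bytes(46)
TAG_V2 = bytes.fromhex(HDR + "8100" + "0002" + "0800") + bytes(46)
TAG_V3 = bytes.fromhex(HDR + "8100" + "a003" + "0800") + bytes(46)  # PCP 5, VLAN 3
BPDU = bytes.fromhex("0180c2000000" + "0200000000aa" + "0026" + "424203") + bytes(35)
ISL_V3 = bytes.fromhex("01000c0000" + "00" + "0200000000aa" + "0000" + "aaaa03"
                       + "00000c" + "0006" + "0000" + "0000") + UNTAGGED + bytes(4)
SAMPLE = [UNTAGGED, TAG_V2, TAG_V3, BPDU, ISL_V3]

if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE).items(), key=str):
        print(key, count)
```

If every frame in a real capture comes back as untagged even though the source is a trunk, the tags are being lost before the capture software sees them, either at the destination port or in the capture NIC or driver.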
02-26-2009 01:37 PM
Thanks, how should I have my destination port set up?
All I have for the packet capture NIC is something like:
"interface fastethernet 1/0/48"
No VLAN is in it, it is completely empty, etc. The NIC has no IP either. I'm not even sure whether it should be half/full duplex, or have any encapsulation/trunk/VLAN added to it?
02-26-2009 02:21 PM
"Packets are sent on the destination port with the same encapsulation - untagged, Inter-Switch Link (ISL), or IEEE 802.1Q - that they had on the source port."
If the source is a dot1q trunk, then the destination should be a dot1q trunk.
Makes sense?
02-26-2009 02:25 PM
int fas1/0/1 is my trunk port and it's dot1q.
Source ports are in VLAN 2 and 3, so these must be dot1q.
int fas1/0/48 has no settings on the port. Are you suggesting I make this interface a trunk dot1q interface as well?
02-26-2009 01:16 PM
Based on the config guide, the answer is YES.
"For SPAN sources, you can monitor traffic for a single port or VLAN or a series or range of ports or VLANs for each session. You cannot mix source ports and source VLANs within a single SPAN session. "