09-15-2009 04:44 AM - edited 03-06-2019 07:43 AM
Hi,
I have a scenario where the copied traffic of a SPAN setup is overloading a device on the SPAN port. Most of the traffic in reality is not wanted anyway. Is there a way to filter the traffic getting copied to the SPAN port?
Something like this:
G1/0/1 ---> SPAN ---(ACL)---> 1/0/20
TIA
Alan
09-15-2009 04:46 AM
Don't know about creating an ACL for the SPAN. If you're using Wireshark, use capture filters so the NIC only looks for relevant data.
Or are you filtering from a busy vlan to a 100mb client?
Matt
09-15-2009 04:55 AM
Bit of a long story here Matt, but that avenue is not optional here; I need to filter before the capture device. Thanks for the idea though.
09-15-2009 05:35 AM
Try applying a normal router ACL to the destination SPAN port. Just make sure you apply it in the appropriate direction.
I've never done this so I can't say for sure if it will work. It would also help to know the platform/IOS rev in question.
09-15-2009 05:40 AM
Hi,
I am attempting this on 3750 and/or 2960; both are at 12.2.35.
With a SPAN port, it seems only the IN keyword is allowed when applying the ACL. In any case, this was what I tried first, but it made no difference.
09-15-2009 07:05 AM
Never tried it on a 3750, but this works well on a 6500 - set up an RSPAN session locally, apply a VLAN ACL (VACL) to the RSPAN destination VLAN - then you have very granular control over the traffic sent to the destination port. This link describes the technique on a 6500:
https://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008017b753.shtml
09-15-2009 08:31 AM
I have a need to apply some filtering on an RSPAN this week on a 3750. I got this from a Cisco engineer with my current case.
vasmdf-dr-001(config)#monitor session 1 filter ip access-group ?
<1-199> IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
WORD Access-list name
Example.
1. use span with filter:
ip access-list e voice-record
permit udp any range any range
monitor session 1 filter ip access-group voice-record
Hope this helps. Jon
09-15-2009 08:48 AM
Hi Jon,
What version of IOS are they using? Mine only gives the vlan option, not the one you mentioned.
INBOUND1(config)#monitor session 2 filter ?
vlan SPAN filter VLAN
I hope it is that easy ;)
09-15-2009 08:59 AM
Hi Alan,
For troubleshooting my particular issue I upgraded to 12.2(46)SE. We are running the IP services image.
c3750-advipservicesk9-mz.122-46.SE.bin
Jon
09-16-2009 04:03 AM
Hi Jon,
Upgraded but no joy, I now get a % FSPAN can not be supported on
% GigabitEthernet1/0/1 error
I checked some more on CCO only to find that FSPAN is only linked to 3750E, so I assume then that 3750 cannot enable FSPAN (Flow-based SPAN).
Any other ideas for 3750?