Re: SPAN Configuration For Websense

Karthikeyan Shanmugam · ‎07-04-2012

Hi,

I have configured SPAN in cisco 3750 switch as below mentioned. but the destination port protocol is down.Please help on this.

Network Diagram:

switch(config)#monitor session 1 source interface gigabitethernet1/0/1
switch(config)#monitor session 1 destination interface gigabitethernet1/0/11 ingress vlan 1

Switch#show int gi1/0/11

GigabitEthernet1/0/11 is up, line protocol is down (monitoring)

Hardware is Gigabit Ethernet, address is 0021.1c1d.bf8b (bia 0021.1c1d.bf8b)

MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,

reliability 255/255, txload 1/255, rxload 1/255

Thanks,

Karthik

Giuseppe Larosa · ‎07-04-2012

Hello Karthik,

what you see is normal the SPAN destination port is considered up/down monitoring, but this does not mean that SPAN will not work.

I see that you may want to use in someway the destination port for the optional command ingress vlan1. It should be possible with the correct optional commands. You should be able to use the destination port for vlan1 in addition to receiving on the port the mirrored traffic.

Hope to help

Giuseppe

Diego Maciel Gomes · ‎09-10-2012

Hello

I have the same doubt... but, look:

I have the port of my Firewall in Vlan 11 and this port I did the source, like below:

monitor session 1 source interface Gi1/0/11

I have the port of my Websense Network Agent in Vlan 101 and this port receive destination, like below:

monitor session 1 destination interface Gi1/0/12 ingress untagged vlan 11

Look. I put the vlan 11 = Vlan of my firewall like ingress on the interface of Websense.

So, I can not ping the IP of my Websense Network Agent. Im pinging from vlan 101 to 101, ok? The same subnet.

My inside interface of firewall has ip 10.11.1.X/24 and my interface websense network agent has 172.19.4.XXX/24

Is it a problem??? Interfaces with differents IPs and VLANs????

Thanks anyway,

Diego

srikanth ath · ‎09-10-2012

Hi Diego,

Refer below for the SPAN session example. and provide us the output for the span session you have created as

#sh monitor session 1.

As Line Protocol is down: can you check with duplex settings for the interface conneccted to firewall.

as many of the firewall comes with the fast ethernet link and it is connected to gigabit port of the switch (so set port speed of the switch to 100mbps, then shut and no shut command under the interface).

Do remember to enable IP routing on the switch and provide #sh IP route on the switch

example to set SPAN :

C2950#

configure terminal

C2950(config)#

monitor session 1 source interface gig 1/0/1

!--- This configures interface gig 1/01/1 as source port.

C2950(config)#

monitor session 1 destination interface gig 1/0/11

!--- This configures interface gig 1/01/11 as destination port.

Hope this helps you,

Thanks,

srikanth

ossalman · ‎09-10-2012

hi Karthik,

SPAN Destination Port Up/Down

When ports are spanned for monitoring, the port state shows as UP/DOWN.

When you configure a SPAN session to monitor the port, the destination interface shows the state down (monitoring), by design. The interface shows the port in this state in order to make it evident that the port is currently not usable as a production port. The port as up/down monitoring is normal.

for more info:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#topic8-8

hope this helps,

thanks,

/Osama

Diego Maciel Gomes · ‎09-11-2012

Hello

#

Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi1/0/11
Destination Ports      : Gi1/0/12
    Encapsulation      : Native
          Ingress      : Enabled, default VLAN = 11
    Ingress encap      : Untagged

---------------------------------------------------------------------------

Ok, by design it shows state down...

But, Should I ping the interface showing down?? Because I can't.

My config:

monitor session 1 source interface Gi1/0/11

monitor session 1 destination interface Gi1/0/12 ingress untagged vlan 11

Gi11 is member of vlan 11

Gi12 is member of vlan 101

So, is this config above correct???

Iker Santamaria Molla · ‎09-11-2012

Hello Diego,

is the destination of your span, Gi1/0/12 interface?

Is this interface that connects the server to LAN?

If that is so, then it is imposible that the server respons to ping on that interface because it is on "monitoring mode".

Regards.

Diego Maciel Gomes · ‎09-11-2012

Hi

Gi11 = inside of my firewall

Gi12 = int connected on websense network agent.

So Im mirroring firewall int to network agent interface. I guess it is ok...

But the interfaces there are in differentes vlans and subnet... Is it a problem or not?

The int mirrored I put it as ingress of firewall vlan on monitor session configuration?

ossalman · ‎09-11-2012

hello

please just copy/past the following mentioned config to your device this should work:

switch(config)#monitor session 1 source interface gigabitethernet1/0/1
switch(config)#monitor session 1 destination interface  ingress vlan 1

the SPAN destination port should be any interface that is not use on this switch...
so, lets say that there is a port on the switch that is not connected to any device or end host, 
then you can use that port as destination SPAN port "where the wireshark should be connected to sniff the transmit and received traffic on port
gigabitethernet1/0/1"...

here is a youtube vedio as practical example:
https://www.youtube.com/watch?v=af4d_fAkwAY&feature=related

hope this helps,
regards
/Osama

SPAN Configuration For Websense

SPAN Destination Port Up/Down

ISE - Field Notice: FN74259 - Configuration Change Recomendado

ACI：Interface Configuration (version 6.0以降)

Nexus 9000 シリーズ: MTU Configuration

SPAN、 RSPAN 、 ERSPAN の解説

思科 ACI 排错工具 - SPAN 流量镜像抓包