Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3307
Views
25
Helpful
11
Replies

SPAN Configuration Requirement

Go to solution
ranjit123
Level 3
Level 3

‎04-30-2021 08:36 AM

Dear All,

 

Attached is the diagram of the requirement..

 

Details are as below

 

1> Active - FW connected to 3650 Switch Stack with single port connectivity

2> Passive - FW connected to 3650 Switch Stack with single port connectivity

4> Connectivity between FW and Stack switch is using port-channel ( grouping of 2 ports )

3> One Snifer Devices is connected to Stack-SW-1 and another Snifer Device is connected to Stack-SW-2

 

Requirement is as below

 

1> Source ports for sniffing will be the port channel ports connected to the firewall and destination will be the Sniffer device connected on the Stack-SW-1 ( refer to the diagram the snifer device on the left hand side )

2> Source ports for sniffing will be the port channel ports connected to the firewall and destination will be the Sniffer device connected on the Stack-SW-2 ( refer to the diagram the snifer device on the right hand side )

 

What is the easiest way that i can do this... should i configure 2 different monitor sessions with same source ports and  different destination port for each session

 

OR

 

Does a single session support 2 different destination port on 3650-STACK..

 

Kindly Guide Me.....

 

Thanks a lot

 

Labels:
Preview file
74 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
paul driver
VIP
VIP
In response to ranjit123

‎05-01-2021 12:02 AM

Hello
Yes looks about right.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

0 Helpful
11 Replies 11

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎04-30-2021 09:15 AM

Hi,

Since the 2 3650 switches are stacked, they are logically one switch. So, you really only need one of the switches to be the destination device. Just make the destination one of the ports on switch-1.

HTH

0 Helpful

Go to solution
ranjit123
Level 3
Level 3

‎04-30-2021 12:19 PM - edited ‎04-30-2021 12:20 PM

Hello Reza,

Thanks a lot for your reply but the requirements is different and as I updated, can I configure two monitor sessions with same port's and 2 different destination port's..

 

 

Go to solution
Scott Hodgdon
Cisco Employee
Cisco Employee

‎04-30-2021 01:53 PM

Ranjit,

How are you creating a port channel between two different physical firewalls ? The only way I see that working is if the two firewalls are seen as one logical device.

What version of 3650 IOS are you running ?

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group

Go to solution
ranjit123
Level 3
Level 3
In response to Scott Hodgdon

‎04-30-2021 09:00 PM

Hello Scott,

 

Thanks a lot for your guidance as alwayz..

 

The FW are in Active-Passive mode...

0 Helpful

Go to solution
paul driver
VIP
VIP

‎04-30-2021 10:12 PM

Hello
A span source/destination port cannot be both at the same time, also only a single destination port is allowed per monitor session
As you want to span a PC  make sure the destination port can take the span traffic , sourcing from a PC to the destination port could overwhelm


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Go to solution
ranjit123
Level 3
Level 3
In response to paul driver

‎04-30-2021 10:23 PM

Hello paul...

 

Thanks for your reply...

 

Will the below configuration work...

 

Monitor session 1

Source port-channel 1 ( which contains 2 ports connected to FW )

Destination port G1/1 ( port on stack- SW 1 which is connected to snifer -1 )

 

Monitor session 2

Source port-channel 1 ( which contains 2 ports connected to FW )

Destination port G2/1 ( port on stack- SW 2 which is connected to snifer -2 )

0 Helpful

Go to solution
paul driver
VIP
VIP
In response to ranjit123

‎04-30-2021 10:44 PM - edited ‎04-30-2021 10:44 PM

Hello
Yes, it should work, but why would you want to do this, the traffic being monitored is the same?
However instead of the defining the PC as a whole as source you could chose the individual physical port of the PC in two different span sessions

 

Example:
etherchannel
Gi0/0 Gi0/1

monitor session 1 source interface Gi0/0
monitor session 1 destination interface Gi0/2

monitor session 2 source interface Gi0/1
monitor session 2 destination interface Gi0/3


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Go to solution
ranjit123
Level 3
Level 3
In response to paul driver

‎04-30-2021 11:12 PM

Hello Paul,

 

Can individual port's of port-channel be part of 2 span sessions ... 

0 Helpful

Go to solution
paul driver
VIP
VIP
In response to ranjit123

‎04-30-2021 11:25 PM - edited ‎04-30-2021 11:26 PM

Hello
Yes -
A span session can be sourced either from the whole PC or part of it (ie the physcal ports)


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Go to solution
ranjit123
Level 3
Level 3
In response to paul driver

‎04-30-2021 11:43 PM

Hello Paul,

 

Thanks a lot for your replies this simplifies my task a lot...

-------------_------------------------

Can You Configure SPAN on an EtherChannel Port?

An EtherChannel does not form if one of the ports in the bundle is a SPAN destination port. If you try to configure SPAN in this situation, the switch tells you:

 

Channel port cannot be a Monitor Destination Port 

Failed to configure span feature 

You can use a port in an EtherChannel bundle as a SPAN source port.

--------------------------------------

So now my configuration will be as below..

 

Monitor session 1

Source port G1/1 ( port connected to active FW on the stack SW-1)

Destination port G1/2 ( port can stack SW-1 where sniffer decive 1 is connected )

 

Monitor session 2

Source port G2/1 ( port connected to passive firewall on stack SW-2 )

Destination port G2/2 ( port can stack SW-2 where sniffer decive 2 is connected )

Go to solution
paul driver
VIP
VIP
In response to ranjit123

‎05-01-2021 12:02 AM

Hello
Yes looks about right.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card