Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
688
Views
5
Helpful
5
Replies

SPAN inress question.

Evgeniy Ivanov
Level 1
Level 1

‎10-12-2017 01:03 AM - edited ‎03-08-2019 12:20 PM

Hi, folks!
I am trying to make following setup:
- There is a WAN router , connected to C2960S switch port gig 1/0/23, This port is in trunk mode, but WAN connection is in Vlan 1
- There is a ESXI host behind port 1/0/13 on same switch. There are some VMs in different vlans, and ESXI management vlan is 911. This port is also in trunk mode.

I want to mirror traffic from port gig 1/0/23 (only vlan 1 related traffic) to VM behind gig 1/0/13 port.  And i want to keep this port 1/0/13 in forwarding state, because i need access to my VMs.


Here is my config:
monitor session 1 source interface Gi1/0/23 both
monitor session 1 filter vlan 1
monitor session 1 destination interface gigabitEthernet 1/0/13 encapsulation replicate ingress vlan 1

From my point of view, this configuration should:
1) mirror only vlan1 traffic to the port 1/0/13
2)  allow ingress traffic on port 1/0/13,  and save 802.1 tag  in packets. Also, if ingress traffic is untagged, it will forward it into vlan 1.


After aplying this configuration, port gig 1/0/13 is in up/down ((monitoring) state.

Also, i can't reach my VMs behind this port.

Any ideas?

Labels:
0 Helpful
5 Replies 5

Mark Malone
VIP Alumni
VIP Alumni

‎10-12-2017 01:33 AM

Hi
The port 1/0/13 is up/down because its the destination port in the span config that's how it works , once it set to destination its going to go into that state , you cant have it as the destination port and also work as a standard access port if that's what your trying to achieve ,the feature cant work like that
0 Helpful

Meheretab Mengistu
Level 7
Level 7
In response to Mark Malone

‎10-12-2017 04:44 PM

Hi Evgeniy,

Generally, you do not need to do that. You will dedicate a sniffing port (destination port) for the packet sniffer application.... However, if you want to use it as an access port while capturing traffic, for any reason, you will need to add and modify your config a little bit as follows:

monitor session 1 source interface Gi1/0/23 both
monitor session 1 filter vlan 1
monitor session 1 destination interface GigabitEthernet 1/0/13 encapsulation replicate ingress dot1q vlan 1

And you need to add a Static MAC entry because the switch will never learn out source to forward frames back:

mac address-table static xxxx.xxxx.xxxx vlan 1 interface GigabitEthernet 1/0/13

Once you configure the above commands, the port can be used as a normal access port (while it still works as destination port).

HTH,
Meheretab
HTH,
Meheretab
0 Helpful

Evgeniy Ivanov
Level 1
Level 1
In response to Meheretab Mengistu

‎10-12-2017 10:39 PM

Hi, all!

Thanks for your replies, i will check it and inform you about results. 

 

You wrote

Once you configure the above commands, the port can be used as a normal access port (while it still works as destination port).

 

But even with this command, port will be in up/down state, correct?

 

0 Helpful

Mark Malone
VIP Alumni
VIP Alumni
In response to Evgeniy Ivanov

‎10-13-2017 03:27 AM

See the last line here on span dest ports , port will alwayts be up/down in monitoring mode once its set as a destination port

 

Characteristics of Destination Port

Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports and VLANs.

A destination port has these characteristics:

  • A destination port must reside on the same switch as the source port (for a local SPAN session).

  • A destination port can be any Ethernet physical port.

  • A destination port can participate in only one SPAN session at a time. A destination port in one SPAN session cannot be a destination port for a second SPAN session.

  • A destination port cannot be a source port.

  • A destination port cannot be an EtherChannel group.

    Note: From Cisco IOS Software Release 12.2(33)SXH and later, PortChannel interface can be a destination port. Destination EtherChannels do not support the Port Aggregation Control Protocol (PAgP) or Link Aggregation Control Protocol (LACP) EtherChannel protocols; only the on mode is supported, with all EtherChannel protocol support disabled.

    Note: Refer to Local SPAN, RSPAN, and ERSPAN Destinations for more information.

  • A destination port can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group has been specified as a SPAN source. The port is removed from the group while it is configured as a SPAN destination port.

  • The port does not transmit any traffic except that traffic required for the SPAN session unless learning is enabled. If learning is enabled, the port also transmits traffic directed to hosts that have been learned on the destination port.

Evgeniy Ivanov
Level 1
Level 1
In response to Mark Malone

‎10-16-2017 12:07 AM

Well, thank you for help!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card