SPAN interface session captures all VLAN traffic, not only traffic actually sent to the connected workstation

IT-Servicedesk
Level 1

I have set up a remote RSPAN session to monitor all traffic to and from a specific workstation.

I created an RSPAN VLAN 100 and configured both ports:

On the source switch
monitor session 1 source interface Gix/y/z

monitor session 1 destination remote vlan 100

On the destination switch
monitor session 1 destination interface Gia/b/c
monitor session 1 source remote vlan 100

I had expected that all traffic coming from and going to the workstation connected to the source interface would be copied to the destination interface.

In reality it looks like all traffic from the VLAN to which the source port belongs is captured, including traffic between two other nodes that is not destined for the workstation on the source port.

So it looks more like a monitor VLAN than monitoring a port.

I'm sure the traffic is not coming from another monitored interface, because when I disable the monitoring on my source interface, I receive no traffic at all on the destination interface.


How do I set up RSPAN to capture only the packets which are sent to/from the workstation connected to the source port?
I know I can set up a capture filter in Wireshark, but that is not what I want.

Jacques 

7 Replies

Hi

Have you tried with:

monitor session 1 source interface Gix/y/z tx or rx

tx = transmitted traffic
rx = received traffic

Characteristics of Source Port

A source port, also called a monitored port, is a switched or routed port that you monitor for network traffic analysis. In a single local SPAN session or RSPAN source session, you can monitor source port traffic, such as received (Rx), transmitted (Tx), or bidirectional (both). The switch supports any number of source ports (up to the maximum number of available ports on the switch) and any number of source VLANs.

A source port has these characteristics:

  • It can be any port type, such as EtherChannel, Fast Ethernet, Gigabit Ethernet, and so forth.

  • It can be monitored in multiple SPAN sessions.

  • It cannot be a destination port.

  • Each source port can be configured with a direction (ingress, egress, or both) to monitor. For EtherChannel sources, the monitored direction applies to all physical ports in the group.

  • Source ports can be in the same or different VLANs.

  • For VLAN SPAN sources, all active ports in the source VLAN are included as source ports.

VLAN Filtering

 

When you monitor a trunk port as a source port, all VLANs active on the trunk are monitored by default. You can use VLAN filtering in order to limit SPAN traffic monitoring on trunk source ports to specific VLANs.

  • VLAN filtering applies only to trunk ports or to voice VLAN ports.

  • VLAN filtering applies only to port-based sessions and is not allowed in sessions with VLAN sources.

  • When a VLAN filter list is specified, only those VLANs in the list are monitored on trunk ports or on voice VLAN access ports.

  • SPAN traffic coming from other port types is not affected by VLAN filtering, which means that all VLANs are allowed on other ports.

  • VLAN filtering affects only traffic forwarded to the destination SPAN port and does not affect the switching of normal traffic.

  • You cannot mix source VLANs and filter VLANs within a session. You can have source VLANs or filter VLANs, but not both at the same time.

Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10570-41.html

Hope it is useful

:-)




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<

Thanks for your reply! Yes, I did try that....

1. The source port is not a trunk; it is part of a dedicated VLAN.

2. When I select RX only, I see traffic entering the switch from the workstation, but not the traffic from the switch to the workstation (but this is exactly what I would expect).

3. When I select TX only, I seem to see all traffic on the VLAN, i.e. before the switch applies its MAC address table filter to forward only broadcasts and unicast traffic designated specifically for the connected workstation.

Jacques

Now if you set up both:

monitor session 1 source interface Gix/y/z both

You should see practically all traffic generated or received on that port.




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<

Thanks for your reply, but since 'both' is the default, there is no need to add it on the command line.
The show monitor command shows that "both" is selected.

The problem is that I see too much traffic. The switch should block traffic not destined for the workstation's MAC address from being forwarded to the workstation (and probably it does just that), but my monitor session shows all traffic on the VLAN, not just the traffic to/from the workstation as it appears on the interface's RJ45 connector.

Jacques

Presumably Vlan 100 was designated as a specific SPAN Vlan as below?

Switch1(config)#vlan 100
Switch1(config-vlan)#name RSPAN-Vlan
Switch1(config-vlan)#remote-span

You can't put hosts into the remote SPAN VLAN; it has to be dedicated to the SPAN traffic.

Assuming you have done this, you should only see traffic to and from the source port. If the source is an access port in a single VLAN, you would also see broadcast traffic for that VLAN, as the connected host will see all broadcasts, but you shouldn't be seeing unicast traffic between two hosts which are not the host connected to the source port.

Correct, that is also why I stated in my initial post:

I'm sure the traffic is not coming from another monitored interface, because when I disable the monitoring on my source interface, I receive no traffic at all on the destination interface.

Jacques

Yep, that is correct: the remote VLAN is used for that role only, not for end users, as was mentioned previously.




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<
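The following is an added, complete configuration example, not posted by anyone in this thread, that puts together the pieces the replies above describe: the explicit direction keyword and VLAN filtering from the Cisco documentation excerpt (VLAN filtering applies to trunk sources only and cannot be combined with a source VLAN in the same session), the remote-span VLAN definition from the later reply, and the show commands used to verify what a session is actually copying. Interface names (GigabitEthernet1/0/10, GigabitEthernet1/0/48, GigabitEthernet1/0/5, GigabitEthernet1/0/1), the RSPAN VLAN ID 100 and the filtered VLAN IDs 10 and 20 are assumptions for illustration; the original post uses placeholders.

```ios
! ===== Source switch: the workstation is attached here =====
! The RSPAN VLAN must exist and be flagged remote-span on EVERY switch
! in the path (source, intermediate, destination). No hosts belong in it.
vlan 100
 name RSPAN-Vlan
 remote-span
!
! Trunks between the switches must carry the RSPAN VLAN.
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan add 100
!
! Port-based source session on the access port of the workstation.
! "both" is the default direction; it is written out here for clarity.
! rx = frames received from the workstation, tx = frames the switch
! sends out to the workstation (including broadcasts for its VLAN).
monitor session 1 source interface GigabitEthernet1/0/10 both
monitor session 1 destination remote vlan 100
!
! Alternative for a TRUNK source port (replace session 1 above):
! VLAN filtering limits the copied VLANs. It only affects trunk
! (or voice VLAN) sources and is not allowed together with
! "monitor session 1 source vlan ..." in the same session.
! no monitor session 1
! monitor session 1 source interface GigabitEthernet1/0/48 rx
! monitor session 1 filter vlan 10 , 20
! monitor session 1 destination remote vlan 100
!
! ===== Destination switch: the analyzer is attached here =====
vlan 100
 name RSPAN-Vlan
 remote-span
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan add 100
!
! The destination port is dedicated to the analyzer; it does not
! forward normal traffic while it is a SPAN destination.
monitor session 1 source remote vlan 100
monitor session 1 destination interface GigabitEthernet1/0/5
!
! ===== Verification (run on each switch) =====
! Confirms VLAN 100 is marked remote-span on this switch.
show vlan remote-span
! Shows sources, direction (Rx/Tx/Both), filter VLANs and destination.
show monitor session 1
show monitor session 1 detail
```

When the `show monitor session 1` output lists a source VLAN rather than a source interface, or lists the trunk uplink as a source, the session is VLAN-based rather than port-based, which is the symptom described in the original post. On an access-port source, a tx or both session is still expected to carry broadcasts for the port's VLAN, so the check that matters is whether unicast frames between two other hosts appear at the analyzer.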