Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4311
Views
0
Helpful
2
Replies

SPAN on 3850

Go to solution
RabbitSF
Level 1
Level 1

‎11-03-2017 09:23 AM - edited ‎03-08-2019 12:36 PM

First, I am not a Cisco pro so hopefully I can tell correctly what I want to ask.

 

We just got a Cisco Threat Check server from CDW and I just connected it to our two 3850 core switches (stacked?) and configured SPAN to monitor our network traffic. These core switches are our default gateway but the physical connection looks like this,

 

Client Devices-->3850 Core Switches-->2960x switch-->ASA Firewall-->Cloud

 

So the 3850s do not connect to the ASA directly. There is one 2960x in the middle.  I assumed that does not matter because the default gateway is the 3850 (correct me if that's not right). The 3850s and 2960x are located in different buildings. 2960x and ASA are in our MPOE with the Comcast fiber modem. The SPAN configuration from the 3850 is like below,

 

#show monitor
Session 1
---------
Type : Local Session
Source Ports :
Both : Gi1/1/2
Destination Ports : Gi1/0/1
Encapsulation : Native
Ingress : Disabled 

 

Question 1: How do I know if the Gi1/1/2 is the actual source port? The reason I configured that way just because I can see physically there is a fiber cable connected to that port so I assumed that's the port connected to the 2960x switch in the other building. But is there any way from the CLI can tell that port is actually connected to the 2960x switch?

 

Question 2: We have different VLANs. The Threat Check server is in the same VLAN as other main servers but not at the same VLAN as client devices. If that's the case, should I configure RSPAN instead of just SPAN?

 

Thanks so much in advance!

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
BradEast1
Level 3
Level 3

‎11-03-2017 09:27 AM

Try "show cdp neighbor" to verify what is plugged into that port.

 

If the source port and destination port are in the same switch, use SPAN. If they're in different switches, use RSPAN.

View solution in original post

0 Helpful

Go to solution
Austin Sabio
Level 4
Level 4

‎11-03-2017 09:29 AM - edited ‎11-03-2017 09:39 AM

1- try 'show cdp neighbors gigabitEthernet 1/1/2 detail'

it should provide you with cdp info about the destination device (2960x) 

 2- Using local span or rspan depends on the location of the source and destination monitored nodes. If both are on same switch then local span if not on the same switch then use with rspan.  

Please see 

https://supportforums.cisco.com/t5/network-infrastructure-documents/understanding-span-rspan-and-erspan/ta-p/3144951

I hope this helps and good luck!

-Austin

View solution in original post

0 Helpful
2 Replies 2

Go to solution
BradEast1
Level 3
Level 3

‎11-03-2017 09:27 AM

Try "show cdp neighbor" to verify what is plugged into that port.

 

If the source port and destination port are in the same switch, use SPAN. If they're in different switches, use RSPAN.

0 Helpful

Go to solution
Austin Sabio
Level 4
Level 4

‎11-03-2017 09:29 AM - edited ‎11-03-2017 09:39 AM

1- try 'show cdp neighbors gigabitEthernet 1/1/2 detail'

it should provide you with cdp info about the destination device (2960x) 

 2- Using local span or rspan depends on the location of the source and destination monitored nodes. If both are on same switch then local span if not on the same switch then use with rspan.  

Please see 

https://supportforums.cisco.com/t5/network-infrastructure-documents/understanding-span-rspan-and-erspan/ta-p/3144951

I hope this helps and good luck!

-Austin

0 Helpful
Customers Also Viewed These Support Documents