06-09-2020 01:00 PM
Recently set up a span port on a Cisco 2960 and I'm seeing every packet twice. Source is a vlan and I originally specified both for traffic although now I'm thinking this may be the issue. Can someone confirm correct syntax to capture all traffic from a specific vlan? This is what I have set up at the moment.
monitor session 1 source vlan 402
monitor session 1 destination interface Gi1/0/9
06-09-2020 02:20 PM
Hi Chris,
If you have a monitor session set up and the source is a vlan, you will get a copy sent to the span port when the packet enters the VLAN (rx) and another copy of the same packet when it exits an access port (tx). To get around this you can set the span session to only monitor rx traffic so you only get a copy of the packet as it enters the vlan or enters an access port but not both.
You should however read the documentation carefully, as there is some other behaviour as well, like L3 routed traffic...entering from another VLAN and routed out your VLAN (402) which looks like it might not be shown if using the 'rx' keyword...
The cmd 'monitor session 1 source vlan 402' defaults to both rx and tx traffic....so maybe try the 'rx' keyword after the command.
Play around with the features and compare what you want, what you see and what the docs say...you will get there ;-)
Hope this helps
JC
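One way to check a capture taken on the SPAN destination port for the rx/tx duplication described in the answer above, as an added example that is not part of the original thread. It assumes both copies of a frame are byte-identical and arrive within 1 ms of each other; the sample frames, timestamps, window and function names are constructed for illustration.

```python
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, little-endian, microsecond timestamps

def read_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) from classic pcap file bytes."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    offset = 24  # skip the global header
    while offset + 16 <= len(data):
        sec, usec, caplen, _origlen = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield sec + usec / 1e6, data[offset:offset + caplen]
        offset += caplen

def count_duplicates(frames, window=0.001):
    """Return (total, dups); a dup is byte-identical to a frame seen <= window s earlier."""
    last_seen, total, dups = {}, 0, 0
    for ts, frame in frames:
        total += 1
        digest = hashlib.sha256(frame).digest()
        prev = last_seen.get(digest)
        if prev is not None and ts - prev <= window:
            dups += 1
        last_seen[digest] = ts
    return total, dups

def build_sample_pcap(frames):
    """Build pcap bytes from constructed (timestamp, frame) pairs so this runs offline."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

# Constructed 60-byte frames, not taken from the thread.
A = b"\x02\x00\x00\x00\x00\x0a" * 10
B = b"\x02\x00\x00\x00\x00\x0b" * 10
# Source direction "Both": each frame is copied on rx and again on tx.
BOTH_PCAP = build_sample_pcap([(0.0001, A), (0.00013, A), (0.0005, B), (0.00052, B), (1.0, A)])
# Source direction rx only: one copy each; the later resend of A is not a duplicate.
RX_PCAP = build_sample_pcap([(0.0001, A), (0.0005, B), (1.0, A)])

if __name__ == "__main__":
    print("both:", count_duplicates(read_pcap(BOTH_PCAP)))
    print("rx:  ", count_duplicates(read_pcap(RX_PCAP)))
```

A duplicate count close to half the total is what a VLAN source monitored in both directions would produce; a count near zero after switching to rx confirms the change took effect.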
06-09-2020 01:36 PM
The syntax is correct, but what is this VLAN? Is this a transit VLAN in the network?
06-09-2020 01:37 PM
The syntax is correct. What is the output of "show monitor"?
HTH
06-09-2020 01:51 PM
S1#sh monitor
Session 1
---------
Type : Local Session
Source VLANs :
Both : 402
Destination Ports : Gi1/0/9
Encapsulation : Native
Ingress : Disabled
S1#
06-09-2020 02:13 PM
From the config guide regarding RSPAN but not local SPAN.
When RSPAN is enabled, each packet being monitored is transmitted twice, once as normal traffic and once as a monitored packet. Therefore monitoring a large number of ports or VLANs could potentially generate large amounts of network traffic.
HTH
06-09-2020 03:09 PM