Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1287
Views
0
Helpful
6
Replies

SPAN port on 2960

Go to solution
ChrisH86
Level 1
Level 1

‎06-09-2020 01:00 PM

Recently setup a span port on a Cisco 2960 and I'm seeing every packet twice.  Source is a vlan and I originally specified both for traffic although now I'm thinking this may be the issue.  Can someone confirm correct syntax to capture all traffic from a specific vlan?  This is what I have setup at the moment.

 

monitor session 1 source vlan 402
monitor session 1 destination interface Gi1/0/9

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jcockburn
Level 1
Level 1

‎06-09-2020 02:20 PM

Hi Chris,

 

If you have a monitor session set up and the source is a vlan, you will get a copy sent to the span port when the packet enters the VLAN (rx) and another copy of the same packet when it exits and access port (tx). To get around this you can set the span session to only monitor rx traffic so you only get a copy of the packet as it enters the vlan or enters an access port but not both.

 

You should however read the documentation carefully, as there are some other behaviour as well, like L3 routed traffic...entering from another VLAN and routed out your VLAN (402) which looks like it might not be showed if using the 'rx' keyword...

 

The cmd 'monitor session 1 source vlan 402' defaults to both rx and tx traffic....so maybe try the 'rx' keyword after the command.

Play around with the features and compare what you want, what you see and what the docs says...you will get there ;-)

 

Hope this helps

JC

View solution in original post

0 Helpful
6 Replies 6

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎06-09-2020 01:36 PM

The syntax is correct. but what is this VLAN is this transit VLAN in the network?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎06-09-2020 01:37 PM

The syntax is correct. What is the output of "show monitor"?

HTH

0 Helpful

Go to solution
ChrisH86
Level 1
Level 1
In response to Reza Sharifi

‎06-09-2020 01:51 PM

S1#sh monitor
Session 1
---------
Type                     : Local Session
Source VLANs             :
    Both                 : 402
Destination Ports      : Gi1/0/9
    Encapsulation      : Native
          Ingress      : Disabled


S1#

0 Helpful

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to ChrisH86

‎06-09-2020 02:13 PM

From the config guide regarding RSPAN but not local SPAN.

When RSPAN is enabled, each packet being monitored is transmitted twice, once as normal traffic and once as a monitored packet. Therefore monitoring a large number of ports or VLANs could potentially generate large amounts of network traffic.

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swspan.html

HTH

0 Helpful

Go to solution
jcockburn
Level 1
Level 1

‎06-09-2020 02:20 PM

Hi Chris,

 

If you have a monitor session set up and the source is a vlan, you will get a copy sent to the span port when the packet enters the VLAN (rx) and another copy of the same packet when it exits and access port (tx). To get around this you can set the span session to only monitor rx traffic so you only get a copy of the packet as it enters the vlan or enters an access port but not both.

 

You should however read the documentation carefully, as there are some other behaviour as well, like L3 routed traffic...entering from another VLAN and routed out your VLAN (402) which looks like it might not be showed if using the 'rx' keyword...

 

The cmd 'monitor session 1 source vlan 402' defaults to both rx and tx traffic....so maybe try the 'rx' keyword after the command.

Play around with the features and compare what you want, what you see and what the docs says...you will get there ;-)

 

Hope this helps

JC

0 Helpful

Go to solution
ChrisH86
Level 1
Level 1
In response to jcockburn

‎06-09-2020 03:09 PM

thanks - this is what I suspected but could not find it on google! :)
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card