SPAN session tx or rx question

wilson_1234_2 · ‎12-09-2009

When configuring a SPAN session for a single direction on core 6509:

monitor session 1 source vlan 1, 5 , 7, 9 rx

Monitor session 1 destination interface g1/1

VLAN 5 is uplink to Firrewall/Internet

VLAN 7 is workstation VLAN

If a workstation is attempting to connect to an FTP server on the Internet, would I see any traffic on VLAN 5 in the rx direction?

Or does the SPAN session only see traffic sourced from the FTP server?

It the traffic is outbound to the FTP server, would there be any rx traffic inbound on the VLAN 5 port?

Edison Ortiz · ‎12-09-2009

If a workstation is attempting to connect to an FTP server on the Internet, would I see any traffic on VLAN 5 in the rx direction?

No, you will see traffic on Vlan 7 on the rx

Or does the SPAN session only see traffic sourced from the FTP server?

Vlan 5 (internet Vlan) will capture all received traffic from the internet so return traffic from the FTP server will be captured.

wilson_1234_2 · ‎12-09-2009

Thanks Edison, that is what I suspected.

But I was wondering (and I hope this is not a stupid question)

There will always be some return traffic from the Internet that gets captured rx on the VLAN 5 port, no matter who initiates the connection?

Since this is tcp, there will always be return traffic seen on the rx on SPAN 1 VLAN 5 from the Internet, correct?

Ganesh Hariharan · ‎12-09-2009

Yes you are rite you can see the traffic coming back from ftp server for ACK to source in internet facing vlan
and traffic which is initiated to ftp server from host from host vlan also.

Regards
Ganesh.H