Re: Confusion with VLAN traffic - IETL-RS v4 SPAN
From: Ronnie Angello (ronnie.angello@gmail.com)
Date: Wed Jan 24 2007 - 11:01:30 ART
Also note that monitoring VLAN tx and rx traffic without configuring any
clever filtering will likely result in an excessive amount of duplicate
frames being captured.
Ronnie
On 1/24/07, Ronnie Angello <ronnie.angello@gmail.com> wrote:
>
> Actually it is documented that the 3560 supports monitoring of both tx and
> rx traffic for source VLANs. The 3550 does not.
>
>
>
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swsp
an.htm
>
> Source VLANs
>
> VLAN-based SPAN (VSPAN) is the monitoring of the network traffic in one or
> more VLANs. The SPAN or RSPAN source interface in VSPAN is a VLAN ID, and
> traffic is monitored on all the ports for that VLAN.
>
> VSPAN has these characteristics:
>
> �All active ports in the source VLAN are included as source ports and can
> be monitored in either or both directions.
>
> �On a given port, only traffic on the monitored VLAN is sent to the
> destination port.
>
> �If a destination port belongs to a source VLAN, it is excluded from the
> source list and is not monitored.
>
> �If ports are added to or removed from the source VLANs, the traffic on
> the source VLAN received by those ports is added to or removed from the
> sources being monitored.
>
> �You cannot use filter VLANs in the same session with VLAN sources.
>
> �You can monitor only Ethernet VLANs.
>
>
>
> On 1/24/07, Fabrice Paz <fabrice.paz@googlemail.com> wrote:
> >
> > Thanks all,
> >
> > It's really clear on the Cisco web site that you can only monitor
> > received traffic on a VLAN, by this I understand received traffic on the
> > switchport belonging to that particular VLAN.
> >
> > The only weird thing is that from where I have done the test the switch
> > still give me the option to set both, rx and tx.
> >
> > Switch1Rack1(config)#monitor session 1 source vlan 12 ?
> > , Specify another range of VLANs
> > - Specify a range of VLANs
> > both Monitor received and transmitted traffic
> > rx Monitor received traffic only
> > tx Monitor transmitted traffic only
> > <cr>
> >
> >
> > Not sure if this is because I am running a WS-C3560-48TS with
> > c3560-advipservicesk9-mz.122-25.SEE2.
> > You have seen already my results showing the three different
> > possibilities, since the results are different I guess that this might be
a
> > new feature that Cisco didn't documented yet and will assume that from
this
> > version you can also monitor sent traffic on a VLAN.
> >
> > Thanks,
> >
> > Fab
> >
> >
> >
> >
> > On 24/01/07, Ronnie Angello <ronnie.angello@gmail.com > wrote:
> > >
> > > You can only monitor rx traffic on VLANs.
> > >
> > >
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/swspan
.htm#wp1403438
> > >
> > >
> > > In fact, I'm unable to configure the monitor session source VLAN
> > > without specifying rx.
> > >
> > > CAT1(config)#monitor session 1 source vlan 10 ?
> > > , Specify another range of VLANs
> > > - Specify a range of VLANs
> > > rx Monitor received traffic only
> > >
> > > CAT1(config)#monitor session 1 source vlan 10
> > > % Incomplete command.
> > >
> > > CAT1(config)#monitor session 1 source vlan 10 rx
> > > CAT1(config)#
> > > Ronnie
> > >
> > > On 1/23/07, Fabrice Paz < fabrice.paz@googlemail.com > wrote:
> > >
> > > > Hi GS,
> > > >
> > > > I have a problem understanding VLAN traffic, here the question
> > > >
> > > > R6
> > > > |
> > > > |
> > > > |Fa0/6
> > > > R1--------------SW1--------------R2
> > > >
> > > > R1 and R2 are both in VLAN12 ( 12.0.0.1/8 & 12.0.0.2/8)
> > > >
> > > > Configure SPAN on SW1 to redirect all traffic from VLAN 12 to R6
> > > >
> > > >
> > > > My answer to that is;
> > > > monitor session 1 source vlan 12
> > > > monitor session 1 destination interface Fa0/6
> > > >
> > > > The correct answer is;
> > > > monitor session 1 source vlan 12 rx
> > > > monitor session 1 destination interface Fa0/6
> > > >
> > > > 1) Should I understand the question as "Configure SPAN on SW1 to
> > > > redirect
> > > > all traffic leaving VLAN 12 to R6"?
> > > > 2) There is no SVI on the topology, if my poitn 1) is right is that
> > > > making
> > > > sense to put an rx or tx for this kind of question?
> > > >
> > > >
> > > > To try to understand I have done the folowing test (I have removed
> > > > keepalive
> > > > from all interface involved)
> > > >
> > > > from R1 "ping 12.0.0.2 repeat 20" while SW1 is "monitor session 1
> > > > source
> > > > vlan 12 rx" a "show int Fa0/6" on SW1 show 40 packet output
> > > > from R1 "ping 12.0.0.2 repeat 20" while SW1 is "monitor session 1
> > > > source
> > > > vlan 12 tx" a "show int Fa0/6" on SW1 show 40 packet output
> > > > from R1 "ping 12.0.0.2 repeat 20" while SW1 is "monitor session 1
> > > > source
> > > > vlan 12" a "show int Fa0/6" on SW1 show 80 packet output
> > > >
> > > > Results are exactly the same when pinging 255.255.255.255 from R1 in
> > > > the
> > > > three scenarios. It's clear that rx an tx are affecting something
> > > >
> > > > 3) Any idea of what rx and tx mean in the case VLAN
> > > > 4) Considering that "monitor session 1 source vlan 12" include both
> > > > rx and
> > > > tx would that fail the task at the exam if they are expecting rx to
> > > > be set?
> > > >
> > > > Thanks,
> > > >
> > > > Fab
> > > >
> > > >
> > > >
This archive was generated by hypermail 2.1.4
: Thu Feb 08 2007 - 23:46:57 ART