Re: SPAN question

From: GAURAV MADAN (gauravmadan1177@gmail.com)
Date: Wed Dec 10 2008 - 03:01:26 ARST

• Next message: Hong Chan: "Re: BGP REGEX Help"
• Previous message: Narbik Kocharians: "Re: Passed"
• Maybe in reply to: GAURAV MADAN: "SPAN question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Thnx Darby and Pavel

This has definately helped me go back and check where I was wrong ..

Thnx Again
Gaurav Madan

On Wed, Dec 10, 2008 at 4:56 AM, Darby Weaver <ccie.weaver@gmail.com> wrote:

> I'll promise you SPAN source and destination sessions do not need to be in
> the same VLAN.
>
>
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml
>
> I just posted this link elsewhere.
>
> But it should help clear up any misconceptions on the matter of
> SPAN/RSPAN/ERSPAN.
>
> Enjoy!
>
> On Tue, Dec 9, 2008 at 9:45 AM, GAURAV MADAN <gauravmadan1177@gmail.com>wrote:
>
>> make sense
>>
>> Thnx for providing clearification
>>
>>
>>
>> On Tue, Dec 9, 2008 at 6:05 PM, Pavel Bykov <slidersv@gmail.com> wrote:
>>
>> > Local span session means it is local to the switch, not local to the
>> VLAN.
>> > The only thing switch looks at is switchport mode, if it's ACCESS or
>> TRUNK.
>> > If It's access, the encapsulation of mirrored packets is stripped,
>> unless
>> > "encapsulation replicate" keyword is used. If the mode is TRUNK, then
>> the
>> > encapsulation is preserved.
>> >
>> > Now, for the experience part, here is a common example. Let's say you
>> need
>> > to look if custommers are placed in correct QinQ tunnels and
>> COS/EXP/DSCP
>> > are correct.
>> > You have one vlan (trunk) inside of another vlan (trunk) labeled with
>> MPLS
>> > header.
>> > This is a local span session. What VLAN are you going to set your port
>> to?
>> > What if you are mirroring many such ports, many p-vlans and even more
>> > c-vlans?
>> >
>> >
>> > On Mon, Dec 8, 2008 at 3:17 PM, GAURAV MADAN <gauravmadan1177@gmail.com
>> >wrote:
>> >
>> >> Hi
>> >>
>> >> Thnx for the link
>> >> What I understand from :
>> >>
>> >> Source ports can be in the same or different VLANs.
>> >>
>> >> is that when one is creating SPAN session ; there can be multiple
>> source
>> >> ports and these multiple source ports can be in diff vlan as well.
>> >>
>> >> With all respect to ur experience ; I seriously dont know why we allow
>> >> one vlan traffic to be mirrored out to a port which is in different
>> vlan .
>> >> I am asking only for Local SPAN session .
>> >>
>> >> Gaurav Madan
>> >> On Mon, Dec 8, 2008 at 6:50 PM, Pavel Bykov <slidersv@gmail.com>
>> wrote:
>> >>
>> >>> It's either an old book, or author made a mistake.
>> >>> I know from practical experience, that this is not a requirement.
>> >>>
>> >>> Also, please check out the following documents:
>> >>>
>> >>>
>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swspan.html#wp1036686
>> >>>
>> >>> Especially "Destination Port" and "Source port" requirements.
>> >>> E.g. there it states:
>> >>> Source ports can be in the same or different VLANs.
>> >>> etc.
>> >>> you can even sniff trunks with encapsulation.
>> >>>
>> >>>
>> >>> On Mon, Dec 8, 2008 at 2:10 PM, GAURAV MADAN <
>> gauravmadan1177@gmail.com>wrote:
>> >>>
>> >>>> Hi
>> >>>>
>> >>>> I am really not sure .. where i read this (couldnt rrecollect)
>> >>>> just gava a random search in google and found :
>> >>>>
>> >>>>
>> >>>>
>> http://books.google.com/books?id=-rnt_ik0mSYC&pg=PA482&lpg=PA482&dq=span+source+and+dest+in+same+vlan&source=web&ots=LDb-x54w0e&sig=1JJ9VIJEHHQOkugjl6QCVQ_nmyQ&hl=en&sa=X&oi=book_result&resnum=1&ct=result
>> >>>>
>> >>>> It states :
>> >>>>
>> >>>> SPAN dest port and SPAN source port need to be in same vlan.
>> >>>>
>> >>>> PLease do correct me in case i am wrong
>> >>>>
>> >>>> Gaurav Madan.
>> >>>> On Mon, Dec 8, 2008 at 4:42 PM, Pavel Bykov <slidersv@gmail.com
>> >wrote:
>> >>>>
>> >>>>> Where did you read that they need to be in the same VLAN?
>> >>>>> That is not true.
>> >>>>> Right now you are receiving anything that flows through Fa 1/0/9.
>> >>>>> Are data really flowing through Fa 1/0/9?
>> >>>>>
>> >>>>> On Mon, Dec 8, 2008 at 12:07 PM, GAURAV MADAN <
>> >>>>> gauravmadan1177@gmail.com> wrote:
>> >>>>>
>> >>>>>> Hi Frnds
>> >>>>>>
>> >>>>>> Just to understand something better on SPAN ; I tested sniffing on
>> a
>> >>>>>> port on
>> >>>>>> diff vlan (but landed in more confusion)
>> >>>>>>
>> >>>>>> i.e
>> >>>>>>
>> >>>>>> Rack1SW3(config)#do sh monitor sess 1
>> >>>>>> Session 1
>> >>>>>> ---------
>> >>>>>> Type : Local Session
>> >>>>>> Source Ports :
>> >>>>>> Both : Fa1/0/9
>> >>>>>> Destination Ports : Fa1/0/10
>> >>>>>> Encapsulation : Native
>> >>>>>> Ingress : Disabled
>> >>>>>>
>> >>>>>> Rack1SW3(config)#do sh run int f1/0/9
>> >>>>>> Building configuration...
>> >>>>>> Current configuration : 62 bytes
>> >>>>>> !
>> >>>>>> interface FastEthernet1/0/9
>> >>>>>> switchport access vlan 10
>> >>>>>> end
>> >>>>>> Rack1SW3(config)#do sh run int f1/0/10
>> >>>>>> Building configuration...
>> >>>>>> Current configuration : 62 bytes
>> >>>>>> !
>> >>>>>> interface FastEthernet1/0/10
>> >>>>>> switchport access vlan 2
>> >>>>>> end
>> >>>>>>
>> >>>>>> Rack1SW3(config)#do sh run int vlan 10
>> >>>>>> Building configuration...
>> >>>>>> Current configuration : 55 bytes
>> >>>>>> !
>> >>>>>> interface Vlan10
>> >>>>>> ip address 10.0.0.1 255.0.0.0
>> >>>>>> end
>> >>>>>>
>> >>>>>> I am just send some pkts from external source to 10.0.0.1 (src
>> >>>>>> 10.0.0.4 say
>> >>>>>> )
>> >>>>>> PC with etherial is connected to f1/0/10
>> >>>>>>
>> >>>>>> I am able to SNIFF .. Am i doing something wrong ..
>> >>>>>> As i understand SPAN source and dest need to be in same vlan .
>> >>>>>>
>> >>>>>> Gaurav Madan
>> >>>>>>
>> >>>>>>
>> >>>>>> Blogs and organic groups at http://www.ccie.net
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> _______________________________________________________________________
>> >>>>>> Subscription information may be found at:
>> >>>>>> http://www.groupstudy.com/list/CCIELab.html
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>
>> >>>>>
>> >>>>> --
>> >>>>> Pavel Bykov
>> >>>>> ----------------
>> >>>>> Don't forget to help stopping the braindumps, use of which reduces
>> >>>>> value of your certifications. Sign the petition at
>> >>>>> http://www.stopbraindumps.com/
>> >>>>>
>> >>>>
>> >>>>
>> >>>
>> >>>
>> >>> --
>> >>> Pavel Bykov
>> >>> ----------------
>> >>> Don't forget to help stopping the braindumps, use of which reduces
>> value
>> >>> of your certifications. Sign the petition at
>> >>> http://www.stopbraindumps.com/
>> >>>
>> >>
>> >>
>> >
>> >
>> > --
>> > Pavel Bykov
>> > ----------------
>> > Don't forget to help stopping the braindumps, use of which reduces value
>> of
>> > your certifications. Sign the petition at
>> http://www.stopbraindumps.com/
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net

• Next message: Hong Chan: "Re: BGP REGEX Help"
• Previous message: Narbik Kocharians: "Re: Passed"
• Maybe in reply to: GAURAV MADAN: "SPAN question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:08 ARST