That's interesting, but makes sense. What ZZ is trying to accomplish is very easy with a 2950, you just place the ingress keyword at the end of the destination SPAN and it just works. I had thought that there was similar functionality in the 12.2 Cat2k and Cat3k lines, but I didn't have much luck either when I tested recently with 12.2(46)SE6.
I tried 'ingress vlan' and 'ingress untagged vlan' but neither produced the results I was looking for. Has anyone else had different results with the Cat3k's?
-ryan
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Mark Cairns
Sent: Friday, September 11, 2009 9:54 AM
To: ZZ
Cc: Cisco certification
Subject: Re: SPAN on 3560 - enable traffic forwarding on destination port
ZZ,
I think you have done exactly what you have in your description. You
configured SPAN to receive traffic from Gi0/24 and you have enabled traffic
forwarding from your PC via the ingress VLAN so you can send unicast,
broadcast, etc from your PC. However I don't think you are going to receive
traffic back. You can send a SYN packet to a host and try to initiate a
telnet session but the response to that packet will never get back to your
PC because the switch is sending you SPAN traffic. It is no longer a normal
port participating in VLAN 146.
The ingress VLAN would be used by something like an IDS sending TCP resets
where it only needs to transmit traffic, not build a session to another
device.
I'd recommend putting a second NIC in your PC (or use wireless) if you want
to capture and be on the network at the same time.
Mark
#17755, Security
On Fri, Sep 11, 2009 at 9:13 AM, ZZ <zurabz_at_gmail.com> wrote:
> no solution? nobody?
>
>
> ZZ
>
> On Thu, Sep 10, 2009 at 2:08 PM, ZZ <zurabz_at_gmail.com> wrote:
>
> > Hello Experts,
> >
> > I'm having a hard time configuring SPAN on the switch and at the same
> > time enabling traffic forwarding on my PC (Wireshark, which is the
> > destination SPAN session).
> >
> > Here is the config:
> >
> > Rack1SW3#sh run | i moni
> >
> > monitor session 1 source interface Gi0/24
> > monitor session 1 destination interface Gi0/1 ingress untagged vlan 146
> >
> > interface GigabitEthernet0/1
> > description PC_Wireshark
> > switchport access vlan 146
> > switchport mode access
> > spanning-tree portfast
> > end
> >
> > interface GigabitEthernet0/24
> > switchport access vlan 43
> > switchport mode access
> > spanning-tree portfast
> > end
> >
> > As soon as I enable SPAN I see traffic on Wireshark but don't have
> > access to any device on the LAN.
> >
> > Kindly let me know what I'm missing.
> >
> > Thanks,
> > ZZ
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Fri Sep 11 2009 - 10:06:23 ART
This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:03 ART
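Added example, not part of the original thread: a Python audit of a saved running-config that lists SPAN destination ports and reports whether an `ingress` clause lets the attached device transmit, using the configuration ZZ posted as constructed sample input. The function names and the short-name expansion list are assumptions of this example.

```python
import re

# Constructed sample input: the configuration quoted in the thread.
SAMPLE_CONFIG = """\
monitor session 1 source interface Gi0/24
monitor session 1 destination interface Gi0/1 ingress untagged vlan 146
interface GigabitEthernet0/1
 description PC_Wireshark
 switchport access vlan 146
 switchport mode access
interface GigabitEthernet0/24
 switchport access vlan 43
 switchport mode access
"""

DEST_RE = re.compile(r"^monitor session (\d+) destination interface (\S+)"
                     r"(?: encapsulation \S+)?(?: ingress (.+))?[ \t]*$", re.M)
LONG_NAMES = ("GigabitEthernet", "FastEthernet", "TenGigabitEthernet")

def canon(name):
    """Expand short names such as Gi0/1 so they match the interface stanza."""
    m = re.match(r"([A-Za-z]+)([\d/]+)$", name)
    if m:
        for full in LONG_NAMES:
            if full.lower().startswith(m.group(1).lower()):
                return full + m.group(2)
    return name

def access_vlans(config):
    """Map each interface to the access VLAN written in its stanza."""
    vlans, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = canon(m.group(1))
        elif (m := re.match(r"\s*switchport access vlan (\d+)", line)) and current:
            vlans[current] = int(m.group(1))
    return vlans

def audit_span_destinations(config):
    """List SPAN destination ports and whether the attached host may transmit."""
    vlans, findings = access_vlans(config), []
    for session, port, ingress in DEST_RE.findall(config):
        vlan = re.search(r"vlan (\d+)", ingress)
        findings.append({
            "session": int(session), "port": canon(port),
            "can_transmit": bool(ingress),            # ingress clause present
            "ingress_vlan": int(vlan.group(1)) if vlan else None,
            # Per Mark's reply, the port is no longer a normal member of this VLAN.
            "stanza_access_vlan": vlans.get(canon(port)),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_span_destinations(SAMPLE_CONFIG):
        print(finding)
```

A finding with `can_transmit` set marks a port from which the attached sensor or PC can send frames into the listed VLAN, which is worth reviewing alongside the `switchport` stanza that still looks like an ordinary access port.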