It's clear now.
Thanks a lot!
ZZ
On Fri, Sep 11, 2009 at 10:28 AM, Mark Cairns <m.a.cairns_at_gmail.com> wrote:
> Just to dig up some info on this.
>
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_37_se/configuration/guide/swspan.html
>
> From the destination port section:
>
> "When a port is configured as a SPAN destination port, the configuration
> overwrites the original port configuration"
>
> "When it is active, incoming traffic is disabled. The port *does not
> transmit any traffic except that required for the SPAN session*."
>
> Mark
> #17755, Security
>
>
> On Fri, Sep 11, 2009 at 10:06 AM, Ryan West <rwest_at_zyedge.com> wrote:
>
>> That's interesting, but makes sense. What ZZ is trying to accomplish is
>> very easy with a 2950, you just place the ingress keyword at the end of the
>> destination SPAN and it just works. I had thought that there was similar
>> functionality in the 12.2 Cat2k and Cat3k lines, but I didn't have much luck
>> either when I tested recently with 12.2(46)SE6.
>>
>> I tried 'ingress vlan' and 'ingress untagged vlan' but neither produced
>> the results I was looking for. Has anyone else had different results with
>> the Cat3k's?
>>
>> -ryan
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Mark Cairns
>> Sent: Friday, September 11, 2009 9:54 AM
>> To: ZZ
>> Cc: Cisco certification
>> Subject: Re: SPAN on 3560 - enable traffic forwarding on destination port
>>
>> ZZ,
>>
>> I think you have done exactly what you have in your description. You
>> configured SPAN to receive traffic from Gi0/24 and you have enabled traffic
>> forwarding from your PC via the ingress VLAN so you can send unicast,
>> broadcast, etc from your PC. However I don't think you are going to receive
>> traffic back. You can send a SYN packet to a host and try to initiate a
>> telnet session but the response to that packet will never get back to your
>> PC because the switch is sending you SPAN traffic. It is no longer a normal
>> port participating in VLAN 146.
>>
>> The ingress VLAN would be used by something like an IDS sending TCP resets
>> where it only needs to transmit traffic, not build a session to another
>> device.
>>
>> I'd recommend putting a second NIC in your PC (or use wireless) if you want
>> to capture and be on the network at the same time.
>>
>> Mark
>> #17755, Security
>>
>> On Fri, Sep 11, 2009 at 9:13 AM, ZZ <zurabz_at_gmail.com> wrote:
>>
>> > no solution? nobody?
>> >
>> >
>> > ZZ
>> >
>> > On Thu, Sep 10, 2009 at 2:08 PM, ZZ <zurabz_at_gmail.com> wrote:
>> >
>> > > Hello Experts,
>> > >
>> > > I'm having a hard time configuring SPAN on the switch and at the same time
>> > > enabling traffic forwarding on my PC (Wireshark, which is the destination
>> > > SPAN session).
>> > >
>> > > Here is the config:
>> > >
>> > > Rack1SW3#sh run | i moni
>> > >
>> > > monitor session 1 source interface Gi0/24
>> > > monitor session 1 destination interface Gi0/1 ingress untagged vlan 146
>> > >
>> > > interface GigabitEthernet0/1
>> > > description PC_Wireshark
>> > > switchport access vlan 146
>> > > switchport mode access
>> > > spanning-tree portfast
>> > > end
>> > >
>> > > interface GigabitEthernet0/24
>> > > switchport access vlan 43
>> > > switchport mode access
>> > > spanning-tree portfast
>> > > end
>> > >
>> > > As soon as I enable SPAN I see traffic on Wireshark but don't have an
>> > > access to any device on the LAN.
>> > >
>> > > Kindly let me know what I'm missing.
>> > >
>> > > Thanks,
>> > > ZZ
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>>
>>
Received on Fri Sep 11 2009 - 10:33:14 ART
This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:03 ART