No more monitor sessions available

Unanswered Question
Jul 23rd, 2007

I have a 6509 switch and I need to monitor a port, but I cannot create any more sessions.

All available configurable sessions are being used for IDS.

Is there any other way for me to monitor a switch port to capture source and destination packets on a particular port?

wilson_1234_2 Tue, 07/24/2007 - 04:12

Thanks,

I did see that.

It looks to me like there can only be two local sessions configured on the switch and they are in use for IDS.

I cannot disturb those sessions.

The thing is, I need to monitor a port on that switch.

Is there any other way to do it?

Amit Singh Tue, 07/24/2007 - 04:39

Hi Wilson,

If you are talking about creating the local SPAN session on Cat6500, then it is not supported at this point of time and we cannot use any other way. However, you can still create up to 64 RSPAN destination sessions on the box. So if you have to monitor some remote ports on another switch, then you can have it configured for it on Cat 6500.

At this point, with the current software releases, only 2 local SPAN sessions are available. However, we are increasing this limit in the upcoming software release, which is due to be released shortly, and this will no longer be a limitation.

HTH, please rate if it does.

-amit singh

wilson_1234_2 Wed, 07/25/2007 - 06:24

Thank you, it helps very much.

I am unclear on how to set up a remote span session for what I want to do:

I want to monitor a single switch port from a port on a different switch.

I know this is what RSPAN is for, but the documentation shows setting up VLANs.

Is there an easy procedure (like local span sessions) to do this?

Amit Singh Wed, 07/25/2007 - 06:42

Wilson,

You have to create a separate VLAN which is dedicated only to carrying the RSPAN traffic from one switch to the other switch over the trunk. You have to have it.

Here is the procedure that I am outlining for you.

First of all, you have to create a VLAN which will be used only for carrying the RSPAN traffic. Create a dedicated VLAN on both the switches:

    conf t
    vlan xxx
     remote-span

On the source switch, where the port that is to be monitored is located, you have to run the following commands:

    conf t
    monitor session 1 source <interfaces or source VLAN that you want to monitor>
    monitor session 1 destination remote vlan xxx

On your destination switch, where the destination/sniffer PC is connected:

    conf t
    monitor session 1 source remote vlan xxx
    ! fa X/x is the port connected to the monitoring server
    monitor session 1 destination interface fa X/x

Please use the link below for more info:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/span.htm

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12235se/scg/swspan.htm

HTH, please rate if it does.

-amit singh
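
Added example, not part of the original thread: a small Python check that the two halves of the RSPAN procedure above agree, so the sniffer or IDS port is not silently left without mirrored traffic. VLAN 900 and the interface names are constructed sample values, and the function names are hypothetical.

```python
import re

def parse_rspan(config):
    """Return (remote-span VLAN ids, {session id: {'source'|'destination': args}})."""
    rspan_vlans, sessions, vlan = set(), {}, None
    for line in (raw.strip().lower() for raw in config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan = int(m.group(1))
        elif line == "remote-span" and vlan is not None:
            rspan_vlans.add(vlan)
        elif line and not line.startswith("name "):
            vlan = None  # any other command leaves VLAN config mode
            if m := re.fullmatch(r"monitor session (\d+) (source|destination) (.+)", line):
                sessions.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return rspan_vlans, sessions

def check_rspan_pair(src_cfg, dst_cfg):
    """List problems that would leave the sniffer port without mirrored traffic."""
    src_vlans, src_sessions = parse_rspan(src_cfg)
    dst_vlans, dst_sessions = parse_rspan(dst_cfg)
    # RSPAN VLANs that a destination-switch session hands to a physical interface
    delivered = set()
    for s in dst_sessions.values():
        m = re.fullmatch(r"(?:remote )?vlan (\d+)", s.get("source", ""))
        if m and s.get("destination", "").startswith("interface "):
            delivered.add(int(m.group(1)))
    problems, found = [], False
    for sid, s in sorted(src_sessions.items()):
        m = re.fullmatch(r"remote vlan (\d+)", s.get("destination", ""))
        if not m:
            continue  # local SPAN session, not part of the RSPAN pair
        found, v = True, int(m.group(1))
        if "source" not in s:
            problems.append(f"session {sid}: no source on source switch")
        if v not in src_vlans:
            problems.append(f"vlan {v}: not remote-span on source switch")
        if v not in dst_vlans:
            problems.append(f"vlan {v}: not remote-span on destination switch")
        if v not in delivered:
            problems.append(f"vlan {v}: not delivered to an interface on destination switch")
    if not found:
        problems.append("no RSPAN source session on source switch")
    return problems

# Constructed sample configs (VLAN 900 and interface names are made up).
SRC = "vlan 900\n remote-span\nmonitor session 1 source interface gi 2/5\nmonitor session 1 destination remote vlan 900"
DST_OK = "vlan 900\n remote-span\nmonitor session 1 source remote vlan 900\nmonitor session 1 destination interface fa 3/1"
DST_BAD = DST_OK.replace(" remote-span\n", "")  # VLAN exists but is an ordinary VLAN
print(check_rspan_pair(SRC, DST_OK), check_rspan_pair(SRC, DST_BAD))
```
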

wilson_1234_2 Wed, 07/25/2007 - 08:05

Can I use this RSPAN procedure on the same switch (source and destination), since I have no more local SPAN sessions available to use on that switch?

My sniffer workstation is on the same switch as the source port I want to sniff.

Amit Singh Wed, 07/25/2007 - 08:47

Nope, you cannot have an RSPAN session on the same switch. This type of session is the local SPAN session, and if you don't have any local SPAN on the switch, then configure the local SPAN on the switch.

RSPAN is remote port mirroring, where your source port is located on a different switch than the destination port/sniffer port.

HTH, please rate if it does.

-amit singh
