Monitor Session problem

Unanswered Question
Sep 28th, 2007

Sort of an odd issue.

I have a Windows XP machine with two NICs in it. I have one NIC connected to a switch (in VLAN 16 with IP 10.10.6.23). The other NIC is connected to the same switch. I set up a monitor session as such:

monitor session 1 source vlan 16

monitor session 1 destination int fa0/6

Fa0/6 is where the 2nd NIC is connected. Fa0/5 is where the IP'd NIC is connected.

I am able to ping the 10.10.6.23 address until I enable the monitoring port. As soon as I bring up that port, I lose all connectivity to the 10.10.6.23 address. Ideas? Both NICs in the XP machine are connected at 100Mb full duplex. Think it is some routing issue on the XP box?

glen.grant Fri, 09/28/2007 - 17:04

Destination Interface

A destination interface (also called a monitor interface) is a switched or routed interface where SPAN sends packets for analysis. Once an interface becomes an active destination interface, incoming traffic is disabled. You cannot configure a SPAN destination interface to receive ingress traffic. The interface does not forward any traffic except that required for the SPAN session.

An interface specified as a destination interface in one SPAN session cannot be a destination interface for another SPAN session. An interface configured as a destination interface cannot be configured as a source interface. EtherChannel interfaces cannot be SPAN destination interfaces.

Specifying a trunk interface as a SPAN destination interface stops trunking on the interface.

rtjensen4 Fri, 09/28/2007 - 18:13

Thanks for the response, but I think maybe I didn't explain the problem well enough.

The XP machine has 2 NICs both plugged into the same switch.

Nic 1: 10.10.6.23 int fa0/5

Nic 2: No IP int fa0/6 (used to sniff)

The problem occurs whenever I do a no shut on fa0/6. Doesn't matter whether I have the destination for the monitor session set.

I am able to PING / Connect to the ip of Nic 1 just fine until I bring up the port that Nic 2 is plugged into, then I have no connectivity to it.

JORGE RODRIGUEZ Fri, 09/28/2007 - 20:14

Ryan, I have not yet experienced VLAN-based SPAN the way you are doing it, which in fact seems syntactically correct based on the brief reading I have done: in your monitor session you want to filter VLAN 16 and mirror the traffic to the destination NIC on fe0/6, so far this seems by the book. Once you bring up the interface, your other NIC's IP stops, which has nothing to do with source or destination ports. Indeed it is odd; I don't have the answer to this one and hope someone who has experienced something similar will post the explanation. I will lab this out at some point. Do any other hosts on the switch in 10.10.6.0 lose connectivity, or is it just 10.10.6.23?

I would like to suggest, though, that you try the monitoring differently. For example, you may want to use an uplink port and filter VLAN 16 in the session; if the uplink is a trunk, it would be feasible to use it as a source port.

Try the filter as below and post the results.

monitor session 1 source int gig0/20

monitor session 1 filter vlan 16

monitor session 1 destination inte fa0/6

Rgds

Jorge

rtjensen4 Fri, 09/28/2007 - 20:25

Thanks for the reply. No, it is just this host. I need to access the host remotely via Remote Desktop via the 10.10.6.23 IP so the host can sniff with the un-IP'd NIC. I like your suggestion on filtering, but the problem with that is that the switch is running L3 software, so it is actually the gateway for that VLAN and there is communication between two servers on that VLAN, which is what I'm interested in capturing.

Also, this problem happens even when the monitor session is not configured, just having the PC connected to the switch with both NICs. I am going to try swapping the NIC that is IP'd to see if that makes a difference. Thanks for your reply.

rseiler Sat, 09/29/2007 - 00:04

Did you disable 'File and Printer Sharing', 'Client for Microsoft Networks', 'QoS Packet Scheduler', and 'Internet Protocol' under the General tab on your second (monitor) NIC?

If not, are you sure you are not killing the XP PC with monitoring traffic?

What is the switch type, supervisor, and linecard (model #'s, IOS version) that this XP PC is plugged into? Do both ports from the XP PC connect to the switch on neighboring ports?

The only other item I can think of is to be sure you have not installed or configured the Microsoft bridging stack on the XP PC.

balajitvk Sat, 09/29/2007 - 11:31

Hi,

Did you try connecting the destination port to the other machine? Also, check the show log output of the switch to see whether there is any MAC flapping between the two ports.

Rgs.

Kevin Dorrell Sun, 09/30/2007 - 02:10

My guess is that you have bpdu-guard enabled on one or other of the ports (probably F0/5 or both) and that you have the internal XP bridge enabled in the PC. The switch is seeing BPDUs that are bridged by the PC, and disabling F0/5. But that is just a guess.

The other guess is again to do with BPDUs and bridging: that you don't have bpdu-guard enabled, but the Spanning Tree is putting F0/5 into blocking because it is seeing bridged BPDUs. Again, the solution is to disable the internal XP bridge.

If it is either of those, please let us know.

Kevin Dorrell

Luxembourg
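
The two switch-side checks raised in the replies above (MAC flapping between Fa0/5 and Fa0/6, and a BPDU Guard err-disable on Fa0/5) can be triaged from `show log` output. This is an added example, not code from any poster; the log lines are constructed and their format is an assumption based on common Catalyst IOS syslog mnemonics.

```python
import re
from collections import defaultdict

# Constructed switch log lines (not from the thread). Message formats are an
# assumption based on the usual Catalyst IOS syslog mnemonics.
SAMPLE_LOG = """\
Sep 28 17:40:01: %LINK-3-UPDOWN: Interface FastEthernet0/6, changed state to up
Sep 28 17:40:03: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 16 is flapping between port Fa0/5 and port Fa0/6
Sep 28 17:40:04: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/5 with BPDU Guard enabled. Disabling port.
Sep 28 17:40:04: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/5, putting Fa0/5 in err-disable state
"""

MAC_FLAP = re.compile(r"%SW_MATM-4-MACFLAP_NOTIF: Host (\S+) in vlan (\d+) "
                      r"is flapping between port (\S+) and port (\S+)")
BPDU_GUARD = re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (\S+)")
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+),")


def short(port):
    """Normalise long interface names (FastEthernet0/5) to the short form (Fa0/5)."""
    return re.sub(r"^FastEthernet", "Fa", re.sub(r"^GigabitEthernet", "Gi", port))


def triage(log_text, watched=("Fa0/5", "Fa0/6")):
    """Return {port: sorted findings} for the watched ports only."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        if m := MAC_FLAP.search(line):
            # The same host MAC learned on both ports points at bridging in the PC.
            for port in (short(m.group(3)), short(m.group(4))):
                findings[port].add(f"mac-flap {m.group(1)} vlan {m.group(2)}")
        elif m := BPDU_GUARD.search(line):
            # An access port received a BPDU, i.e. something behind it is bridging.
            findings[short(m.group(1))].add("bpdu-received-with-guard")
        elif m := ERR_DISABLE.search(line):
            findings[short(m.group(2))].add(f"err-disabled ({m.group(1)})")
    return {p: sorted(findings[p]) for p in watched if p in findings}


if __name__ == "__main__":
    for port, notes in triage(SAMPLE_LOG).items():
        print(port, "->", "; ".join(notes))
```
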
