SPAN Configuration - Cisco 3560

Answered Question
Jan 21st, 2009

Hello,

I'm trying to configure SPAN on my Cisco Catalyst 3560 in order to be able to mirror traffic from one port to another.

To summarize, the mirroring is not working. I'm able to test if SPAN is working by checking the traffic on the network cards and by trying our monitoring software (Websense) which is supposed to work if SPAN is operational.

Please find attached the important parts of the configuration.

PS - The monitoring software worked just fine when I replaced the switch with a dumb hub, so I figured out that the problem is definitely originating from the Cisco and its SPAN configuration.

Please note that the setup of the network cards is correct, but the interesting thing is that even though the configuration of SPAN is done on the FastEthernet interfaces, the network cards which are connected to ports 36 and 46 are both showing a speed of 1Gbps under the network connection properties. I'm not sure if that could be a part of the problem.

I tried to manually set the network cards to operate at 100Mbps or 10Mbps but that didn't work for me either.

Another interesting point: On another Cisco switch in a different office, I went through the same configuration and SPAN worked just fine and the network cards were showing a speed of 100Mbps.

I would really appreciate your help.

Thank you in advance.

Raymond.

Giuseppe Larosa Wed, 01/21/2009 - 23:25

Hello Raymond,

on both ports configure speed and duplex

int fas0/36
 speed 100
 duplex full

int fas0/46
 speed 100
 duplex full

and configure also the NICs for 100 full

For some reason auto-negotiation fails and you need to hardcode speed and duplex on both ends of each link.

This is part of the problem: if layer 1 (physical) doesn't match, the switch may not understand traffic on the source port and cannot replicate it on the SPAN destination port.

Also because GE over RJ-45 uses all 4 pairs while FE uses only two pairs (wires 1,2 and 3,6).

So a port at 1Gbps cannot be understood by someone looking only at 2-pair signals.

Hope to help

Giuseppe

interedlb Thu, 01/22/2009 - 00:47

Hello Giuseppe,

Thank you for your answer.

Unfortunately, that didn't work for me. I set the interfaces' speed and mode on the Cisco switch to 100/Full as advised. I also configured the network cards to 100/Full.

I also set the firewall's internal interface (which is the source of the SPAN) to operate at 100/Full.

The properties of the network connections now show 100Mbps but still no traffic at all on the monitoring network card (which is put in stealth mode of course).

Any other solutions please? I can't figure out what could be causing this problem.

Your help is much appreciated.

Thank you,

Raymond

interedlb Thu, 01/22/2009 - 23:42

Hello,

Does anyone have any idea or advice about the above please?

Thank you,

Raymond

Kerem Gursu Fri, 01/23/2009 - 01:50

Hi Raymond,

You have configured both the source port and the destination port to be placed in VLAN 1. Also, you are using VLAN 1 as an SVI by using the IP address "ip address 172.16.20.1 255.255.0.0".

The SPAN session will not come up unless the L2 VLAN or the physical port is up. By using VLAN 1 as a VLAN and an SVI, the SPAN session might be experiencing problems.

Can you try to put the source port in a different VLAN?

interedlb Fri, 01/23/2009 - 02:09

Hello Kerem,

Thank you for your reply.

I created Vlan2 and I put the source port to that Vlan but it didn't work. I then tried putting both the source and destination ports to Vlan2 but also no luck.

Please find attached the updated configuration.

Any other possible causes for this problem? This is really one of the weirdest problems I have ever experienced with a Cisco switch!

Your help is much appreciated and thanks again.

Raymond

Kerem Gursu Fri, 01/23/2009 - 03:40

Hello Raymond,

I used the same config in my lab; it works without a problem. This leaves open the question of NIC and switch compatibility.

What do you see in the output of show interface fas 0/36 and show interface fas 0/46? What does the log output show when you disconnect / connect these ports?

Also, if available, I would suggest changing the ports from fas 0/36 and fas 0/46 to other unused ports and configuring the SPAN session again.

HTH

interedlb Fri, 01/23/2009 - 04:06

Hello HTH,

Please find attached the output of the commands:

show interface fa 0/36

show interface fa 0/46

When I disabled the network card connected to fa0/46, the output of show interface fa 0/46 didn't change.

Both network cards are:

D-Link DGE-530T V.B1 Gigabit Ethernet Adapter

Please note that I have already tried to change the ports from 0/36 and 0/46 but that didn't work either.

Do you think that the problem is a compatibility issue with the network cards? Can we say that for sure?

What should be my next step? Is it replacing the network cards with another model, or maybe you can point to another type of fix that would solve the problem?

I appreciate your help.

Thank you.

Raymond

glen.grant Fri, 01/23/2009 - 04:20

I wouldn't keep the port settings at 100/half; change them to 100/full. Then, if need be, I would stick a sniffer on there to see if you are getting traffic or not; if so, then I would suspect a NIC card problem. I have never seen a problem with SPAN working on the Cisco end. Everything else looks fine and in the state it should be in. I would also be suspicious if your NIC card says the speed is something other than what the port settings say when you issue a show interface status command. Also, the destination port will always show down/down in a SPAN session, with it also saying "monitoring", which it does; this is normal, and you will not see any interface state change when plugging things in and out until you remove the SPAN session.
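
The checks described in the post above (destination port reporting "monitoring", no half duplex, NIC speed matching the switch port), as an added example that is not part of the original thread. The sample output is constructed, and treating Fa0/36 as the SPAN source and Fa0/46 as the destination is an assumption, since the attached configuration is not shown on the page.

```python
import re

# Constructed sample of "show interfaces status" output (not the thread's attachment).
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/36    firewall-inside    connected    2            full    100 10/100BaseTX
Fa0/46    websense-monitor   monitoring   2            half    100 10/100BaseTX
"""

# The Name column may be empty, so the row is anchored on the status keyword.
ROW = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"(?P<status>connected|notconnect|monitoring|disabled|err-disabled)\s+"
    r"(?P<vlan>\S+)\s+(?P<duplex>\S+)\s+(?P<speed>\S+)\s+(?P<type>.+)$"
)

def parse_status(text):
    """Return {port: fields} for every data row; the header line does not match."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[m.group("port")] = m.groupdict()
    return rows

def check_span_ports(text, source, destination, nic_speed_mbps):
    """Return findings for a SPAN pair. nic_speed_mbps maps port -> speed the attached NIC reports."""
    rows = parse_status(text)
    findings = []
    for port in (source, destination):
        row = rows.get(port)
        if row is None:
            findings.append(f"{port}: not present in output")
            continue
        expected = "monitoring" if port == destination else "connected"
        if row["status"] != expected:
            findings.append(f"{port}: status is {row['status']}, expected {expected}")
        # "a-full" / "a-100" mean auto-negotiated; strip the prefix before comparing.
        duplex = row["duplex"].split("-")[-1]
        speed = row["speed"].split("-")[-1]
        if duplex == "half":
            findings.append(f"{port}: half duplex")
        nic = nic_speed_mbps.get(port)
        if nic is not None and speed.isdigit() and int(speed) != nic:
            findings.append(f"{port}: switch reports {speed} Mbps, NIC reports {nic} Mbps")
    return findings

if __name__ == "__main__":
    for finding in check_span_ports(SAMPLE_STATUS, "Fa0/36", "Fa0/46", {"Fa0/36": 100, "Fa0/46": 1000}):
        print(finding)
```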

interedlb Mon, 01/26/2009 - 00:34

Hello Glen,

I installed Microsoft Network Monitor and I was able to capture packets. Also please note that when I used a dumb hub instead of the switch I was able to capture all the packets and the monitoring software was working properly. So I'm pretty sure that the problem is not from the network card itself but from the Switch-NIC communication.

PS - Attached is the result of the show interface commands, it looks right.

Any other suggestions please? I'm kind of stuck here.

Thank you.

Raymond

Correct Answer
Kerem Gursu Mon, 01/26/2009 - 04:00

Hi Raymond,

Your logs and outputs do not indicate a problem on the switch side. Also, you have observed the same configuration working on a different site.

It seems like a problem with the NICs. Did you try to use the latest drivers for the NICs? Are those the same NICs with which you successfully configured a SPAN session on a different site? If you do use the same cards and latest software, I recommend replacing the NICs or opening a case with the manufacturer of the NICs.
