cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4225
Views
11
Helpful
11
Replies

SPAN Configuration - Cisco 3560

interedlb
Level 1
Level 1

Hello,

I'm trying to configure SPAN on my Cisco Catalyst 3560 in order to be able to mirror traffic from one port to another.

To summarize, the mirroring is not working. I'm able to test if SPAN is working by checking the traffic on the network cards and by trying our monitoring software (Websense) which is supposed to work if SPAN is operational.

Please find attached the important parts of the configuration.

PS - The monitoring software worked just fine when I replaced the switch with a dumb hub, so I figured out that the problem is definitely originating from the Cisco and its SPAN configuration.

Please note that the setup of the network cards is correct, but the interesting thing is that even though the configuration of SPAN is done on the FastEthernet interfaces, the network cards which are connected to ports 36 and 46 are both showing a speed of 1Gbps under the network connection properties. I'm not sure if that could be a part of the problem.

I tried to manually set the network cards to operate at 100Mbps or 10Mbps but that didn't work for me also.

Another interesting point: On another Cisco switch in a different office, I went through the same configuration and SPAN worked just fine and the network cards were showing a speed of 100Mbps.

I would really appreciate your help.

Thank you in advance.

Raymond.

1 Accepted Solution

Accepted Solutions

Hi Raymond,

Your logs and outputs do not indicate a problem on the switch side. Also you have observed the same configuration on a different site which have worked.

It seems like a problem with the NICs. Did you try to use the latest drivers for the NICs? Are those the same NICs that you have successfully configured span session on a different site? If you do use the same cards and latest software , I recommend replacing the NICs or opening a case to the manufacturer of the NICs.

View solution in original post

11 Replies 11

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Raymond,

on both ports configure speed and duplex

int fas0/36

speed 100

duplex full

int fas0/46

speed 100

duplex full

and configure also the NICs for 100 full

For some reasons auto-negotiation fails and you need to hardcode speed and duplex on both ends of each link.

This is part of the problem if layer1 physical doesn't match the switch may not understand traffic on the source port and cannot replicate it on the SPAN destination port

Also because GE over RJ-45 uses all 4 pairs while FE uses only two pairs (wires 1,2 and 3,6)

So a port at 1Gbps cannot be understood by someone looking only at 2 pairs signals.

Hope to help

Giuseppe

Hello Giuseppe,

Thank you for your answer.

Unfortunately, that didn't work for me. I set the interfaces speed and mode on the Cisco switch to 100/Full as advised. I also configured the network cards to 100/Full.

I also set the Firewall's internal interface (Which is the source of the SPAN) to operate at 100/Full.

The properties of the network connections now show 100Mbps but still no traffic at all on the monitoring network card (Which is put in stealth mode of course).

Any other solutions please? I can't figure out what could be causing this problem.

Your help is much appreciated.

Thank you,

Raymond

Hello,

Does anyone has any idea or advice about the above please?

Thank you,

Raymond

Hi Raymond ,

You have configured both source port and the destination port to be placed in vlan 1. Also you are using Vlan 1 as and SVI by using the Ip address ip address 172.16.20.1 255.255.0.0 .

The Span session will not come up , unless the L2 vlan or the physical port is up. By using Vlan 1 as a vlan and an SVI , the span session might be experiencing problems.

Can you try to put the source port to a different vlan ?

Hello Kerem,

Thank you for your reply.

I created Vlan2 and I put the source port to that Vlan but it didn't work. I then tried putting both the source and destination ports to Vlan2 but also no luck.

Please find attached the updated configuration.

Any other possible causes for this problem? This is really one the weirdest problems I have ever experienced with a Cisco switch!

Your help is much appreciated and thanks again.

Raymond

Sorry I didn't add the configuration attachment in my previous reply.

Please find it attached with this reply.

Thank you.

Raymond

Hello Raymond,

I used the same config in my lab , it works without a problem. This leaves open question of NIC & switch compatibility .

What do you see in the output of show interface fas 0/36 and show interface fas 0/46 ? What does the log output show when you disconnect / connect these ports?

Also , "if available " I would suggest changing the port from fas 0/36 and fas 0/46 to other unused ports and configure the span session again.

HTH

Hello HTH,

Please find attached the output of the commands:

show interface fa 0/36

show interface fa 0/46

When I disabled the network card connected to fa0/46, the output of show interface fa 0/46 didn't change.

Both network cards are:

D-Link DGE-530T V.B1 Gigabit Ethernet Adapter

Please note that I have already tried to change the ports from 0/36 and 0/46 but that didn't work either.

Do you think that the problem is a compatibility issue with the network cards? Can we say that for sure?

What should be my next step? Is it replacing the network cards with another model or maybe you can point out to another type of fix that would solve the problem?

I appreciate your help.

Thank you.

Raymond

I wouldn't keep the port settings at 100/half, change it to 100 full then if need be I would stick a sniffer on there to see if you are getting traffic or not , if so then i would suspect a nic card problem . I have never seen a problem span working on the cisco end. Everything else looks fine and in the state it should be in . I would also be suspect if your nic card says the speed is something other than what the port settings say when you issue a show interface status command . Also the destination port will always show down/down in a span session with it also saying "monitoring" which it does , this is normal and you will not see any interface state change plugging things in and out until you remove the span session.

Hello Glen,

I installed Microsoft Network Monitor and I was able to capture packets. Also please note that when I used a dumb hub instead of the switch I was able to capture all the packets and the monitoring software was working properly. So I'm pretty sure that the problem is not from the network card itself but from the Switch-NIC communication.

PS - Attached is the result of the show interface commands, it looks right.

Any other suggestions please? I'm kind of stuck here.

Thank you.

Raymond

Hi Raymond,

Your logs and outputs do not indicate a problem on the switch side. Also you have observed the same configuration on a different site which have worked.

It seems like a problem with the NICs. Did you try to use the latest drivers for the NICs? Are those the same NICs that you have successfully configured span session on a different site? If you do use the same cards and latest software , I recommend replacing the NICs or opening a case to the manufacturer of the NICs.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: