Could I simply add vlan 2 to get it to show up?

What information do you need to see ?

If you want to see the traffic coming from vlan 2, then add inside interface to your capture command:-

ASA#capture access-list interface inside

then do

show capture

Or if you are doing it from your switch as you said add the vlan or the port going to the ASA to your monitor session.

I'm doing it from the switch, so I'm spanning/mirroring the port to port 48.

You said add the port going to the ASA to my monitor session, but you can see I'm already monitoring port 3 on the switch which goes to the ASA

check the configuraion on asa. The port on asa would be in access mode vlan2

This is all I have for the inside prt which is fas1/0/3 on the switch (VLAN2) and giga0/1 on the ASA:

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.10.50 255.255.0.0 standby 192.168.10.49

ospf cost 10

That's fine. It you want to capture packets coming into and leaving this interface, use the capture command as above.

I'm using the switch to do all the capturing though to port 48, I'm just mirroring the ports to port 48, no sign of vlan 2, but everything else:

monitor session 2 source interface Fa1/0/1 , Fa1/0/3 , Fa1/0/9

monitor session 2 destination interface Fa1/0/48 encapsulation replicate

Then you should be getting the traffic you need, if not, tell me what traffic you want I will tell you how to get it.

I want my Observer packet capturing server to "see" vlan tags for Vlan 2 and 3. At the moment it only receives Vlan 1 everything else goes into a vlan called "no Vlan" on Observer because it is no seeig the tags.

Observer is in port 1/0/48 and I span the ports 1/0/3 (indide of ASA) and 1/0/9 (outside of ASA). The Cisco 3750 switch is doing all the work, I added this:

monitor session 2 source interface Fa1/0/3 , Fa1/0/9

monitor session 2 destination interface Fa1/0/48 encapsulation replicate

And here is the port info:

interface FastEthernet1/0/3

description inside ASA

switchport access vlan 2

interface FastEthernet1/0/9

description Outside ASA

switchport access vlan 3

If I change:

monitor session 2 source interface Fa1/0/3 , Fa1/0/9

to

monitor session 2 source interface Fa1/0/1

Which is:

interface FastEthernet1/0/1

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 3,4,6,7,9,10,300

switchport mode trunk

which is the trunk to the ASA I see all the Vlan's apart from vlan 2, so I know the NIC on the server and the span config is working ok and picking up the Vlan tags.

I would of thought the span would pickup the Vlan tags and pass wthem over to the Observer packet capturing server on port 1/0/48.

Hi

You won't see Tags for vlan 2 as the port it traverses is an access port and not a trunk so does not tag frames. If you want to see the packets coming from vlan 2, you can add a vlan as a montior source, but they still won't go via the trunk because as you have already stated, they are not added as an allowed vlan on the trunk port.

Shouldn't I atleast see Vlan 3 then?

Should I add Vlan2 to the allwo list evern though it's not needed and won't make any difference, but is there a chance if it add the tags then.

Or best leave as it is?

Don't add vlan 2 to the trunk as it's not needed, if traffic for vlan 3 is passing the trunk interface and vlan 3 is not native you should see tagged in the capture.

I think Vlan 1 is native on mine.

It seems no port will show Vlan info apart from the trunks. I just tried it on others in different vlans.