Is it possible to filter SPAN traffic?

Unanswered Question
Sep 15th, 2009

Hi,

I have a scenario where the copied traffic of a SPAN setup is overloading a device on the SPAN port. Most of the traffic in reality is not wanted anyway. Is there a way to filter the traffic getting copied to the SPAN port?

Something like this

G1/0/1 ---> SPAN ---(ACL)---> 1/0/20

TIA

Alan

mattwilsonuk Tue, 09/15/2009 - 04:46

Don't know about creating an ACL for the SPAN. If you're using Wireshark, use capture filters so the NIC only looks for relevant data.

Or are you filtering from a busy vlan to a 100mb client?

Matt

alanwright1 Tue, 09/15/2009 - 04:55

Bit of a long story here Matt, but that avenue is not optional here; I need to filter before the capture device. Thanks for the idea though.

srue Tue, 09/15/2009 - 05:35

Try applying a normal router ACL to the destination SPAN port. Just make sure you apply it in the appropriate direction.

I've never done this so I can't say for sure if it will work. It would also help to know the platform/IOS rev in question.

alanwright1 Tue, 09/15/2009 - 05:40

Hi,

I am attempting this on 3750 and/or 2960; both are at 12.2.35.

With the SPAN port, it seems only the IN keyword is allowed when applying the ACL. In any case, this was what I tried first, but it made no difference.

pattyj Tue, 09/15/2009 - 08:31

I have a need to apply some filtering on an RSPAN this week on a 3750. I got this from a Cisco engineer with my current case.

vasmdf-dr-001(config)#monitor session 1 filter ip access-group ?

<1-199> IP access list (standard or extended)

<1300-2699> IP expanded access list (standard or extended)

WORD Access-list name

Example.

1. use span with filter:

ip access-list e voice-record

permit udp any range any range

monitor session 1 filter ip access-group voice-record

Hope this helps. Jon

alanwright1 Tue, 09/15/2009 - 08:48

Hi Jon,

What version of IOS are they using? Mine only gives the vlan option, not the one you mentioned.

INBOUND1(config)#monitor session 2 filter ?

vlan SPAN filter VLAN

I hope it is that easy ;)

pattyj Tue, 09/15/2009 - 08:59

Hi Alan,

For troubleshooting my particular issue I upgraded to 12.2(46)SE. We are running the IP services image.

c3750-advipservicesk9-mz.122-46.SE.bin

Jon

alanwright1 Wed, 09/16/2009 - 04:03

Hi Jon,

Upgraded but no joy, I now get a % FSPAN can not be supported on

% GigabitEthernet1/0/1 error

I checked some more on CCO only to find that FSPAN is only linked to 3750E, so I assume then that 3750 cannot enable FSPAN (Flow based Span).

Any other ideas for 3750?
