Is it possible to filter SPAN traffic?

alanwright1
Level 1

Hi,

I have a scenario where the copied traffic of a SPAN setup is overloading a device on the SPAN port. Most of the traffic in reality is not wanted anyway. Is there a way to filter the traffic getting copied to the SPAN port?

Something like this

G1/0/1 ---> SPAN ---(ACL)---> 1/0/20

TIA

Alan

9 Replies

mattwilsonuk
Level 1

Don't know about creating an ACL for the SPAN. If you're using Wireshark, use capture filters so the NIC only looks for relevant data.

Or are you filtering from a busy vlan to a 100mb client?

Matt

Bit of a long story here, Matt, but that avenue is not optional here; I need to filter before the capture device. Thanks for the idea though.

Try applying a normal router ACL to the destination SPAN port. Just make sure you apply it in the appropriate direction.

I've never done this so I can't say for sure if it will work. It would also help to know the platform/IOS rev in question.

Hi,

I am attempting this on 3750 and/or 2960; both are at 12.2.35.

With a SPAN port, it seems only the IN keyword is allowed when applying the ACL. In any case, this was what I tried first, but it made no difference.

Never tried it on a 3750, but this works well on a 6500: set up an RSPAN session locally and apply a VLAN ACL (VACL) to the RSPAN destination VLAN. Then you have very granular control over the traffic sent to the destination port. This link describes the technique on a 6500:

https://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008017b753.shtml

I have a need to apply some filtering on an RSPAN this week on a 3750. I got this from a Cisco engineer with my current case.

vasmdf-dr-001(config)#monitor session 1 filter ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name

Example.

1. Use SPAN with filter:

ip access-list e voice-record
 permit udp any range any range
monitor session 1 filter ip access-group voice-record

Hope this helps. Jon
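
A complete local SPAN session built around the filter keyword from the post above, as an added example (not part of the original thread and not Cisco's own configuration). It assumes a switch and IOS release that accept `monitor session ... filter ip access-group`, reuses the interface numbers from the original question, and uses a constructed UDP port range for the voice traffic.

```cisco
! Added example. Interfaces come from the original question.
! The UDP range 16384-32767 is a constructed value; replace it with
! the ports your voice traffic actually uses.
!
! Only packets permitted by this ACL are copied to the SPAN
! destination. Everything else hits the implicit deny and is not
! copied. The ACL has no effect on how the original traffic is
! forwarded.
ip access-list extended voice-record
 permit udp any any range 16384 32767
!
! Mirror both directions of the source port to the capture device.
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/20
!
! Attach the ACL to the session so the copy is filtered on the
! switch, before it reaches the capture device.
monitor session 1 filter ip access-group voice-record
!
! Review the session afterwards with:
! show monitor session 1
```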

Hi Jon,

What version of IOS are they using? Mine only gives the vlan option, not the one you mentioned.

INBOUND1(config)#monitor session 2 filter ?
  vlan  SPAN filter VLAN

I hope it is that easy ;)

Hi Alan,

For troubleshooting my particular issue I upgraded to 12.2(46)SE. We are running the IP services image.

c3750-advipservicesk9-mz.122-46.SE.bin

Jon

Hi Jon,

Upgraded but no joy, I now get a % FSPAN can not be supported on

% GigabitEthernet1/0/1 error

I checked some more on CCO only to find that FSPAN is only linked to 3750E, so I assume then that 3750 cannot enable FSPAN (Flow based Span).

Any other ideas for 3750?
