SPAN Configuration For Websense

Unanswered Question
Jul 4th, 2012
User Badges:

Hi,


I have configured SPAN in cisco 3750 switch as below mentioned. but the destination port protocol is down.Please help on this.


Network Diagram:




switch(config)#monitor session 1 source interface gigabitethernet1/0/1
switch(config)#monitor session 1 destination interface gigabitethernet1/0/11 ingress vlan 1

Switch#show int gi1/0/11

GigabitEthernet1/0/11 is up, line protocol is down (monitoring)

  Hardware is Gigabit Ethernet, address is 0021.1c1d.bf8b (bia 0021.1c1d.bf8b)

    MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,

     reliability 255/255, txload 1/255, rxload 1/255


Thanks,

Karthik

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Giuseppe Larosa Wed, 07/04/2012 - 01:30
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Karthik,

what you see is normal the SPAN destination port is considered up/down monitoring, but this does not mean that SPAN will not work.


I see that you may want to use in someway the destination port for the optional command ingress vlan1. It should be possible with the correct optional commands. You should be able to use the destination port for vlan1 in addition to receiving on the port the mirrored traffic.


Hope to help

Giuseppe

Diego Maciel Gomes Mon, 09/10/2012 - 21:35
User Badges:

Hello


I have the same doubt... but, look:


I have the port of my Firewall in Vlan 11 and this port I did the source, like below:

monitor session 1 source interface Gi1/0/11


I have the port of my Websense Network Agent in Vlan 101 and this port receive destination, like below:

monitor session 1 destination interface Gi1/0/12 ingress untagged vlan 11


Look. I put the vlan 11 = Vlan of my firewall like ingress on the interface of Websense.


So, I can not ping the IP of my Websense Network Agent. Im pinging from vlan 101 to 101, ok? The same subnet.


My inside interface of firewall has ip 10.11.1.X/24 and my interface websense network agent has 172.19.4.XXX/24


Is it a problem??? Interfaces with differents IPs and VLANs????


Thanks anyway,


Diego

srikanth ath Mon, 09/10/2012 - 22:26
User Badges:

Hi Diego,


Refer below for the SPAN session example. and provide us the output for the span session you have created as

#sh monitor session 1.


As Line Protocol is down: can you check with duplex settings for the interface conneccted to firewall.

as many of the firewall comes with the fast ethernet link and it is connected to gigabit port of the switch (so set port  speed of the switch to 100mbps, then shut and no shut command under the interface).


Do remember to enable IP routing on the switch and provide #sh IP route on the switch


example to set SPAN :


C2950#

configure terminal


C2950(config)#

C2950(config)#

monitor session 1 source interface gig 1/0/1


!--- This configures interface gig 1/01/1 as source port.


C2950(config)#

monitor session 1 destination interface gig 1/0/11



!--- This configures interface gig 1/01/11 as destination port.



Hope this helps you,


Thanks,

srikanth

ossalman Mon, 09/10/2012 - 23:05
User Badges:
  • Cisco Employee,

hi Karthik,

SPAN Destination Port Up/Down


When ports are spanned for monitoring, the port state shows as UP/DOWN.


When you configure a SPAN session to monitor the port, the  destination interface shows the state down (monitoring), by design. The  interface shows the port in this state in order to make it evident that  the port is currently not usable as a production port. The port as  up/down monitoring is normal.



for more info:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#topic8-8


hope this helps,

thanks,

/Osama

Diego Maciel Gomes Tue, 09/11/2012 - 06:22
User Badges:

Hello


#

Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi1/0/11
Destination Ports      : Gi1/0/12
    Encapsulation      : Native
          Ingress      : Enabled, default VLAN = 11
    Ingress encap      : Untagged

---------------------------------------------------------------------------


Ok, by design it shows state down...


But, Should I ping the interface showing down?? Because I can't.


My config:


monitor session 1 source interface Gi1/0/11

monitor session 1 destination interface Gi1/0/12 ingress untagged vlan 11


Gi11 is member of vlan 11

Gi12 is member of vlan 101


So, is this config above correct???

Iker Santamaria... Tue, 09/11/2012 - 09:30
User Badges:

Hello Diego,

is the destination of your span, Gi1/0/12 interface?


Is this interface that connects the server to LAN?


If that is so, then it is imposible that the server respons to ping on that interface because it is on "monitoring mode".


Regards.

Attachment: 
Diego Maciel Gomes Tue, 09/11/2012 - 12:06
User Badges:

Hi


Gi11 = inside of my firewall

Gi12 = int connected on websense network agent.


So Im mirroring firewall int to network agent interface. I guess it is ok...


But the interfaces there are in differentes vlans and subnet... Is it a problem or not?


The int mirrored I put it as ingress of firewall vlan on monitor session configuration?

ossalman Tue, 09/11/2012 - 23:17
User Badges:
  • Cisco Employee,

hello


please just copy/past the following mentioned config to your device this should work:


switch(config)#monitor session 1 source interface gigabitethernet1/0/1
switch(config)#monitor session 1 destination interface  ingress vlan 1

the SPAN destination port should be any interface that is not use on this switch...
so, lets say that there is a port on the switch that is not connected to any device or end host,
then you can use that port as destination SPAN port "where the wireshark should be connected to sniff the transmit and received traffic on port
gigabitethernet1/0/1"...

here is a youtube vedio as practical example:

https://www.youtube.com/watch?v=af4d_fAkwAY&feature=related


hope this helps,
regards
/Osama

Actions

This Discussion

Related Content