×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

SPAN on 2950's

Unanswered Question
Mar 21st, 2003
User Badges:

I'm wanting to monitor incoming and outgoing traffic and am having some trouble.


Both the port needing to be monitored port(source) and the port w/ the sniffer on it(destination) are on the same vlan on a 2950-48. After reading up on SPAN and having done something similar on a 1900 and 2924 switch I configured SPAN with the following commands:


monitor session 1 source interface FastEthernet0/4

monitor session 1 destination interface FastEthernet0/7


Afterwards the sniffer on fa0/7 was down. Only after I read the below url


http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a0080150bca.html#1036749


Did I find that destination SPAN ports can't forward normal traffic - so basically if you have a sniffer/traffic analizer on that port you loose the ability to communication w/ that device remotely.


Is it just me or is that totally unacceptable.........


On the trusty 2924 you'd just configure a monitor port like so..


conf t

inter fa0/7

port monitor FastEthernet0/4


then all traffic going in or out of fa0/4 would be forwarded to fa0/7 AND you'd be able to communicate with the device on fa0/7.


What happened that this isn't allowed anymore??? I need remote access to this traffic analizer while its doing its job. However I can't do that w/ my 2950-48 but I could do the job with the older 2924?


What gives??? This seems like a step backwards to me...

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
t.baranski Sat, 03/22/2003 - 14:46
User Badges:
  • Bronze, 100 points or more

While it's always good to have options, I'll note that it's generally best practice to put a sniffing interface in "stealth mode" (i.e., no IP address) and use a second interface on the sniffing device as the admin interface (with an IP address, connected to another port on the same switch). This prevents your TELNET/SSH/VNC/etc connection from being slowed down (or maybe stopped altogether) when the amount of traffic flowing through the SPAN port is high

Actions

This Discussion