Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
486
Views
5
Helpful
2
Replies

6509 RSAN ingress/egress point clarification

wilson_1234_2
Level 3
Level 3

‎07-13-2009 04:48 AM - edited ‎03-06-2019 06:43 AM

This was answered in a previous posting, but I am unclear on the answer,

According to Cisco documentation:

"Monitored Traffic Direction

You can configure local SPAN sessions, RSPAN source sessions, and ERSPAN source sessions to monitor ingress traffic (called ingress SPAN), or to monitor egress traffic (called egress SPAN), or to monitor traffic flowing in both directions.

Ingress SPAN copies traffic received by the source ports and VLANs for analysis at the destination port. Egress SPAN copies traffic transmitted from the source ports and VLANs. When you enter the both keyword, SPAN copies the traffic received and transmitted by the source ports and VLANs to the destination port."

I can understand how either direction of traffic on a single port is mirrored to the destination port.

But if you have a layer three switch and you desiginate the direction of traffic like so:

monitor session 1 source vlan 2-20 rx

monitor session 1 destination interface Gi1/1

Is the traffic mirrored from the layer 2 vlan or the SVI of the vlan on the switch?

If it is the layer 2 vlan, what is considered the "rx" direction point of the layer 2 vlan?

Is the inbound traffic to each individual port in vlans 2-20 mirrored to Gi1/1?

If it is the SVI of the vlan, would the mirrored traffic be the traffic received on the SVI from the devices in the vlan using the SVI as a default gateway?

Labels:
0 Helpful
2 Replies 2

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎07-14-2009 05:20 AM

Hello Richard,

your understanding is correct or at least I share your ideas on this:

>> Is the traffic mirrored from the layer 2 vlan or the SVI of the vlan on the switch?

layer2 broadcast domain

>> Is the inbound traffic to each individual port in vlans 2-20 mirrored to Gi1/1?

yes

when using both you can see multiple copies of each frame on the sniffer trace: one copy as the frame is received on port x and one copy as frame is sent out port y in the same vlan

inter-vlan routing should appear once per vlan but if the packet is sent from vlan2 to vlan3 again you can see two different ethernet frames that actually carry the same IP packet inside (after the packet rewrite)

Hope to help

Giuseppe

wilson_1234_2
Level 3
Level 3
In response to Giuseppe Larosa

‎07-14-2009 05:52 AM

Thanks Guiseppe:

"inter-vlan routing should appear once per vlan but if the packet is sent from vlan2 to vlan3"

Sorry, but I am still not clear in the Vlan Interface tie in.

Wouldn't vlan2 sent to vlan3 be inter vlan routing?

So, are you saying a packet could show up three times when using "both"?:

1 time when leaving interface vlan2

1 time when leaving vlan2 port

1 time when entering vlan3 port

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card