CISCO SPAN IMPLEMENTATION

Can someone help me with a SPAN implementation? We got a new box from Alert Logic that monitors the traffic and informs us of vulnerabilities in the network. They want us to create a SPAN port and connect it to their device. We have a core switch which has the following VLANs: 10, 20, 30, 40, 50, 60, 70. There are also edge switches which go to the floor (trunk), where users are connected. There is a lab connection which is on VLAN 80 (192.168.1.1), but the lab has a different subnet (10.100.x.x). We don’t have RSPAN and are not planning one. I would like to know the best way to implement it.

Also, I would like to know whether the SPAN configuration below for VLANs will pass traffic from the edge switches without any change on the edge switches (most edge switches are Extreme).

How can the routed traffic from the lab (e.g. lab traffic 10.100.x.x) via VLAN 80 be monitored?

CORE ----> LAB
  |
Edge Switches

monitor session 1 source vlan 10,20,30,40,50,60,70
core(config)# monitor session 1 source vlan 12,14,16,18,20
! Core
core(config)# monitor session 1 destination interface Gi6/48

or

! Core trunk connected to LAB
core(config)# monitor session 1 source interface Gi1/1
! Core trunk connected to EDGE SWITCH 1
core(config)# monitor session 1 source interface Gi1/2
! Core trunk connected to EDGE SWITCH 2
core(config)# monitor session 1 source interface Gi1/13
core(config)# monitor session 1 filter vlan 10,20,30,40,50,60,70,80,90
! Core
core(config)# monitor session 1 destination interface Gi6/48
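
An added example, not part of the original posts: a small Python check that parses monitor session lines and lists which of the VLANs you expect to monitor are not named in the session's VLAN source list or filter list. The two sample configurations are constructed from the options in the post above (using its first VLAN source list), and the function names are this example's own.

```python
import re

# Matches the four SPAN commands used in this thread; a trailing rx/tx/both is ignored.
CMD = re.compile(
    r"monitor session (\d+) (source vlan|source interface|filter vlan|"
    r"destination interface)\s+(.+?)(?:\s+(?:rx|tx|both))?\s*$", re.I)

def expand_vlans(spec):
    """Expand an IOS-style VLAN list such as '10 , 20 - 22,30' into a set of ints."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_sessions(config):
    """Return {session_id: {'src_vlans', 'src_ifs', 'filter', 'dst'}} from config text."""
    sessions = {}
    for line in config.splitlines():
        m = CMD.search(line)
        if not m:
            continue  # '!' comment lines and unrelated commands
        kind, arg = m.group(2).lower(), m.group(3)
        s = sessions.setdefault(int(m.group(1)), {
            "src_vlans": set(), "src_ifs": [], "filter": set(), "dst": []})
        if kind == "source vlan":
            s["src_vlans"] |= expand_vlans(arg)
        elif kind == "filter vlan":
            s["filter"] |= expand_vlans(arg)
        elif kind == "source interface":
            s["src_ifs"] += [p.strip() for p in arg.split(",")]
        else:
            s["dst"].append(arg)
    return sessions

def unlisted_vlans(session, expected):
    """VLANs in `expected` named in neither the VLAN source list nor the filter
    list. Unfiltered interface sources name no VLANs, so nothing is reported."""
    named = session["src_vlans"] or session["filter"]
    return set(expected) - named if named else set()

# Constructed samples based on the two options in the post.
OPTION_VLAN = """core(config)# monitor session 1 source vlan 10,20,30,40,50,60,70
core(config)# monitor session 1 destination interface Gi6/48"""
OPTION_TRUNK = """core(config)# monitor session 1 source interface Gi1/1 , Gi1/2 , Gi1/13
core(config)# monitor session 1 filter vlan 10,20,30,40,50,60,70,80,90
core(config)# monitor session 1 destination interface Gi6/48"""
EXPECTED = {10, 20, 30, 40, 50, 60, 70, 80}  # VLAN 80 is the lab connection
```

Calling unlisted_vlans(parse_sessions(OPTION_VLAN)[1], EXPECTED) shows that the VLAN-based option does not name VLAN 80, while the trunk option with the filter list does.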

2 REPLIES

I think the second solution is better because that way you don't put extra traffic on the trunk links. Otherwise you would double the traffic sent on your trunk links.

However I'm not sure what's connected to Gi6/48. Is that the sniffer?

Daniel Dib
CCIE #37149


Thanks, Daniel, for the reply. G 6/48 is the port that will be connected to the Alert Logic box, which sniffs the traffic.

What if I do the below instead of the trunk ports?

The core switch has a connection to the Internet on G 5/1, 5/2, access ports (VLAN 20)

MPLS1 connection to Global site - G 5/3 (access port, VLAN 10)

MPLS connection to Global - G 5/4 (access port, VLAN 10)

Lab connection - G 5/5

! To Internet - access ports
core(config)# monitor session 1 source interface Gi5/1 , Gi5/2
! Access port to MPLS
core(config)# monitor session 1 source interface Gi5/3
! Access port to MPLS 2
core(config)# monitor session 1 source interface Gi5/4
! Access port to LAB
core(config)# monitor session 1 source interface Gi5/5
! Core
core(config)# monitor session 1 destination interface Gi6/48
