Re: How many Span ports on a Cisco 3750

whiteford · ‎02-26-2009

Hello,

I am running 2 span sessions on my Cisco 3750:

monitor session 1 source interface fastethernet 1/0/3

monitor session 1 destination interface fastethernet 1/0/6

monitor session 2 source interface fastethernet 1/0/3 , 1/0/9

monitor session 2 destination interface fastethernet 1/0/48 encapsulation replicate

Now I want to add more source ports to session 2 is this OK to do?

Currently it is monitoring the inside and outside of our firwall VLANS 1/0/3 and 1/0/9, I have a few other VLAN's on the 3750 that I would like to span to port 48 which is where our packet capture server is (Observer).

Roberto Salazar · ‎02-26-2009

Now I want to add more source ports to session 2 is this OK to do?

Currently it is monitoring the inside and outside of our firwall VLANS 1/0/3 and 1/0/9, I have a few other VLAN's on the 3750 that I would like to span to port 48 which is where our packet capture server is (Observer).

Per Span configuration guide statement, the answer is yes, you can add as much as interfaces available on that switch to the session 2.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swspan.html#wp1044603

The switch supports any number of source ports (up to the maximum number of available ports on the switch) and any number of source VLANs (up to the maximum number of VLANs supported). However, the switch supports a maximum of two sessions (local or RSPAN) with source ports or VLANs, and you cannot mix ports and VLANs in a single session.

whiteford · ‎02-26-2009

Thanks,

How can I get the VLAN tags to show up in the packet capture software, should the "Encapsulation replicate" do this?

Roberto Salazar · ‎02-26-2009

Yes, "encapsulation replicate" should send tagged packets on destination port but the destination port should have the same encap as source, see below.

The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP). However, when you enter the encapsulation replicate keywords when configuring a destination port, these changes occur:

â€¢Packets are sent on the destination port with the same encapsulation-untagged, Inter-Switch Link (ISL), or IEEE 802.1Q-that they had on the source port.

â€¢Packets of all types, including BPDU and Layer 2 protocol packets, are monitored.

Therefore, a local SPAN session with encapsulation replicate enabled can have a mixture of untagged, ISL, and IEEE 802.1Q tagged packets appear on the destination port.

whiteford · ‎02-26-2009

Thanks, how should I have my destination port setup?

All I have for the packet capture NIC is something like:

"interface fastethernet 1/0/48"

No vlan is in it, it is completely empty etc, the NIC has no IP too, not even sure it should be half/full duplex, or any encapsualtion/trunk/vlan added to it?

Roberto Salazar · ‎02-26-2009

"Packets are sent on the destination port with the same encapsulation-untagged, Inter-Switch Link (ISL), or IEEE 802.1Q-that they had on the source port."

If source is dot1q trunk, then destination should be dot1q trunk.

makes sense?

whiteford · ‎02-26-2009

int fas1/0/1 is my trunk port and it's dot1q

source ports are in vlan 2 and 3, so these must be dot1q

int fas1/0/48 has no settings on the port, are you suggesting I make this interface a trunk dot1q interface aswell?

Yudong Wu · ‎02-26-2009

Based on config guide, the answer is YES.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swspan.html#wp1207676

"For SPAN sources, you can monitor traffic for a single port or VLAN or a series or range of ports or VLANs for each session. You cannot mix source ports and source VLANs within a single SPAN session. "