I have a scenario where the copied traffic of a SPAN setup is overloading a device on the span port. Most of the traffic in reality is not wanted anyway, is there a way to filter the traffic getting copied to the SPAN port?
Something like this
G1/0/1 ---> SPAN ---(ACL)---> 1/0/20
Dont know about creating an ACL for the SPAN if your using wireshark use capture filters so the NIC only looks for relevant data.
Or are you filtering from a busy vlan to a 100mb client?
Bit of a long story here Matt but that avenue is not optional here, i need to filter before the capture device. Thanks for the idea though
try applying a normal router acl to the destination span port. just make sure you apply it in the appropriate direction.
I've never done this so I can't say for sure if it will work. It would also help to know the platform/IOS rev in question.
I am attempting this on 3750 and/or 2960 both are at 12.2.35.
With SPAN port, it seems only the IN keyword is allowed when applying the ACL, in any case, this was what i tried first, but made no difference.
Never tried it on a 3750 but this works well on a 6500 - setup a rspan session locally, apply an vlan acl (vacl) to the rspan destination vlan - then you have very granular control over the traffic sent to the destination port. This link describes the technique on a 6500:
I have a need to apply some filtering on an RSPAN this week on a 3750. I got this from a Cisco engineer with my current case.
vasmdf-dr-001(config)#monitor session 1 filter ip access-group ?
<1-199> IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
WORD Access-list name
1. use span with filter:
ip access-list e voice-record
permit udp any range any range
monitor session 1 filter ip access-group voice-record
Hope this helps. Jon
WHat version of IOS are they using. Mine only gives the vlan option, not the one you mentioned.
INBOUND1(config)#monitor session 2 filter ?
vlan SPAN filter VLAN
I hope it is that easy ;)
For troubleshooting my particular issue I upgraded to 12.2(46)SE. We are running the IP services image.
Upgraded but no joy, i now get a % FSPAN can not be supported on
% GigabitEthernet1/0/1 error
I checked some more on CCO only to find that FSPAN is only linked to 3750E, so i assume then that 3750 cannot enable FSPAN (Flow based Span).
Any other ideas for 3750?