I have a windows XP with two NICs in it. I have one NIC connected to a switch (in VLAN 16 with IP 10.10.6.23). The other NIC is connected to the same switch. I set up a monitor session as such:
monitor session 1 source vlan 16
monitor session 1 destination int fa0/6
Fa0/6 is where the 2nd NIC is connected to. Fa0/5 is where the IPd nice is connected to.
I am able to ping the 10.10.6.23 address until I enable the monitoring port. As soon as I bring up that port, I lose all connectivity to the 10.10.6.23 address. Ideas? Both NICs in the XP machine are connected at 100mb Full duplex. Think it is some routing issue on the XP Box?
A destination interface (also called a monitor interface) is a switched or routed interface where SPAN sends packets for analysis. Once an interface becomes an active destination interface, incoming traffic is disabled. You cannot configure a SPAN destination interface to receive ingress traffic. The interface does not forward any traffic except that required for the SPAN session.
An interface specified as a destination interface in one SPAN session cannot be a destination interface for another SPAN session. An interface configured as a destination interface cannot be configured as a source interface. EtherChannel interfaces cannot be SPAN destination interfaces.
Specifying a trunk interface as a SPAN destination interface stops trunking on the interface.
Ryan, I have not yet experienced vlan-base span the way you are doing it which in fact syntax seems correct based on brief reading done, in your monitor session you want to filter vlan 16, mirror the traffic to destination nic fe0/6, so far this seems by the book. Once you bring up the interface your other nic IP stops which has nothing to do with source or dest ports, indeed it is odd and don't have the answer to this one and hope someone may have experience similar and post the explanation, I will lab this out at some point. Do any other hosts in the switch on 10.10.6.0 looses connectivity or is it just the 10.10.6.23?
I would like to suggest though you try the monitoring differently. For example, you may want to use a uplink port and filter vlan 16 in the session, if uplink is a trunk it would be feasable to use it as a source port.
Thanks for the reply. No, it is just this host. I need to access the host remotely via Remote Desktop via the 10.10.6.23 IP so the host can sniff with the un IPd NIC. I like your suggestion on filtering, but the problem with that is that the switch is running L3 software, so it is actually the gateway for that VLAN and there is communication between two servers on that VLAN, which is what I'm interested in capturing.
Also, This problem happens even when the monitor session is not configured, just having the PC connected to the switch with both NICs. I am going to try swapping the NIC that is IPd to see if that makes a difference. Thanks for your reply.
My guess is that you have bpdu-guard enabled on one or other of the ports (probably F0/5 or both) and that you have the internal XP bridge enabled in the PC. The switch is seeing BPDUs that are bridged by th PC, and disabling F0/5. But that is just a guess.
The other guess is again to do with BPDUs and bridging: that you don't have bpdu-guard enabled, but the Spanning Tree is putting F0/5 into blocking because it is seeing briged BPDUs. Againm the solution is to disable the internal XP bridge.
We are pleased to announce availability of Beta software for 16.6.3.
16.6.3 will be the second rebuild on the 16.6 release train targeted
towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are
looking for early feedback from customers befor...
Introduction Featured Speakers Luis Espejel is the Telecommunications
Manager of IENova, an Oil & Gas company. Currently he works with Cisco
IOS® and Cisco IOS XE platforms, and NX to some extent. He has also
worked as a Senior Engineer with the Routing P...
In this session you can learn more about Layer 3 multicast and the best
practices to identify possible threats and take security measures. It
provides an overview of basic multicast, the best security practices for
use of this technology, and recommendati...