I'm trying to configure SPAN on my Cisco Catalyst 3560 in order to be able to mirror traffic from one port to another.
To summarize, the mirroring is not working. I'm able to test if SPAN is working by checking the traffic on the network cards and by trying our monitoring software (Websense) which is supposed to work if SPAN is operational.
Please find attached the important parts of the configuration.
PS - The monitoring software worked just fine when I replaced the switch with a dumb hub, so I figured out that the problem is definitely originating from the Cisco and its SPAN configuration.
Please note that the setup of the network cards is correct, but the interesting thing is that even though the configuration of SPAN is done on the FastEthernet interfaces, the network cards which are connected to ports 36 and 46 are both showing a speed of 1Gbps under the network connection properties. I'm not sure if that could be a part of the problem.
I tried to manually set the network cards to operate at 100Mbps or 10Mbps but that didn't work for me either.
Another interesting point: On another Cisco switch in a different office, I went through the same configuration and SPAN worked just fine and the network cards were showing a speed of 100Mbps.
I would really appreciate your help.
Thank you in advance.
Your logs and outputs do not indicate a problem on the switch side. Also, you have observed the same configuration on a different site, which has worked.
It seems like a problem with the NICs. Did you try to use the latest drivers for the NICs? Are those the same NICs that you have successfully configured a SPAN session with on a different site? If you do use the same cards and the latest software, I recommend replacing the NICs or opening a case with the manufacturer of the NICs.
On both ports, configure speed and duplex
and also configure the NICs for 100 full.
For some reason auto-negotiation fails, and you need to hardcode speed and duplex on both ends of each link.
This is part of the problem: if layer 1 (physical) doesn't match, the switch may not understand traffic on the source port and cannot replicate it on the SPAN destination port.
Also, GE over RJ-45 uses all 4 pairs while FE uses only two pairs (wires 1,2 and 3,6),
so a port at 1Gbps cannot be understood by someone looking only at 2-pair signals.
Hope to help
Thank you for your answer.
Unfortunately, that didn't work for me. I set the interfaces' speed and mode on the Cisco switch to 100/Full as advised. I also configured the network cards to 100/Full.
I also set the firewall's internal interface (which is the source of the SPAN) to operate at 100/Full.
The properties of the network connections now show 100Mbps but still no traffic at all on the monitoring network card (which is put in stealth mode of course).
Any other solutions please? I can't figure out what could be causing this problem.
Your help is much appreciated.
Hi Raymond,
You have configured both the source port and the destination port to be placed in VLAN 1. Also, you are using VLAN 1 as an SVI with the IP address ip address 172.16.20.1 255.255.0.0.
The SPAN session will not come up unless the L2 VLAN or the physical port is up. By using VLAN 1 as a VLAN and an SVI, the SPAN session might be experiencing problems.
Can you try to put the source port in a different VLAN?
Thank you for your reply.
I created Vlan2 and I put the source port to that Vlan but it didn't work. I then tried putting both the source and destination ports to Vlan2 but also no luck.
Please find attached the updated configuration.
Any other possible causes for this problem? This is really one of the weirdest problems I have ever experienced with a Cisco switch!
Your help is much appreciated and thanks again.
I used the same config in my lab; it works without a problem. This leaves open the question of NIC and switch compatibility.
What do you see in the output of show interface fas 0/36 and show interface fas 0/46? What does the log output show when you disconnect / connect these ports?
Also, if available, I would suggest changing the ports from fas 0/36 and fas 0/46 to other unused ports and configuring the SPAN session again.
Please find attached the output of the commands:
show interface fa 0/36
show interface fa 0/46
When I disabled the network card connected to fa0/46, the output of show interface fa 0/46 didn't change.
Both network cards are:
D-Link DGE-530T V.B1 Gigabit Ethernet Adapter
Please note that I have already tried to change the ports from 0/36 and 0/46 but that didn't work either.
Do you think that the problem is a compatibility issue with the network cards? Can we say that for sure?
What should be my next step? Is it replacing the network cards with another model, or maybe you can point to another type of fix that would solve the problem?
I appreciate your help.
I wouldn't keep the port settings at 100/half; change it to 100 full. Then, if need be, I would stick a sniffer on there to see if you are getting traffic or not; if so, then I would suspect a NIC problem. I have never seen a problem with SPAN working on the Cisco end. Everything else looks fine and in the state it should be in. I would also be suspicious if your NIC says the speed is something other than what the port settings say when you issue a show interface status command. Also, the destination port will always show down/down in a SPAN session, with it also saying "monitoring", which it does. This is normal, and you will not see any interface state change when plugging things in and out until you remove the SPAN session.
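The checks suggested in the replies above (no half duplex, NIC speed agreeing with the switch port, destination port in the "monitoring" state), as an added example that is not part of the thread: a Python script that runs them over `show interfaces status` output so a silent monitoring sensor is noticed early. The sample output, the port description and the NIC speeds are constructed, and treating Fa0/36 as the SPAN source and Fa0/46 as the destination is an assumption.

```python
import re

# Constructed sample of `show interfaces status` output (not the thread's attachment).
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/36    firewall-inside    connected    1          a-half  a-100 10/100BaseTX
Fa0/46                       monitoring   1            full    100 10/100BaseTX
"""
# Link speed (Mb/s) that each attached device reports; constructed values.
SAMPLE_NIC_SPEED = {"Fa0/36": 100, "Fa0/46": 1000}

ROW = re.compile(
    r"^(?P<port>(?:Fa|Gi)\S+)\s+(?P<name>.*?)\s*"
    r"(?P<status>connected|notconnect|monitoring|disabled|err-disabled)\s+"
    r"(?P<vlan>\S+)\s+(?P<duplex>\S+)\s+(?P<speed>\S+)\s+(?P<type>.+)$"
)

def parse_status(text):
    """Return {port: row fields} for every interface row in the output."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.rstrip())
        if m:
            rows[m["port"]] = m.groupdict()
    return rows

def switch_speed(field):
    """'a-100' (negotiated) or '100' (hardcoded) -> 100; 'auto' -> None."""
    digits = field.removeprefix("a-")
    return int(digits) if digits.isdigit() else None

def check_span(status_text, source, destination, nic_speed):
    """Return (port, finding) pairs for a SPAN source/destination pair."""
    rows = parse_status(status_text)
    # A SPAN destination is expected to show 'monitoring', not 'connected'.
    expected = {source: "connected", destination: "monitoring"}
    findings = []
    for port, want in expected.items():
        row = rows.get(port)
        if row is None:
            findings.append((port, "not-in-output"))
            continue
        if row["status"] != want:
            findings.append((port, "status-" + row["status"]))
        if row["duplex"].endswith("half"):
            findings.append((port, "half-duplex"))
        sw = switch_speed(row["speed"])
        if port in nic_speed and sw != nic_speed[port]:
            findings.append((port, "speed-mismatch"))
    return findings
```

On the constructed sample it flags the half-duplex source port and the destination NIC that reports 1000 Mb/s on a 100 Mb/s port, while accepting "monitoring" as the normal destination state.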