cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1978
Views
0
Helpful
8
Replies

SPAN Monitoring traffic on a VLAN

Richard Lucht
Level 1
Level 1

We have a VLAN for QA, the gateway is a CISCO 2811 router.  We want to set up a monitor on a switch to replicate all data that goes across this VLAN.  We set up a SPAN with the source as the VLAN and a destination is an interface on the switch.  We are only getting broadcast messages.  I want all traffic from this VLAN to go to our monitor on a CISCO interface.  What would I need to make all of this work?

 

Here is what we have on the CISCO Switch.

 

4700-SR-B1B#sh monitor session all
Session 1
---------
Type              : Local Session
Source VLANs      :
    Both          : 871
Destination Ports : Fa0/46
    Encapsulation : Replicate
          Ingress : Disabled

 

8 Replies 8

LJ Gabrillo
Level 5
Level 5

 

Try this:

#conf t

#monitor session 1 source vlan <desired vlan ID>
#monitor session 1 destination interface f0/46          -your sniffer device here

 

and in your "show command i dont see any source configured

That is the command I ran, 871 is the VLAN I am using as the source.  I tried it again and the output on the show is the same.

Guessing you are using wireshark?

Try disabling your firewall, it may be blocking traffic

Anyway, if it still does not work, best solution is to monitor the port going to the router itself

#monitor session 1 source interface <port to router>
#monitor session 1 destination interface f0/46          -your sniffer device here


In your wireshark, you can use filters to filter out unnecessary networks, or show only desired network

Its not Wireshark, I am not sure what they set up.  the destination port is also in the same VLAN as the source we want to monitor.  Will that work?  There is no firewall.

Well, first of all, whatever vlan that port is (destination) it does not matter

Anyway, I think you better consult the people on whatever device you have placed there considering you are "not sure what they set up" w/c I recommend you should know first.

That device may not support sniffing, but rather WCCP.

 

Let assume that it does use sniffing and considering that is a device, whatever that is, there should be a way to filter out traffic, or exclude traffic to whatever the purpose that device is.

consult your installer/contractor about that.

Thanks, it is Wireshark.  All they are seeing is broadcast messages.

Well do my recommendation as above :))

#monitor session 1 source interface <port to router>
#monitor session 1 destination interface f0/46          -your sniffer device here

Again use wireshark filters to filter out unneeded traffic, or display only desired traffic.
The "how to filter" in wireshark, pretty simple just there is a big "filter" once you start capturing.

Thanks, I will work on this a for a while and let you know.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: