Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

SPAN on 6509 to allow ingress traffic (access port)

I have a Cisco 6509 with a Sup720 and running IOS version 12.2. I'm trying to set up a SPAN port to allow traffic going in. I need to setup a packet sniffer but at the same time allow the sniffer computer to go out to the internet.

According to "SPAN destination ports drop ingress traffic"

Any ideas or recommendations? I need to set this up for a SurfControl server.


Hall of Fame Super Bronze

Re: SPAN on 6509 to allow ingress traffic (access port)

You can't have both. The port where this device is connected (the sniffer computer) will be up/down (monitoring) state.

Ideally, you shouldn't be using the sniffer device for other type of traffic.

One suggestion would be adding a second NIC on the device for this type of traffic.

Re: SPAN on 6509 to allow ingress traffic (access port)

Edison's suggestion is right - really you should not allow ingress traffic fro a capture device, adding a second NIC is FAR prefereable.

I am not sure it is present in all versions and across all platforms, but look at the monitor conmmand where you set the destination - there is normally an ingress keyword there that will allow it.

You mention this is for a surf control server - if so I am not convinced that a span port is what you want, as SPAN would duplicate traffic to the server. I am not familiar with surf control, but I strngly suspect what you want is to *divert* the traffic through surf control.

There are a couple of ways you may be able to achieve that.

Policy based routing means you can set up rules on the routing engine that say "from insidem destination port 80, forward to surfcontrol, from outside, source port 80, forward to surfcontrol.

You could investigate if sorfcontrol will participate in WCCP and use that, though I doubt it.

You could possibly set up DNS to refer all web traffic to surf control.

Depending upon the capabilities of the box, you may even be able to consider putting he surfcontrol in line with traffic, though that may have implications for the rest of your traffic.

You may even be able to do it by getting users to set the surfcontrol box as a proxy, and dropping http traffic that tries to go direct.

New Member

Re: SPAN on 6509 to allow ingress traffic (access port)

What I had to do was install a separate switch (C2950-24) with only 3 ports used. One from the 6509, one for the pix and the other for the SurfControl box. I am using the following command on that box to give me what I need.

monitor session 1 source interface Fa0/1

monitor session 1 destination interface Fa0/24 ingress vlan 1

I'm not too sure how the SurfControl box works, but I've seen it used in a couple of places, and basically all traffic is simply sniffed, then when it finds a packet that wants to be directed to let's say it intercepts that message and replies with its own html message, and terminates the session. Personally, I prefer an inline filter, but this is what we have.

Any other way to workaround this? I can't direct all traffic to the SurfControl box because it won't route, I have to sniff packets, and allow SurfControl to talk to the network.

I was just working with an AP recently, is their any way to create a BVI port on the 6509?