Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
507
Views
0
Helpful
4
Replies

VLAN SPAN

AlelA
Level 1
Level 1

‎12-06-2002 07:27 AM - edited ‎03-09-2019 01:18 AM

Cisco says:

"A source VLAN is a VLAN monitored for network traffic analysis. VLAN-based SPAN (VSPAN) uses a VLAN as the SPAN source. All the ports in the source VLANs become source ports. "

Is this true even if the ports are located on different switches?

I have ports belonging to the same VLAN scattered over 4 switches.

If I set this VLAN as the SPAN source , will I be able to monitor traffic of all the ports belonging to this VLAN even if they are located on different switches?

chears!

Labels:
0 Helpful
4 Replies 4

marcabal
Cisco Employee
Cisco Employee

‎12-06-2002 09:31 AM

No

All the ports in the source VLAN on this one switch become source ports.

This includes both your standard Access ports for that VLan, as well as traffic on that Vlan that is being sent in/out of Trunk ports carrying that Vlan.

Let's say you have machine A in vlan 10 connected to switch 1.

Switch 1 s connected to switch 2 with a trunk port carrying multiple vlans including 10.

Machines B and C are connected to switch 2 in vlan 10.

I do a Span of "rx" traffic for vlan 10 within switch 1.

If machine A talks to machine B (or machine C)

Then the packets from A will be received in vlan 10 on switch 1 and will be spanned (they will then be sent through the trunk to switch 2 an machine B).

The packets from machine B (or C) back to A will come in on vlan 10 in switch 2 (no span yet), and then sent through the trunk into switch 1. When they come in the trunk they are now received on vlan 10 in switch 1 so they will be spanned (they will then be sent to machine A.)

But for packets from machine B to C, all of the packets go into and back out of switch 2, so they will never be seen by the Span in switch 1.

So what are your options:

1) Use 2 sensors, one monitoring switch 1 span traffic, and the other monitoring switch 2 span traffic.

2) Instead of using a local Span, you can use RSpan (Remote Span) if your switches support it.

With Rspan it is like designating a Span in switch 1 and an additonal Span in switch 2. Instead of having a single destination port for each rspan, the rspan actually has a destination vlan. This destination vlan is a special vlan that carries the span traffic. You then setup the sensor port as a member/destination for this rspan vlan. The switches can then transmit "rspan" traffic on this rspan vlan between the switches so a single sensor can monitor both. The trunk between the switches must trunk this special rspan for this to all work.

0 Helpful

AlelA
Level 1
Level 1
In response to marcabal

‎12-09-2002 01:05 AM

Thanks for your answer...

Just another tip...

How many ports can I monitor in a single SPAN session on Catalyst 6500?

Is there any limitation in the number of ports monitored?

Chears

Ale

0 Helpful

marcabal
Cisco Employee
Cisco Employee
In response to AlelA

‎12-09-2002 01:52 AM

I don't know if there is a limit.

If someone else on this forum knows, then please respond.

Otherwise try reading through the Cat 6K documentation or contact the TAC.

Marco

0 Helpful

basicitone
Level 1
Level 1
In response to AlelA

‎01-23-2003 12:27 PM

The only limit that I know of is bandwidth and drop packet tolerance. I have had as many as 96 source ports configured before I discovered vlan sourcing then i saw how many dropped packets becuase of over taxing the ids. solution more sensors

0 Helpful
Customers Also Viewed These Support Documents