Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5678
Views
0
Helpful
3
Replies

Mirror port help on Cisco 3560

whiteford
Level 1
Level 1

‎09-04-2008 11:09 AM - edited ‎03-03-2019 11:25 PM

Hi,

I have a cisco 3560 switch in a remote office where FE 0/1 is the WAN port and the port I need mirrored. We are using a really good bit of software called Observer Suite 12 that analyses all the WAN traffic, however our Observer consultant says the WAN port is not "seeing" much traffic at all and it's as if the mirror isn't setup correct. I have checked with another Cisco guys and he says it's fine. I'm after your thoughts, the Observer consultant said "to work properly we need both duplex streams aggregating to a single outbound stream to the Observer probe on port 2"

Here is part of the config of the Cisco 3560:

interface FastEthernet0/1

no switchport

ip address 172.31.3.2 255.255.255.252

speed 100

duplex full

!

interface FastEthernet0/2

description ***MIRRORED WAN INTERFACE***

speed 100

duplex full

spanning-tree portfast

!

interface FastEthernet0/3

description ***OBSERVER PROBE PC***

speed 100

duplex full

spanning-tree portfast

interface Vlan1

description ***Data Layer 3 Interface***

ip address 172.30.3.1 255.255.255.0

monitor session 1 source interface Fa0/1

monitor session 1 destination interface Fa0/2

Thing is the gateway for all users in this remote office is VLAN 1 - 172.30.3.1, and the servers are at the othe side of the WAN at my HQ, we point everything to the this gateway from the HQ too.

The 172.31.3.2 on FE 0/1 goes to our ISP's BGP/MPLS.

Should we somehow be mirroring VLAN 1 instead?

Labels:
0 Helpful
3 Replies 3

Edison Ortiz
Hall of Fame
Hall of Fame

‎09-04-2008 02:06 PM

Should we somehow be mirroring VLAN 1 instead?

Yes.

Or you can have both Fa0/1 and Vlan 1 as sources.

HTH,

__

Edison.

0 Helpful

whiteford
Level 1
Level 1
In response to Edison Ortiz

‎09-05-2008 12:03 AM

Hi,

I now have:

monitor session 1 source vlan 1

monitor session 1 destination interface Fa0/2

But it seems to not gererate much more traffic, I did "monitor session 1 source vlan 1 both"

Any ideas?

0 Helpful

Edison Ortiz
Hall of Fame
Hall of Fame
In response to whiteford

‎09-05-2008 05:17 AM

You may be facing this caveat:

Only traffic that enters or leaves source ports or traffic that enters or leaves source VLANs can be monitored by using SPAN; traffic routed to a source VLAN cannot be monitored. For example, if incoming traffic is being monitored, traffic that gets routed from another VLAN to the source VLAN cannot be monitored; however, traffic that is received on the source VLAN and routed to another VLAN can be monitored.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swspan.html

HTH,

__

Edison.

Please rate helpful posts

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card