Yes, a SPAN destination port can be configured as trunks or access ports. Keep in mind that by using one or the other, there will be no difference in what is outputted.
Having said that, however, if your source port is a trunk, frames on that trunk will be tagged with the appropriate VLAN ID. Frames that will be outputted from the SPAN destination port will NOT have these tags UNLESS it is configured as a trunk port AND the encapsulation dot1q is enabled.
For example, if you create a SPAN monitor session 1, and you view this session with the commands below, you can see the encapsulation on the destination port is set to Native.
Switch#show monitor session 1
Session 1
---------
Type : Local Session
Source Ports :
Both : Fa0/24
Destination Ports : Fa0/1
Encapsulation : Native
Ingress : Disabled
Switch#
If the destination port Fa0/1 is configured to be a trunk AND is configured with dot1q encapsulation, then the tags will be included.
I hope this has been helpful!
Laz
shantel
(Shantel - Networklessons.com)
Split this topic
22
Hello,
I have two 3750 trunked with gi ethernchannel.
VTP enabled. SW1 is VTP client and is a source for RSPAN. VLAN 20 is only enabled.
SW2 is the destination for RSPAN source traffic, it is the VTP Server.
I tried VLAN 20 and got expected message: %VTP VLAN configuration not allowed when device is in CLIENT mode.
That prevents me to execute the next command remote span under for VLAN 20 on VTP client. Please add more content to your RSPAN example explaining how to enable RSPAN on VTP client.
Have you created your RSPAN VLAN(s) on a VTP server? You can apply the âremote-spanâ parameter as normal that way.
Also do be careful to check VTP pruning; it can remove RSPAN VLANs!
I have placed some example configuration below that I hope is useful.
Kind regards,
Jon
CiscoCat2970#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoCat2970(config)#vtp ver 2
VTP mode already in V2.
CiscoCat2970(config)#vtp mode server
Device mode already VTP SERVER.
CiscoCat2970(config)#vlan 20
CiscoCat2970(config-vlan)#remote-span
CiscoCat2970(config-vlan)#exit
CiscoCat2970(config)#exit
CiscoCat2970#show vlan id 20
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
20 VLAN0020 active
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
20 enet 100020 1500 - - - - - 0 0
Remote SPAN VLAN
----------------
Enabled
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
CiscoCat2970#
Hi Rene
The example you used , is for a layer2 network. I mean you have not used any IP addresses etc.
what if we have a layer-3 network? For example we have a core router , aggregating lot of access switches and running eigrp routing. if we need to enable port analyzer still need to create vlan ?
SPAN and RSPAN are used to capture on L2 so anything on the upper layers, is also captured. You can use this on an interface that connects to a router to capture whatever you need.
Itâs also possible to capture traffic on a router btw:
Hello Rene,
I need some help and I am going to use the below topology as the reference.
In this switch I have two VLANs(VLAN 10 and VLAN 20). G1/1 is an access port assigned to VLAN 10 and G2/2 is also an access port assigned to VLAN 20. Now I want to connect two packet sniffing devices on port G3/3 and port G4/4 and they will use IP addresses from VLAN 10.
This will be the configuration:
========================
First of all, it doesnât really matter what IP addresses you configure on the packet sniffers. These devices will not be able to communicate with the network as their sole purpose is to sniff or detect any and all packets that are sent from the destination ports.
Secondly, the destination ports have all ingress traffic disabled, so even if they were configured with additional parameters, these are all overridden.
Essentially, no additional parameters are necessary on the destination ports.
You can find additional comprehensive information about the destination ports in a SPAN configuration at this Cisco documentation.
This is a very good question. Essentially, what you want to do with the above topology is to have the destination port receive monitoring information from both SPAN and RSPAN source ports.
According to Cisco:
The switch does not support a combination of local SPAN and RSPAN in a single session. That is,
an RSPAN source session cannot have a local destination port, an RSPAN destination session cannot
have a local source port, and an RSPAN destination session and an RSPAN source session that are
using the same RSPAN VLAN cannot run on the same switch.
So you will need to have two separate destination ports, one for the locally monitored source ports and one for the remotely monitored source ports.
In your example - âSwitch(config)#monitor session 1 destination interface fa0/2â I did that on my switch. I could not locate fa0/2 in show vlan or show int trunk. a show int fa0/2 switchport show operation mode : down a show int fa0/2 showed line protocol is down (monitoring). Does configuring fa0/2 as a destination in SPAN create all this?
When a port is configured as a destination port for SPAN/RSPAN, it no longer functions as a regular switchport. Indeed, it no longer shows up in the show VLAN or show interface trunk commands because it is neither an access or trunk port. The operation mode is down because the only other options are trunk or access, and it is none of those. The line protocol (Ethernet) is also down because it is not functioning as an Ethernet port. It is in a specialised state where it just sends copies of frames from the appropriate sources.
So to answer your question, yes, all of this is due to the configuration of the port as a monitoring port.
Sorry if this is in the wrong place it is my first post since becoming a member, also sorry if it is not allowed.
I am currently testing some security concerns for VPNs, I am wanting to view traffic going through the routers using Wireshark, In my current placement of this machine all I can see is EIGRP notifications for adjacencies and none of the traffic I am generating via ostinato to check if my packets are encrypted.
Can I get some recommendations of where I should put this packet sniffing machine running Wireshark?
No problem about your post, if thereâs a better location to place the post, then weâll move it to the appropriate thread. Congratulations on your first post!
As for your question, in order to get meaningful information on a wireshark capture device, youâll have to configure SPAN or RSPAN on the switch on which you are connecting. You can read more about these in the lesson of this thread, however, suffice it to say that SPAN and RSPAN allow you to copy traffic (frames and packets) of particular ports or VLANs to a monitoring port (simply a switchport with a specialized configuration) so that the wireshark software can collect and store the data. Concerning the physical placement of wireshark, itâs a good idea to connect it to the switch that is directly connected to the device that you want to monitor. For example, if you want to monitor traffic going through R3, then the placement of the wireshark device is good, but youâll have to configure SPAN.
If you want to capture all traffic that is traversing the link between Ethernetswitch-3 and R3 for example, then you will have to configure SPAN on Ethernetswitch-3 to copy all incoming and outgoing data on the E1 port to the E2 port.
Review the lesson of this thread for further details, and if you have any more questions, you know where to find us!
If you have a SPAN configuration where you are capturing packets from several source ports and sending them to the destination port, and you have a computer running wireshark that is connected to that destination port, then that computer wonât have network access. It can only capture packets. By issuing the command that Rene mentioned, you can cause that port to also send and receive normal data from the computer so it can be used as any other connection device while still capturing packets from the monitored source ports. You would do this in the event that you require network access on that device while capturing packets at the same time.
As for interoperability, I know of situations where RSPAN was implemented between a Cisco switch and a Hewlett Packard Procurve switch, but it may be that not all vendors are compatible. You should check on some examples that others may have shared online, but unless you try it out yourself to find out, thereâs no guarantee that it will work.
