Re: SPAN question

From: Darby Weaver (ccie.weaver@gmail.com)
Date: Tue Dec 09 2008 - 21:26:04 ARST

• Next message: Darby Weaver: "Re: Multicast MSDP"
• Previous message: Darby Weaver: "Re: Broadcast keyword in FR Hub & Spok"
• Maybe in reply to: GAURAV MADAN: "SPAN question"
• Next in thread: GAURAV MADAN: "Re: SPAN question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I'll promise you SPAN source and destination sessions do not need to be in
the same VLAN.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

I just posted this link elsewhere.

But it should help clear up any misconceptions on the matter of
SPAN/RSPAN/ERSPAN.

Enjoy!

On Tue, Dec 9, 2008 at 9:45 AM, GAURAV MADAN <gauravmadan1177@gmail.com>wrote:

> make sense
>
> Thnx for providing clearification
>
>
>
> On Tue, Dec 9, 2008 at 6:05 PM, Pavel Bykov <slidersv@gmail.com> wrote:
>
> > Local span session means it is local to the switch, not local to the
> VLAN.
> > The only thing switch looks at is switchport mode, if it's ACCESS or
> TRUNK.
> > If It's access, the encapsulation of mirrored packets is stripped, unless
> > "encapsulation replicate" keyword is used. If the mode is TRUNK, then the
> > encapsulation is preserved.
> >
> > Now, for the experience part, here is a common example. Let's say you
> need
> > to look if custommers are placed in correct QinQ tunnels and COS/EXP/DSCP
> > are correct.
> > You have one vlan (trunk) inside of another vlan (trunk) labeled with
> MPLS
> > header.
> > This is a local span session. What VLAN are you going to set your port
> to?
> > What if you are mirroring many such ports, many p-vlans and even more
> > c-vlans?
> >
> >
> > On Mon, Dec 8, 2008 at 3:17 PM, GAURAV MADAN <gauravmadan1177@gmail.com
> >wrote:
> >
> >> Hi
> >>
> >> Thnx for the link
> >> What I understand from :
> >>
> >> Source ports can be in the same or different VLANs.
> >>
> >> is that when one is creating SPAN session ; there can be multiple source
> >> ports and these multiple source ports can be in diff vlan as well.
> >>
> >> With all respect to ur experience ; I seriously dont know why we allow
> >> one vlan traffic to be mirrored out to a port which is in different vlan
> .
> >> I am asking only for Local SPAN session .
> >>
> >> Gaurav Madan
> >> On Mon, Dec 8, 2008 at 6:50 PM, Pavel Bykov <slidersv@gmail.com>
> wrote:
> >>
> >>> It's either an old book, or author made a mistake.
> >>> I know from practical experience, that this is not a requirement.
> >>>
> >>> Also, please check out the following documents:
> >>>
> >>>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swspan.html#wp1036686
> >>>
> >>> Especially "Destination Port" and "Source port" requirements.
> >>> E.g. there it states:
> >>> Source ports can be in the same or different VLANs.
> >>> etc.
> >>> you can even sniff trunks with encapsulation.
> >>>
> >>>
> >>> On Mon, Dec 8, 2008 at 2:10 PM, GAURAV MADAN <
> gauravmadan1177@gmail.com>wrote:
> >>>
> >>>> Hi
> >>>>
> >>>> I am really not sure .. where i read this (couldnt rrecollect)
> >>>> just gava a random search in google and found :
> >>>>
> >>>>
> >>>>
> http://books.google.com/books?id=-rnt_ik0mSYC&pg=PA482&lpg=PA482&dq=span+source+and+dest+in+same+vlan&source=web&ots=LDb-x54w0e&sig=1JJ9VIJEHHQOkugjl6QCVQ_nmyQ&hl=en&sa=X&oi=book_result&resnum=1&ct=result
> >>>>
> >>>> It states :
> >>>>
> >>>> SPAN dest port and SPAN source port need to be in same vlan.
> >>>>
> >>>> PLease do correct me in case i am wrong
> >>>>
> >>>> Gaurav Madan.
> >>>> On Mon, Dec 8, 2008 at 4:42 PM, Pavel Bykov <slidersv@gmail.com
> >wrote:
> >>>>
> >>>>> Where did you read that they need to be in the same VLAN?
> >>>>> That is not true.
> >>>>> Right now you are receiving anything that flows through Fa 1/0/9.
> >>>>> Are data really flowing through Fa 1/0/9?
> >>>>>
> >>>>> On Mon, Dec 8, 2008 at 12:07 PM, GAURAV MADAN <
> >>>>> gauravmadan1177@gmail.com> wrote:
> >>>>>
> >>>>>> Hi Frnds
> >>>>>>
> >>>>>> Just to understand something better on SPAN ; I tested sniffing on a
> >>>>>> port on
> >>>>>> diff vlan (but landed in more confusion)
> >>>>>>
> >>>>>> i.e
> >>>>>>
> >>>>>> Rack1SW3(config)#do sh monitor sess 1
> >>>>>> Session 1
> >>>>>> ---------
> >>>>>> Type : Local Session
> >>>>>> Source Ports :
> >>>>>> Both : Fa1/0/9
> >>>>>> Destination Ports : Fa1/0/10
> >>>>>> Encapsulation : Native
> >>>>>> Ingress : Disabled
> >>>>>>
> >>>>>> Rack1SW3(config)#do sh run int f1/0/9
> >>>>>> Building configuration...
> >>>>>> Current configuration : 62 bytes
> >>>>>> !
> >>>>>> interface FastEthernet1/0/9
> >>>>>> switchport access vlan 10
> >>>>>> end
> >>>>>> Rack1SW3(config)#do sh run int f1/0/10
> >>>>>> Building configuration...
> >>>>>> Current configuration : 62 bytes
> >>>>>> !
> >>>>>> interface FastEthernet1/0/10
> >>>>>> switchport access vlan 2
> >>>>>> end
> >>>>>>
> >>>>>> Rack1SW3(config)#do sh run int vlan 10
> >>>>>> Building configuration...
> >>>>>> Current configuration : 55 bytes
> >>>>>> !
> >>>>>> interface Vlan10
> >>>>>> ip address 10.0.0.1 255.0.0.0
> >>>>>> end
> >>>>>>
> >>>>>> I am just send some pkts from external source to 10.0.0.1 (src
> >>>>>> 10.0.0.4 say
> >>>>>> )
> >>>>>> PC with etherial is connected to f1/0/10
> >>>>>>
> >>>>>> I am able to SNIFF .. Am i doing something wrong ..
> >>>>>> As i understand SPAN source and dest need to be in same vlan .
> >>>>>>
> >>>>>> Gaurav Madan
> >>>>>>
> >>>>>>
> >>>>>> Blogs and organic groups at http://www.ccie.net
> >>>>>>
> >>>>>>
> >>>>>>
> _______________________________________________________________________
> >>>>>> Subscription information may be found at:
> >>>>>> http://www.groupstudy.com/list/CCIELab.html
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Pavel Bykov
> >>>>> ----------------
> >>>>> Don't forget to help stopping the braindumps, use of which reduces
> >>>>> value of your certifications. Sign the petition at
> >>>>> http://www.stopbraindumps.com/
> >>>>>
> >>>>
> >>>>
> >>>
> >>>
> >>> --
> >>> Pavel Bykov
> >>> ----------------
> >>> Don't forget to help stopping the braindumps, use of which reduces
> value
> >>> of your certifications. Sign the petition at
> >>> http://www.stopbraindumps.com/
> >>>
> >>
> >>
> >
> >
> > --
> > Pavel Bykov
> > ----------------
> > Don't forget to help stopping the braindumps, use of which reduces value
> of
> > your certifications. Sign the petition at http://www.stopbraindumps.com/
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net

• Next message: Darby Weaver: "Re: Multicast MSDP"
• Previous message: Darby Weaver: "Re: Broadcast keyword in FR Hub & Spok"
• Maybe in reply to: GAURAV MADAN: "SPAN question"
• Next in thread: GAURAV MADAN: "Re: SPAN question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:08 ARST