SPAN or RSPAN

Hi,
I need to set up port mirroring on a Catalyst 4006 switch. Both the source and destination ports are on the same switch.
I need to capture all traffic across the LAN for analysis. Is it enough to configure SPAN? Please advise.

Hi Friend,
If both your source and destination ports are on the same switch, you are good to go with SPAN.
Have a look at this link to configure SPAN on a cat4k switch:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/rel7_1/config/span.htm
But as you also said, you want to capture traffic across the LAN; in that case the source ports may exist on different switches, and if your source port and destination port exist on different switches then you surely need RSPAN.
Also, instead of configuring a specific source port to capture, you can capture a complete VLAN: when you configure SPAN you can also configure a source VLAN to capture all traffic on and for that VLAN.
HTH, if yes please rate the post.
Ankur

Similar Messages

  • How can I use Local SPAN with RSPAN ??

    I want to mirror traffic from ISP-A and ISP-B to the Anomaly-detector module.
    So I configured it like this:
    C6500-A
    vlan 1000
    name RSPAN
    remote-span
    monitor session 10 source interface Gi5/1 - 2 rx
    monitor session 10 destination remote vlan 1000
    monitor session 20 destination anomaly-detector-module 3 data-port 1
    monitor session 20 source remote vlan 1000
    interface GigabitEthernet1/13
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1000
    switchport mode trunk
    no ip address
    C6500-B
    vlan 1000
    name RSPAN
    remote-span
    monitor session 10 source interface Gi5/1 - 2 rx
    monitor session 10 destination remote vlan 1000
    interface GigabitEthernet1/13
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1000
    switchport mode trunk
    no ip address
    end
    But it was not working.
    There was no change in the input packet hit count when I entered the command 'show anomaly-detector module 3 data-port 1 traffic'.
    Was the above configuration wrong?
    Can I use a VACL configuration?

    Try changing "monitor session 10 destination remote vlan 1000" to "monitor session 10 destination anomaly-detector-module 3 data-port 1" on C6500-A.

  • SPAN and RSPAN, ISL and TRUNKING

    Hello,
    I have some questions regarding the do's and don'ts of SPANning. Say you have, for example, several switches each with one port, say port 48, SPANned to another switch that collapses all the traffic to be monitored by an IDS or network analyzer.
    What would be the best way to do this if you were concerned about multiple VLANs being on the switches you were SPANning from?
    My idea was to turn each of the SPAN ports into a trunk port and also use ISL encapsulation between the switches and the "Aggregate Switch" that everything collapses to. Then, I would have a monitor session ("another SPAN") taking all of those SPANs from the other switches to a single port for monitoring.
    This is because each of the switches has trunked 802.1q fiber ports and is capable of receiving any VLAN. Also, although 802.1q is common, for this I was thinking of using ISL because it does not require a native VLAN. If a port on the switch is changed to a different VLAN (switchport access vlan XX) and the monitor "SPAN" is not set for trunking, I don't think we would see the traffic from a different VLAN, would we?
    RSPAN could be used, but there are already physical SPANs coming from each of the switches to monitor. Is there any downside to using physically cabled SPANs vs RSPAN?
    What is the best practice for monitoring segregated networks that cannot use RSPAN? Physically cabled SPANs with monitor sessions?
    Am I thinking of this correctly or have I derailed?
    Thanks

    If you have source ports belonging to several different VLANs, or if you are using SPAN on several VLANs on a trunk port, you may want to identify to which VLAN a packet you are receiving on the destination SPAN port belongs. This is possible by enabling trunking on the destination port before configuring it for SPAN. This way, all packets forwarded to the sniffer will also be tagged with their respective VLAN IDs.

  • SPAN or RSPAN Configuration for intermediate Switch.

    Hi
    I have three switches. My sniffer is connected to my core switch, port 11.
    I have 1 core SW and 2 access SWs.
    CoreSW --------------Trunk--------------->AccessSw1-----------------Trunk-------------------------AccessSw2.
    I am trying to configure a monitor session between AccessSW2 and the core SW.
    My configuration at the core SW:
    monitor session 1 destination interface Fa0/11
    monitor session 1 source remote vlan 901
    At AccessSw2:
    monitor session 1 source interface Fa0/1 - 22
    monitor session 1 destination remote vlan 901
    These configurations work fine if I omit AccessSw1.
    So what configuration do I need at AccessSW1 for this to work? Please help me on this.

    Alexander,
    You will have to specify the remote VLAN on Sw2; just creating it won't help. Following is the config for SW2:
    Switch(config)# monitor session 1 source remote vlan 901
    Switch(config)# monitor session 1 destination interface fastEthernet0/5
    The commands are a bit platform specific, as they are a bit different for the 6500 switches:
    For SW2 on a Cisco 6500:
    Router(config)# monitor session 1 type rspan-destination
    Router(config-rspan-dst)# source remote vlan 2
    Router(config-rspan-dst)# destination interface gigabitethernet 1/2
    Thanks
    Ankur
    "Please rate the post if found useful"
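As an added example (not from any poster in this thread, and not a Cisco tool), the decision from the first question (same switch: local SPAN; different switches: RSPAN) and the intermediate-switch case from this thread, encoded in a small planner. Every switch on the path gets the RSPAN VLAN with `remote-span`, and trunks whose allowed-VLAN list does not carry it get an `add`; the switch names, trunk interfaces and allowed-VLAN lists in the scenario below are constructed.

```python
"""Plan a mirroring session as local SPAN or RSPAN (Catalyst IOS syntax).

Hypothetical helper written for this page. Note: some platforms (the 2950
in the thread below) also need a reflector-port on the source session,
which is not emitted here.
"""

# VLAN 1 and the reserved 1002-1005 cannot serve as RSPAN VLANs (Cisco guideline).
RESERVED_RSPAN_VLANS = {1} | set(range(1002, 1006))


def trunk_allows(allowed_vlan_spec, vlan):
    """True if an IOS 'switchport trunk allowed vlan' list such as
    '1,10-20,901' permits vlan. 'all' (the default) and 'none' are handled;
    the 'add'/'remove'/'except' forms are not."""
    spec = allowed_vlan_spec.strip().lower()
    if spec in ("", "all"):
        return True
    if spec == "none":
        return False
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= vlan <= int(hi or lo):
            return True
    return False


def plan_mirror(path, sources, dest_port, rspan_vlan=None, session=1, trunks=None):
    """Return {switch_name: [config lines]}.

    path       -- switches from the source switch to the destination switch,
                  e.g. ["AccessSw2", "AccessSw1", "CoreSW"]; one element = local SPAN.
    sources    -- SPAN source specs as typed in IOS, e.g. "interface Fa0/1 - 22"
                  or "vlan 112", optionally followed by rx/tx/both.
    dest_port  -- interface on the last switch where the sniffer or IDS sits.
    rspan_vlan -- RSPAN VLAN id, required when the path spans more than one switch.
    trunks     -- {switch: [(trunk_interface, allowed_vlan_spec), ...]} to check
                  that every trunk on the path carries the RSPAN VLAN.
    """
    if not path or not sources:
        raise ValueError("need at least one switch and one source")
    trunks = trunks or {}
    src_sw, dst_sw = path[0], path[-1]
    src_lines = [f"monitor session {session} source {s}" for s in sources]
    dst_line = f"monitor session {session} destination interface {dest_port}"

    if len(path) == 1:  # local SPAN: no RSPAN VLAN involved
        return {src_sw: src_lines + [dst_line]}

    if rspan_vlan is None or not 2 <= rspan_vlan <= 4094 or rspan_vlan in RESERVED_RSPAN_VLANS:
        raise ValueError("RSPAN needs a VLAN in 2-4094 other than 1002-1005")

    # The RSPAN VLAN must exist, flagged remote-span, on EVERY switch on the path,
    # including intermediate switches that run no monitor session themselves.
    plan = {sw: [f"vlan {rspan_vlan}", "remote-span"] for sw in path}
    plan[src_sw] += src_lines + [f"monitor session {session} destination remote vlan {rspan_vlan}"]
    plan[dst_sw] += [f"monitor session {session} source remote vlan {rspan_vlan}", dst_line]

    # Trunks along the path that prune the RSPAN VLAN silently drop the mirrored traffic.
    for sw in path:
        for ifname, allowed in trunks.get(sw, []):
            if not trunk_allows(allowed, rspan_vlan):
                plan[sw] += [f"interface {ifname}", f"switchport trunk allowed vlan add {rspan_vlan}"]
    return plan


if __name__ == "__main__":
    scenario = plan_mirror(
        ["AccessSw2", "AccessSw1", "CoreSW"], ["interface Fa0/1 - 22"], "Fa0/11",
        rspan_vlan=901, trunks={"AccessSw1": [("Gi0/1", "10-20"), ("Gi0/2", "all")]},
    )
    for sw, lines in scenario.items():
        print(f"! {sw}")
        print("\n".join(lines))
```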

  • RSPAN with Cat2950 Switches

    Good day,
    I'm trying to create an RSPAN session with 2 Catalyst 2950 switches but it doesn't work (no packets shown by the network analyzer).
    I don't know what I'm doing wrong. Does anybody see any mistake in my configuration?
    - all ports in VLAN 1, except for Fa0/48 (trunk to neighbor device)
    Switch 1:
    vlan 99
    name Monitor-VLAN
    remote-span
    interface FastEthernet0/24
    description switch-2 Fa 0/48
    switchport mode trunk
    switchport nonegotiate
    monitor session 1 source interface Fa0/1 rx
    ! Notebook for testing connected to Fa0/1
    monitor session 1 destination remote vlan 99 reflector-port Fa0/23
    Switch 2:
    vlan 99
    name Monitor-VLAN
    remote-span
    interface FastEthernet0/24
    description switch-1 Fa 0/48
    switchport mode trunk
    switchport nonegotiate
    monitor session 1 destination interface Fa0/1
    ! NW-Analyzer connected to Fa0/1
    monitor session 1 source remote vlan 99
    Regards,
    Rolf

    Amit,
    sorry - I didn't see your response yesterday.
    Here's the output of show version:
    Switch#s vers
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4a, RELEASE SOFTWARE
    (fc1)
    Copyright (c) 1986-2005 by cisco Systems, Inc.
    Compiled Fri 16-Sep-05 10:46 by yenanh
    Image text-base: 0x80010000, data-base: 0x80562000
    ROM: Bootstrap program is C2950 boot loader
    Switch uptime is 45 minutes
    System returned to ROM by power-on
    System image file is "flash:/c2950-i6q4l2-mz.121-22.EA4a.bin"
    cisco WS-C2950-24 (RC32300) processor (revision R0) with 21039K bytes of memory.
    Processor board ID xxxxx
    Last reset from system-reset
    Running Standard Image
    24 FastEthernet/IEEE 802.3 interface(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: xxxx
    Motherboard assembly number: xxxx
    Power supply part number: xxxx
    Motherboard serial number: xxxx
    Power supply serial number: xxxx
    Model revision number: R0
    Motherboard revision number: A0
    Model number: WS-C2950-24
    System serial number: xxxx
    Configuration register is 0xF
    I studied the 'Configuring SPAN and RSPAN' (Chapter 21 of the Catalyst 2950 Desktop Switch Configuration Guide) again and found as a Configuration Guideline:
    ..., you must have EI installed on your switch.
    I wonder what 'EI' means?
    Regards,
    Rolf

  • Span blade server on Cisco 3020?

    I have an HP blade center with a Cisco 3020. From what I know, the blades use a connection on the backplane for network connectivity. So my question is, can you set up a monitoring session to capture traffic from one individual blade server? I would normally span source interface to destination interface. But how do I specify the blade server's interface when it's not on the switch itself? Thanks.

    Hi Josh,
    I'm not sure I really follow you here. The backplane of the blade server chassis is simply used as a communications channel between the blade server NICs and the server facing interfaces of the switch i.e., Gi0/1-16 and has no real bearing on how SPAN would work.
    SPAN in the Catalyst 3020 switch works in exactly the same way as other Catalyst switches, with you specifying the source and destination interfaces etc., as you normally would. So assuming you have a server connected to Gi0/1 that you wanted to capture traffic to/from then you would configure something along the lines of monitor session 1 source interface gi0/1.
    The tricky part can be the SPAN session destination and you have a number of options.
    Use a server within the same chassis as the capture device.
    If you have a server in the same chassis that has packet capture capability then you simply specify its NIC interface as the SPAN destination e.g., monitor session 1 destination interface gi0/2. The problem here is that when the destination interface goes into the monitoring state you'll lose in-band connectivity to the server so you would need to use the console to access the server.
    Attach an external capture device to one of the switches external interfaces
    The Catalyst 3020 has eight external facing interfaces i.e., Gi0/17-24 which are typically used for upstream network connectivity. If not all of these are in use then attach your capture device to one of those interfaces and configure the SPAN destination appropriately e.g., monitor session 1 destination interface Gi0/24.
    Attach your capture device to an upstream switch and, on the Catalyst 3020, use an RSPAN VLAN as the destination to carry the traffic
    This requires you define an RSPAN VLAN on the Catalyst 3020 and configure this as the SPAN destination. This VLAN is then configured on the external interfaces between your Catalyst 3020 and the upstream switch, where you would connect your capture device. In this case the upstream switch obviously requires a SPAN session to be configured as well.
    There's discussion on the use of SPAN and RSPAN in the Integrating the Cisco Catalyst Blade Switch 3020 for the HP c-Class BladeSystem into the Cisco Data Center Network Architecture design guide that goes into more detail and has example configurations.
    Regards

  • 802.1X on Etherchannels

    We are deploying ISE and everything seems to be working just fine.
    We have a series of servers accessing the network using etherchannels.
    We are completely aware that 802.1X is not recommended for servers, but we would like to activate it for a proof of concept.
    Is there a way (or work around) to activate 802.1X in a port-channel?
    Thanks for your help!

    Hello vbuendia, I wonder if we know each other?
    802.1x is not supported on port-channels. You can potentially look into SGA for securing servers in your environment.
    Here is a snippet from the 15.x configuration guide:
    The 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3 routed ports, but it is not supported on these port types:
    – Trunk port—If you try to enable 802.1x authentication on a trunk port, an error message appears, and 802.1x authentication is not enabled. If you try to change the mode of an 802.1x-enabled port to trunk, an error message appears, and the port mode is not changed.
    – Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1x authentication on a dynamic port, an error message appears, and 802.1x authentication is not enabled. If you try to change the mode of an 802.1x-enabled port to dynamic, an error message appears, and the port mode is not changed.
    – Dynamic-access ports—If you try to enable 802.1x authentication on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and 802.1x authentication is not enabled. If you try to change an 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.
    – EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an 802.1x port. If you try to enable 802.1x authentication on an EtherChannel port, an error message appears, and 802.1x authentication is not enabled.
    – Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable 802.1x authentication on a port that is a SPAN or RSPAN destination port. However, 802.1x authentication is disabled until the port is removed as a SPAN or RSPAN destination port. You can enable 802.1x authentication on a SPAN or RSPAN source port.
    Thank you for rating!

  • IDSM-2 capture configuration

    Hi friends,
    I have enabled capture on the IDSM data-port 1 (Gig0/7). Now, I want to use data port 2 (Gig 0/8) also to capture another segment.
    A snippet of my current config is as follows:
    ip access-list extended MATCHALL
    permit ip any any
    vlan access-map CAPTUREALL 10
    match address MATCHALL
    action forward capture
    vlan-filter CAPTUREALL vlan-list x
    intrusion-detection module 3 management-port access-vlan 5
    intrusion-detection module 3 data-port 1 capture
    intrusion-detection module 3 data-port 1 capture allowed-vlan 1-4094
    intrusion-detection module 3 data-port 1 autostate include
    intrusion-detection module 3 data-port 1 portfast enable
    My question is:
    If I enable data port 2, then how do I bind a VACL to data port 2 only?
    Thanks a lot
    Gautam

    You can't bind a VACL to a particular data port.
    You can only tell a capture port what vlans to monitor. The capture port will monitor all captured packets from those vlans regardless of what VACL was used to mark those packets as capture packets.
    Your data-port 1 is already monitoring all 4094 vlans so there are no additional vlans that data-port 2 would need to capture packets for.
    If your switch does routing then your configuration is correct. Even though the VACL is applied to a limited set of a vlan-list X, the packets marked for capture could wind up being routed to any vlan and so all vlans have to be monitored.
    NOW you could add additional vlans to your existing vlan-list, or even create another VACL and apply it to a separate vlan list. BUT in either case your data-port 1 would already be configured for monitoring them.
    If your switch is NOT doing routing (pretty rare these days), then you do have an alternative. You can change the "capture allowed-vlan" list for data-port 1 to be the same "vlan-list X" that your VACL is assigned to. Then you can create a new VACL and assign it to a list Y, and configure data-port 2 to be a capture port for allowed-vlan list Y.
    But this really doesn't gain you a whole lot. You could just simply add vlan list Y to data-port 1 and still monitor everything with data-port 1.
    Data-port 2 doesn't really gain you much as a 2nd capture port.
    Where data-port 2 comes in handy is when you want to do a different type of monitoring.
    Data-port 2 could be set up as a Span or Rspan destination port.
    OR data-port 2 could be set up for InLine monitoring with InLine Vlan Pairs.
    It is only when you need the second type of monitoring that you can really make use of data-port 2.
    For capturing traffic on additional vlans you can just continue to use data-port 1.

  • IPS and IDS configuration

    Hi,
    The concepts of IDS and IPS are clear to me. Now I want to understand the difference between IDS and IPS in terms of deployment (does it use the same ports for monitoring and command and control) and configuration (SPAN...).
    Thanks.

    Given this info, I'm going to assume that you don't want to run your IPS-4240 sensors inline...
    Is it a safe guess that you're going to use the eight total monitoring interfaces you have to instead passively monitor different legs of the network, and that each switch will be configured to provide that capability via a SPAN on each switch?
    BTW, I can't give you specifics on configuring SPAN without knowing which switch platform(s) you're using. In order to perhaps save time, here are some links for configuring SPAN and RSPAN on some of the more common switch platforms:
    2940 series - http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2970/12119ea1/2970scg/swspan.htm
    2950 series - http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12119ea1/2950scg/swspan.htm
    2970 series - http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2970/12114ea1/2970scg/swspan.htm
    3550 series - http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12112cea/3550scg/swspan.htm
    3560 series - http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12119ea1/3560scg/swspan.htm
    3750 series - http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12119ea1/3750scg/swspan.htm
    4000 series - http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/7_5/config/span.htm
    6500 series - http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_3/confg_gd/span.htm
    If you have another switch, just use the string "configure SPAN RSPAN " in the cisco.com search engine and you should find what you need.
    Though you want info on deploying the IPS-4240, here's a link with info for all the platforms:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_installation_guides_list.html
    Finally, here's a link for the software configuration itself (various versions):
    http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guides_list.html
    I hope this helps,
    Alex Arndt

  • %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Gi3/0/1 and port Fa2/0/46.....

    Hi Guys,
    I am seeing the above issue on two of my switches connected to the core switch. I know there are quite a few discussions open on the same issue, but mine is different.
    I see the same issue on two switches connected via the core switch on the same VLAN (112). When I do a MAC address lookup it says the MAC that's generating this error is invalid, so I can't track the source of this MAC. I also just saw a topology change notification on the core and traced it back to the originating switch, which is also generating this error, but I don't see any change on the switch that generated the topology change notification. The problem is that in VLAN 112 all interfaces on both switches connected via the core are generating this message, so five interfaces each. Any expert advice on how to approach it, as I can't get to the source port generating this, since nearly five ports in VLAN 112 on both switches are generating this error. Thanks
    Apr 15 15:56:08: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa3/0/46 and port Gi3/0/1
    Apr 15 15:56:50: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa2/0/46 and port Gi3/0/1
    Apr 15 15:56:51: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa3/0/46 and port Gi3/0/1
    Apr 15 15:58:29: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa2/0/46 and port Gi3/0/1
    Apr 15 15:59:27: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Gi3/0/1 and port Fa2/0/46
    Apr 15 15:59:45: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa2/0/46 and port Gi3/0/1
    Apr 15 16:00:14: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Gi3/0/1 and port Fa3/0/46
    Apr 15 16:00:36: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa2/0/46 and port Gi3/0/1
    Apr 15 16:02:40: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa3/0/46 and port Gi3/0/1
    Apr 15 16:03:22: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa3/0/46 and port Gi3/0/1
    Apr 15 16:03:31: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Gi3/0/1 and port Fa2/0/46
    Apr 15 16:04:03: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa3/0/46 and port Gi3/0/1
    Apr 15 16:04:34: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa2/0/46 and port Gi3/0/1
    Apr 15 16:04:41: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Gi3/0/1 and port Fa2/0/46
    Apr 15 16:05:05: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa2/0/46 and port Gi3/0/1
    Apr 15 16:05:13: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Gi3/0/1 and port Fa3/0/46
    sh spanning-tree vlan 112
    VLAN0112
      Spanning tree enabled protocol rstp
      Root ID    Priority    8192
                 Address     001e.13c1.5a70
                 Cost        3004
                 Port        109 (GigabitEthernet3/0/1)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    49264  (priority 49152 sys-id-ext 112)
                 Address     001f.261c.1d80
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 300
      UplinkFast enabled but inactive in rapid-pvst mode
    Interface        Role Sts Cost      Prio.Nbr Type
    Fa2/0/46         Desg FWD 3019      128.104  P2p
    Fa1/0/46         Desg FWD 3019      128.50   P2p
    Gi3/0/1          Root FWD 3004      128.109  P2p
    Fa3/0/46         Desg FWD 3019      128.158  P2p
    Fa3/0/47         Desg FWD 3100      128.159  P2p
    Fa3/0/48         Desg FWD 3019      128.160  P2p

    ASAK Mohammed,
    There are lots of threads discussing this; you should do a search before creating a new post.
    Anyway, this is how you approach these types of flapping:
    1. Is the given MAC in the log flapping only 1 time, or do you see it multiple times over a reasonably short time?
       If you see it only once or once every 2-3 hours this might not be an issue worth investigating. Sporadic one-time flapping is expected in an L2 broadcast domain.
       If you see it often, continue to step 2.
    2. Identify and locate the flapping MAC in vlan 125: 3270.990a.a504
       Is the MAC that of a dual-homed server using some kind of load balancing algorithm (active/active) for which the same address is used from both NICs?
       If yes, the message is not an issue but just an indication. Fix this type of LB (make it active/standby or make sure the server uses 2 different MAC addresses, one per NIC) or, if that is not possible, leave it like this.
    3. Is the MAC that of the wireless NIC of a PC?
       Make sure that the user was not moving from one AP to another (flapping is normal in this case).
    4. See if you have increasing TCNs and check if they are coming from the same interface.
       From this point on you keep on troubleshooting STP until you find the offending link (likely going up and down) or the switch. You also need to check if STP in vlan 112 is coherent with the actual L2 topology you have.
    =====================================================
    2. Some more detailed information which might be helpful to you:
    http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a00801434de.shtml#subtopic1k
    Problem
    The switch generates "%SYS-3-P2_ERROR: Host xx:xx:xx:xx:xx:xx is flapping between ports" messages, where xx:xx:xx:xx:xx:xx is a MAC address.
    Description
    This example shows the console output that you see when this error occurs:
    %SYS-4-P2_WARN: 1/Host 00:50:0f:20:08:00 is flapping between port 1/2 and port 4/39
    Use the steps and guidelines in this section in order to understand and troubleshoot the cause of this error message.
    The message indicates that your Catalyst 4500/4000 switch has learned a MAC address that already exists in the content-addressable memory (CAM) table, on a port other than the original one. This behavior repeatedly occurs over short periods of time, which means that there is address flapping between ports.
    If the message appears for multiple MAC addresses, the behavior is not normal. This behavior indicates a possible network problem because the MAC addresses move quickly from one port to another port before the default aging time. The problem can be looping traffic on the network. Typical symptoms include:
    · High CPU utilization
    · Slow traffic throughout the network
    · High backplane utilization on the switch
    For information on how to identify and troubleshoot issues with spanning tree, refer to Spanning Tree Protocol Problems and Related Design Considerations <http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800951ac.shtml>.
    If the error message appears for one or two MAC addresses, locate these MAC addresses in order to determine the cause. Issue the show cam mac_addr command in order to identify from where these MAC addresses have been learned. In this command, mac_addr is the MAC address that the error reports as flapping.
    After you determine between which ports this MAC address is flapping, track down the MAC address. Connect to the intermediate devices between your Catalyst 4500/4000 and the device that has the problem MAC address. Do this until you are able to identify the source and how this device connects to the network.
    Note: Because the MAC address is flapping between two ports, track down both of the paths.
    This example shows how to track both of the paths from which this MAC address has been learned:
    Note: Assume that you have received this message and you have begun to investigate it.
    %SYS-4-P2_WARN: 1/Host 00:50:0f:20:08:00 is flapping between port 1/2 and port 4/39
    In order to track down how this MAC address was learned from both ports, complete these steps:
    1. Consider port 1/2 first, and issue the show cam dynamic 1/2 command.
    If you see the MAC address 00:50:0f:20:08:00 in the list of the MAC addresses that have been learned on this port, determine if this is a single host that is connected or if there are multiple hosts that are registered on that port.
    2. On the basis of whether there is a single or multiple hosts, investigate the device:
    o If there is a single host (00:50:0f:20:08:00) that is connected, check the other port that is registered and see if the host is dually attached to the switch.
    In this example, the other port is port 4/39.
    o If the host has connections to other devices that can eventually lead back to this switch, try to track down the intermediate devices.
    With Cisco devices, issue the show cdp neighbors mod/port detail command. The output provides information about intermediate devices.
    Here is sample output:
    Cat4K> (enable) show cdp neighbors 1/2 detail
    Port (Our Port): 1/2
    Device-ID: brigitte
    Device Addresses:
    IP Address: 172.16.1.1
    Novell address: aa.0
    Holdtime: 171 sec
    Capabilities: ROUTER
    Version:
    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-JS-L), Version 12.0(7)T,  RELEASE SOFTWARE (fc2)
    Copyright (c) 1986-1999 by cisco Systems, Inc.
    Compiled Mon 06-DEC-99 17:10 by phanguye
    Platform: cisco 2500
    Port-ID (Port on Neighbors's Device): Ethernet0
    VTP Management Domain: unknown
    Native VLAN: unknown
    Duplex: half
    System Name: unknown
    System Object ID: unknown
    Management Addresses: unknown
    Physical Location: unknown
    Cat4K> (enable)
    3. Establish a Telnet session with the device and follow the path of the MAC address.
    In this example, the IP address is 172.16.1.1.
    Repeat the procedure for all MAC addresses that the error message reports as flapping.
    4. Create a simple diagram of the source device with that MAC address and of the physical connections (the Catalyst 4500/4000 ports) from which and to which this MAC address is flapping.
    The diagram enables you to determine if this is a valid port and path for your network layout.
    If you verify that both ports on which the MAC address is flapping provide a path toward that network node, there is a possibility that you have a spanning-tree failure issue. Refer to Spanning Tree Protocol Problems and Related Design Considerations <http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800951ac.shtml> in order to isolate and troubleshoot this loop.
    In large networks in which multiple hosts from multiple vendors are interconnected, difficulty arises as you try to track down the host with use of just the MAC address. Use the search utility for the IEEE OUI and Company_id Assignments <http://standards.ieee.org/regauth/oui/index.shtml> in order to track down these MAC addresses. This list is the front end of the database where IEEE has registered all MAC addresses that have been assigned to all vendors. Enter the first three octets of the MAC address in the Search for: field of this page in order to find the vendor that is associated with this device. The first three octets in the example are 00:50:0f.
    These are other issues that can cause this message to appear:
    · Server NIC redundancy problem: There is a server with a dual-attached NIC that misbehaves and does not follow the standards. The server uses the same MAC address for both ports that connect to the same switch.
    · Hot Standby Router Protocol (HSRP) flapping: Flapping HSRP can cause these messages to appear in the Supervisor Engine console. If you notice that the HSRP implementation in your network is unstable, refer to Understanding and Troubleshooting HSRP Problems in Catalyst Switch Networks <http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094afd.shtml> in order to resolve the problem.
    · EtherChannel misconfiguration: A misconfigured EtherChannel connection can also cause these symptoms. If ports that the flapping message reports are members of the same channel group, check your EtherChannel configuration and refer to Understanding EtherChannel Load Balancing and Redundancy on Catalyst Switches <http://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtml> in order to troubleshoot the configuration.
    · Host reflects packets back onto the network: The reflection of packets back onto the network by a host can also cause flapping. Typically, the root cause of this packet reflection is a broken NIC or any failure of the physical interface of the host that is connected to the port.
    If the reflection of packets by the host is your root cause, obtain a sniffer trace and examine the traffic that goes to and from the ports on which the messages have appeared. If a host reflects packets, you typically see duplicate packets in the trace. The duplicate packets are a possible symptom of this flapping of the MAC address.
    Refer to Configuring SPAN and RSPAN <http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/6.3and6.4/configuration/guide/span.html> for details on how to configure a port for use with a sniffer.
    · Software or hardware defect: If you have tried to troubleshoot the flapping message with the instructions in this section but you still notice the issue, seek further assistance from Cisco Technical Support <http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html>. Be sure to mention and provide documentation of the information that you have collected while you followed the steps. This information makes further troubleshooting quicker and more efficient.
    HTH
    Regards
    Inayath
    *Plz rate all useful posts.

  • IDSM in redundant switching environment

    I have two 6500 switches/routers trunked to each other serving various devices. The two switches are installed for the purpose of redundancy and the same VLANs are configured on both. My question is related to deploying IDSM-2 blades in this environment. Can I just use a single blade in one switch and still be able to monitor desired VLAN traffic through VACL or SPAN/VSPAN/RSPAN, or do I need two IDSM blades, one in each switch? Has anyone deployed IDS in this environment, and what are the benefits of deploying 2 (one in each) versus 1?

    RSPAN is generally the method of choice for these types of configurations.
    The packets from both switches can then be monitored by a single IDSM-2 in one switch.
    You can also provide some redundancy by placing a second IDSM-2 in the other switch, and have both IDSM-2s monitoring the exact same traffic (each IDSM-2 is monitoring packets from both switches).
    You will get duplicate alarms (one from each IDSM-2) when both are running, but it will ensure you do not miss any alarms if one of the switches should happen to go down for maintenance or power loss.
    There are other deployment options, but these depend on some specifics that you will need to analyze:
    Do you have asymmetric traffic?
    Quite often in these types of setups, both switches are carrying traffic at the same time, and on occasion the client traffic will go through one switch, but the server response traffic will come through the other switch. For the IDSM-2 to properly track these connections it needs to see traffic from both switches. So if asymmetric traffic patterns exist, then RSPAN needs to be used so both switches can be monitored by a single IDSM-2.
    If asymmetric traffic does not exist, then the IDSM-2 does not need to monitor both switches.
    You could deploy an IDSM-2 in each switch. Then, using either SPAN or VACL Capture, the IDSM-2 could monitor just the traffic flowing through the switch where it is located.
    What are the traffic rates?
    The IDSM-2 has an upper performance limitation of 600Mbps. If you are forced to use RSPAN because of asymmetric traffic patterns, then you will only have the ability to monitor 600Mbps and must choose wisely what will be RSPANed to the IDSM-2.
    If you do not have asymmetric patterns then you can at least use 2 IDSM-2s (one in each switch) and possibly more (see below).
    Is the traffic being routed by the switch/MSFC?
    If no traffic is being routed by the switch, and you do not have asymmetric traffic patterns, then you are in luck. This is the easiest deployment scenario. You can have multiple IDSM-2s in each switch. Each IDSM-2 would be configured to monitor one or more VLANs using VACL Capture. The performance limitation is 600 Mbps times the number of IDSM-2s you purchase and can fit in the switch.
    If traffic is being routed, however, you once again run into a situation where a single IDSM-2 has to monitor all of the VLANs in the switch (when using VACL Capture). There is an interaction with the routing features of the switch/MSFC which forces a single IDSM-2 (per switch, if there are no asymmetric traffic patterns) to be used to monitor all of the VLANs in that switch.
    And you are now limited to the 600 Mbps limitation (or 2*600Mbps if you place one in each switch and there are no asymmetric traffic patterns).

  • UCCX 8.0(2) SPAN/RSPAN based VOIP Monitoring

    Hi All,
    UCCX 8.0(2) High Availability (both servers are co-located in the data center, while agents and supervisors are in a building across the street over fibre).
    The SRND for UCCX 8 describes that it supports SPAN and/or RSPAN based VoIP monitoring, which is a requirement for my client as they have CAD Agents running on Citrix thin clients and Supervisors on thick client PCs.
    However, I am struggling to find a way to achieve this solution for my client with UCCX 8.x. With UCCX 7 we would not have had this problem, as you can configure the 2nd NIC adaptor on the UCCX server as the VoIP Monitoring server port/IP under PostInstall and sniff all traffic for all Agent phone devices as configured under CDA.
    Desktop Monitoring is not supported for a thin client environment. The customer may eventually purchase QM/WFM, but for now we urgently require the essentials of agent monitoring on UCCX.
    Has anybody successfully achieved the configuration described above, or have any ideas?
    Thank you,
    Yavuz

    Have you been able to get a response to this post?  I am running into the exact same issue with an upgrade to UCCx 8.0.  SPAN on the 2nd NIC isn't allowed, and now the customer has lost functionality.
    Thanks,
    Ben

  • SPAN/RSPAN issues

    Hi All,
    I'm looking in to a problem regarding slow response to a file server, post implementation of RSPAN source changes.
    SCENARIO
    The LAN is a stack of 2/3 3750's on each floor, with a data Vlan per floor and a network wide voice Vlan 300. These access switches are gig fibre connected to two core switches, 6506's. Nortel IP handsets have been deployed and the voice Vlan 300 is being SPAN'ed to record to an IP voice recorder server. No problems there.
    However, now there are Softphones deployed on various PC's and in order to facilitate staff relocation throughout the building, WITHOUT having to reconfigure any switch ports each time, the Data Vlan on each floor has also been specified as a source.
    Having put the additional config in to capture the data Vlan, there appears to be slow response when accessing a file server on a different Vlan. A ping -t that runs while copying a file to the Win 2003 file server actually drops and the copy hangs. If you try this again having either suspended the access switch RSPAN or shifted the file server to the other core switch, it seems to be OK and the difference in the ping response is very apparent.
    QUESTION
    Has anyone come across any performance problems such as this and if so could you shed some light please?
    Here's the config from only one of the floors:
    DATA Vlan 112
    VOICE Vlan 300
    Remote SPAN dest Vlan 30
    monitor session 1 source vlan 112 , 300
    monitor session 1 destination remote vlan 30
    Here's the config from the core switch where the voice recorder sits;
    interface GigabitEthernet4/2
    description *** SPAN destination for Witness CSS01 NIC 1 ***
    no ip address
    speed 100
    duplex full
    switchport
    spanning-tree portfast
    monitor session 1 destination interface Gi4/2
    monitor session 1 source remote vlan 30
    Kind Regards
    Ali

    Hello Ali,
    I experienced trouble with 3750s using 1000-BASE-SX and 1000-BASE-LH lasers that gave poor performance with file transfers.
    This was the case on switches that had MLS QoS enabled for IP phones.
    The symptoms are described in bug toolkit CSCeg29704. There is a workaround. Upgrading to 12.2(25)SED or higher resolves the problem.
    Release Notes
    After enabling QOS on 3750 and 3560 switches, certain application (mostly bursty
    and TCP based) experience significant performance degradation due to unexpected
    packet drops on some of the egress queues.
    This is due to initial default egress queue threshold settings
    (when qos enabled) not optimized for this type of traffic pattern.
    These initial default queue threshold settings (when qos enabled)
    thus need to be changed to accommodate this traffic.
    Workaround:
    Tune the egress queue thresholds parameters to
    allocate more to the affected queues.
    Specifically, egress queue 2 thresholds need to have the following settings:
    Thresholds1 = 200
    Thresholds2 = 200
    Reserved = 50
    Maximum = 400
    e.g.
    mls qos queue-set output 1 threshold 2 200 200 50 400
    mls qos queue-set output 2 threshold 2 200 200 50 400
    HTH
    Leon
    * Please rate useful posts.

  • SPAN on 3560s, RSPAN instead?

    Need a little help with this since I am not too familiar with RSPAN. Here is the situation in a nutshell. We have a Voice and Data network over multiple 3560 switches configured with several VLANs as follows:
    VLAN 2 - Voice
    VLAN 3 - Data
    VLAN 10 - Voice
    We use an IPCC recording server attached to the second switch to record calls on VLAN 10 (hence the two voice VLAN's). The phones that are on VLAN 10 are spread out between all 5 switches. The port on the second switch is tagged to VLAN 20 and is the only port on VLAN 20. Currently I have the monitor setup on Switch 1 as follows:
    #show monitor
    Session 1
    Type : Remote Source Session
    Source VLANs :
    Both : 10
    Dest RSPAN VLAN : 20
    monitor session 1 source vlan 10
    monitor session 1 destination remote vlan 20
    The problem is two fold. Not all of the phones on VLAN 10 are able to be recorded on the server. We are also able to record some of the phones from VLAN 2 even though they should not be able to.
    It's been suggested that doing this via RSPAN would fix the problem. If that's the case then what should the RSPAN config look like?

    When you say VLAN 100 do you mean VLAN 99?
    From what I am gathering, the basic config for all the switches where the destination port/vlan is not located would be as follows:
    create vlan 99 with:
    vlan 99
    remote-span
    then set up the monitor (the destination of a remote source session is the RSPAN VLAN, so it takes the remote keyword):
    monitor session 1 source vlan 10
    monitor session 1 destination remote vlan 99
    On the switch where the destination is:
    create vlan 99 with:
    vlan 99
    remote-span
    then set up the monitor:
    monitor session 1 source vlan 10
    monitor session 1 destination remote vlan 99
    then set up the second monitor (a remote destination session reads from the RSPAN VLAN and mirrors to a physical port):
    monitor session 2 source remote vlan 99
    monitor session 2 destination interface fa0/20
    By doing it that way I basically get rid of vlan 20 that I was using before in favor of a specific port.
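    An added consistency check for a multi-switch RSPAN design like the one sketched in this reply (example code written for this page, not from the poster or from Cisco). It parses the relevant lines of each switch's config, then verifies the rules the thread relies on: the RSPAN VLAN is declared remote-span on every switch, every feeding switch ends its session in destination remote vlan, and the switch holding the recorder has a session that reads source remote vlan and ends in a physical destination interface. The switch names, the VLAN ids and the fa0/20 port are constructed sample values modelled on the thread, not real devices.

```python
"""Check an RSPAN design spread over several Catalyst switches for consistency.

Constructed sample configs (modelled loosely on the thread, not real devices):
the access switches mirror voice VLAN 10 into RSPAN VLAN 99, and the switch
holding the call recorder drains VLAN 99 onto the recorder's port fa0/20.
"""
import re
from collections import defaultdict

SESSION_RE = re.compile(r"^monitor session (\d+) (source|destination) (.+)$")
VLAN_RE = re.compile(r"^vlan (\d+)$")


def parse_config(text):
    """Return (set of VLAN ids declared remote-span,
    {session_id: {"source": [args], "destination": [args]}})."""
    remote_span = set()
    sessions = defaultdict(lambda: {"source": [], "destination": []})
    current_vlan = None  # VLAN whose sub-commands we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VLAN_RE.match(line)
        if m:
            current_vlan = int(m.group(1))
            continue
        if current_vlan is not None and line == "remote-span":
            remote_span.add(current_vlan)
            continue
        if current_vlan is not None and line.startswith("name "):
            continue  # still inside the vlan block
        current_vlan = None  # any other top-level command leaves the vlan block
        m = SESSION_RE.match(line)
        if m:
            sid, kind, arg = m.groups()
            sessions[int(sid)][kind].append(arg.strip())
    return remote_span, dict(sessions)


def check_rspan(configs, rspan_vlan, sniffer_switch):
    """configs: {switch_name: config_text}. Returns a list of problems
    (an empty list means the design is consistent)."""
    problems = []
    tag = f"remote vlan {rspan_vlan}"
    for name, text in configs.items():
        remote_span, sessions = parse_config(text)
        if rspan_vlan not in remote_span:
            problems.append(f"{name}: vlan {rspan_vlan} is not declared remote-span")
        feeds_rspan = False   # a session ends in 'destination remote vlan N'
        drains_rspan = False  # a session starts from 'source remote vlan N'
        has_dest_port = False # ...and that session ends on a physical interface
        for sid, s in sessions.items():
            for dst in s["destination"]:
                if dst == tag:
                    feeds_rspan = True
                elif dst.startswith("vlan "):
                    # Local-SPAN syntax typed where the RSPAN VLAN was meant.
                    problems.append(
                        f"{name}: session {sid} 'destination {dst}' "
                        "is missing the 'remote' keyword")
            if tag in s["source"]:
                drains_rspan = True
                if any(d.startswith("interface ") for d in s["destination"]):
                    has_dest_port = True
        if name == sniffer_switch:
            if not drains_rspan:
                problems.append(f"{name}: no session with 'source {tag}'")
            if not has_dest_port:
                problems.append(f"{name}: no 'destination interface' for the sniffer")
        elif not feeds_rspan:
            problems.append(f"{name}: no session with 'destination {tag}'")
    return problems


# Constructed sample configs.
ACCESS_SWITCH = """
vlan 99
 remote-span
monitor session 1 source vlan 10
monitor session 1 destination remote vlan 99
"""

RECORDER_SWITCH = """
vlan 99
 remote-span
monitor session 1 source vlan 10
monitor session 1 destination remote vlan 99
monitor session 2 source remote vlan 99
monitor session 2 destination interface fa0/20
"""

# The same design typed without 'remote' on the first session's destination.
RECORDER_SWITCH_TYPO = RECORDER_SWITCH.replace(
    "destination remote vlan 99", "destination vlan 99")

GOOD = {"sw1": ACCESS_SWITCH, "sw2": RECORDER_SWITCH, "sw3": ACCESS_SWITCH}
BAD = {"sw1": ACCESS_SWITCH, "sw2": RECORDER_SWITCH_TYPO}

if __name__ == "__main__":
    for label, cfgs in (("good", GOOD), ("bad", BAD)):
        print(label, check_rspan(cfgs, 99, "sw2") or "consistent")
```

    The parser is deliberately lenient about indentation, because configs pasted into a forum post (as above) usually lose it; it treats remote-span as belonging to the most recent vlan line. Feed it the output of show running-config | include vlan|remote-span|monitor session from each switch in the RSPAN path.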

  • SPAN RSPAN Monitoring Software

    Dear Experts,
    Looking for SPAN/RSPAN like solarwind / Ciscoworks. 
    Which can generate reports
    Manage Graphs
    Create Custom Reports
    Any good software? Please advise...
    Jawad       

    For SPAN/RSPAN/ERSPAN/NETFLOW and similar traffic analysis, the graphical representation of such data is done using Cisco's hardware/software Network Analysis Module, aka NAM.
    However, for SPAN/RSPAN and other features you need to be selective about which NAM would suit you. You can check the NAM Deployment Guide to explore the different NAM options.
    For more details you can check :
    http://www.cisco.com/en/US/products/ps5740/Products_Sub_Category_Home.html
    NAM Deployment Guide:
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/white_paper_c07-505273.html
