[c-nsp] FWSM span question

barney gumbo barney.gumbo at gmail.com
Thu Jan 4 17:12:18 EST 2007


I'm trying to span an FWSM on a 6509 and have had reports of packets showing
up on the span dst aka monitor port that are not expected.  Unfortunately
this is being done remotely on a box with limited maintenance access so it's
difficult to troubleshoot in real time.

The 6509 is a sup720 running hybrid mode so it's CatOS.

I've set it up so the span src is the FWSM, and the dst is the monitoring
port.  I put the dst port in vlan99, which is the "outside" vlan, as far as
the FWSM and the 6509 are concerned.  I only want to see "outside" traffic
on the span dst port, which is monitoring; however, I'm told the host
connected to the monitoring port is seeing "inside" traffic as well.  The
host connected to the monitoring port is an IDS/IPS of sorts.  tcpdump on
the IDS/IPS box is how we're seeing the packets which aren't expected.

Are there any caveats or gotchas when it comes to setting up a span session
on a 6509 where an FWSM is the src?

Should I set the dst port up as a trunk with vlan99 as the native vlan
instead?

Should I just set the src port up as vlan99 and not the FWSM, and leave the
dst port, as currently configured, alone?

Any thoughts or suggestions or clue-bat swings would be appreciated.


misterswitchy> (enable) sh span

Permit List     : disabled
Permit Port List: None

Destination     : Port 1/5
Admin Source    : Port 3/1-6
Oper Source     : Port 3/1-6
Direction       : transmit/receive
Incoming Packets: disabled
Learning        : enabled
Multicast       : enabled
Filter          : -

Session Number  : 1


misterswitchy> (enable) sh port stat 1/5
# = 802.1X Authenticated Port Name.

Port  Name                 Status     Vlan       Duplex Speed       Type
----- -------------------- ---------- ---------- ------ ----------- ------------
 1/5  AAAAAAAAAA MON PORT  monitor    99         full   1000        1000BaseSX
misterswitchy> (enable)
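For reference, here are the three variants raised in the post written out as CatOS commands. This is an added example, not configuration from the original post or from the poster's switch; the port numbers (FWSM backplane ports 3/1-6, monitor port 1/5) and VLAN 99 are taken from the "show span" output above, everything else is assumed. The "Filter : -" line in that output means no VLAN filter is applied to the source, so every VLAN carried over the FWSM's backplane EtherChannel is copied to 1/5, which is consistent with "inside" traffic reaching the IDS.

```text
! Added example, not from the original post. Source ports 3/1-6, destination
! 1/5 and VLAN 99 are taken from the post; the command forms are standard
! CatOS "set span" / "set trunk" syntax and should be checked against the
! CatOS release actually running on the box.

! Variant A: keep the FWSM backplane ports as the source, but apply a SPAN
! VLAN filter so only frames belonging to VLAN 99 are copied. The filter
! keyword is what makes the "Filter" field in "show span" non-empty.
set span disable 1/5
set span 3/1-6 1/5 both filter 99

! Variant B: make VLAN 99 itself the source (VLAN-based SPAN) instead of the
! FWSM ports. Every port and module carrying VLAN 99 is then copied, and
! nothing from the inside VLAN is.
set span disable 1/5
set span 99 1/5 both

! Variant C: leave the source alone and turn the destination into a dot1q
! trunk with VLAN 99 as native. Copies then arrive at the IDS with their
! 802.1Q tags (non-native VLANs tagged, VLAN 99 untagged), so tcpdump -e
! on the IDS shows which VLAN each unexpected packet really came from.
set trunk 1/5 nonegotiate dot1q
set vlan 99 1/5

! Confirm the result in either case:
show span
show port status 1/5
```

Variant C does not stop the inside traffic; it only makes it identifiable. If the goal is that the IDS sees outside traffic only, variant A or B is the one to use, and "show span" should then report a Filter of 99 (A) or an Admin Source of VLAN 99 (B) rather than Port 3/1-6 with no filter.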

