[c-nsp] FWSM span question
Tassos Chatzithomaoglou
achatz at forthnet.gr
Fri Jan 5 06:49:24 EST 2007
Hi barney,
According to your output, you're monitoring all six ports (3/1-6) of the FWSM, which means you're capturing both inside and outside
traffic. So I guess what you're seeing is normal.
Maybe you should try "set span 99 1/5" (use the VLAN instead of the ports), but I don't know if it's generally possible to monitor this
kind of traffic.
--
Tassos
barney gumbo wrote on 5/1/2007 12:12 AM:
> I'm trying to span an FWSM on a 6509 and have had reports of packets showing
> up on the span dst aka monitor port that are not expected. Unfortunately
> this is being done remotely on a box with limited maintenance access so it's
> difficult to troubleshoot in real time.
>
> The 6509 is a sup720 running hybrid mode so it's CatOS.
>
> I've set it up so the span src is the FWSM, and the dst is the monitoring
> port. I put the dst port in vlan99, which is the "outside" vlan, as far as
> the FWSM and the 6509 are concerned. I only want to see "outside" traffic
> on the span dst port, which is monitoring, however I'm told the host
> connected to the monitoring port is seeing "inside" traffic as well. The
> host connected to the monitoring port is an IDS/IPS of sorts. tcpdump on
> the IDS/IPS box is how we're seeing the packets which aren't expected.
>
> Are there any caveats or gotchas when it comes to setting up a span session
> on a 6509 where an FWSM is the src?
>
> Should I set the dst port up as a trunk with vlan99 as the native vlan
> instead?
>
> Should I just set the src port up as vlan99 and not the FWSM, and leave the
> dst port, as currently configured, alone?
>
> Any thoughts or suggestions or clue-bat swings would be appreciated.
>
>
> misterswitchy> (enable) sh span
>
> Permit List : disabled
> Permit Port List: None
>
> Destination : Port 1/5
> Admin Source : Port 3/1-6
> Oper Source : Port 3/1-6
> Direction : transmit/receive
> Incoming Packets: disabled
> Learning : enabled
> Multicast : enabled
> Filter : -
>
> Session Number : 1
>
>
> misterswitchy> (enable) sh port stat 1/5
> # = 802.1X Authenticated Port Name.
>
> Port  Name                 Status     Vlan       Duplex Speed  Type
> ----- -------------------- ---------- ---------- ------ ------ ------------
> 1/5   AAAAAAAAAA MON PORT  monitor    99         full   1000   1000BaseSX
> misterswitchy> (enable)
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
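As an added illustration (not from either poster), here are the two SPAN configurations under discussion written out as CatOS commands. The syntax is the `set span` form as I recall it from the CatOS command reference, so treat the exact keywords, in particular the `disable` and `filter` forms, as an assumption to confirm with `set span ?` on the box; the VLAN and port numbers are the ones from the thread. The point it shows is why the IDS sees inside traffic: the six FWSM backplane ports are one trunk carrying every VLAN the FWSM firewalls, so a port-based source mirrors all of them, while a VLAN-based source mirrors only VLAN 99.

```text
! Session 1 as posted: source = all six FWSM backplane ports.
! Those ports carry every FWSM VLAN (inside and outside alike),
! so both directions of both security levels reach monitor port 1/5.
set span 3/1-6 1/5 both

! Tassos's suggestion: source the session on the outside VLAN only.
! First tear down the session that delivers to 1/5, then recreate it
! with VLAN 99 as the source (assumed syntax: disable takes the
! destination port).
set span disable 1/5
set span 99 1/5 both

! Alternative to verify on the box (assumption): keep the port source
! but restrict the trunk source to VLAN 99 with the filter keyword.
! "show span" prints a "Filter :" line, which is what this populates.
set span 3/1-6 1/5 both filter 99

! Confirm: "Admin Source" should read VLAN 99 (or "Filter : 99"),
! and tcpdump on the IDS should stop showing inside-VLAN hosts.
show span
```

Whichever form takes, the check on the IDS side is the same one the original poster already used: run tcpdump on the monitor interface and look for source or destination addresses that belong only to the inside networks; if any still appear after the change, the session is still sourced on more than VLAN 99.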