2 VLANs on 1 Port SPAN - Cisco 6500

Discussion in 'Cisco' started by sillz, Dec 21, 2007.

  1. sillz

    sillz Guest

    Currently, I have 2 VLANs that I'm SPANning using monitor session. I
    have 2 monitor sessions -- 1 for each VLAN. I have a need now to use
    a port SPAN for something else, but my 6509 has a limit of 2 monitor
    sessions.

    I need to free up a SPAN so that I can install an IDS. Can I monitor
    the 2 VLANs in 1 session as long as traffic bursts don't overwhelm
    the SPAN port?

    IOS Version 12.2(18)SXD7
    2 SUP2 Engines
    2 GigE 48 Port modules
    FlexWan Module / Router
    PFC2
    MSFC2

    Thanks,

    Beth
     
    sillz, Dec 21, 2007
    #1

  2. sillz

    Guest

    On Dec 21, 10:08 am, sillz <> wrote:
    > Currently, I have 2 VLANs that I'm SPANning using monitor session. I
    > have 2 monitor sessions -- 1 for each VLAN. I have a need now to use
    > a port SPAN for something else, but my 6509 has a limit of 2 monitor
    > sessions.
    >
    > I need to free up a SPAN so that I can install an IDS. Can I monitor
    > the 2 VLANs in 1 session as long as traffic bursts don't overwhelm
    > the SPAN port?
    >
    > IOS Version 12.2(18)SXD7
    > 2 SUP2 Engines
    > 2 GigE 48 Port modules
    > FlexWan Module / Router
    > PFC2
    > MSFC2
    >
    > Thanks,
    >
    > Beth


    Beth,

    It's definitely possible to have multiple VLANs as a source. But like
    you said, you have to be careful not to oversubscribe or you'll miss
    some data due to queue drops (or worse, spike the CPU).

    HTH,
    neteng
    http://blog.humanmodem.com
     
    , Dec 21, 2007
    #2

  3. sillz

    Thrill5 Guest

    "" <> wrote in message
    news:...
    > Beth,
    >
    > It's definitely possible to have multiple VLANs as a source. But like
    > you said, you have to be careful not to oversubscribe or you'll miss
    > some data due to queue drops (or worse, spike the CPU).
    >
    > HTH,
    > neteng
    > http://blog.humanmodem.com


    No need to worry about spiking the CPU; the 6500 doesn't use the CPU to
    switch packets or to mirror ports. It's more likely that the IDS will get
    overloaded long before the 6500 starts dropping packets because of an
    oversubscribed GIG interface.
     
    Thrill5, Dec 21, 2007
    #3
  4. sillz

    CeykoVer Guest

    "sillz" <> wrote in message
    news:...
    > Currently, I have 2 VLANs that I'm SPANning using monitor session. I
    > have 2 monitor sessions -- 1 for each VLAN. I have a need now to use
    > a port SPAN for something else, but my 6509 has a limit of 2 monitor
    > sessions.
    >
    > I need to free up a SPAN so that I can install an IDS. Can I monitor
    > the 2 VLANs in 1 session as long as traffic bursts don't overwhelm
    > the SPAN port?
    >
    > IOS Version 12.2(18)SXD7
    > 2 SUP2 Engines
    > 2 GigE 48 Port modules
    > FlexWan Module / Router
    > PFC2
    > MSFC2
    >
    > Thanks,
    >
    > Beth


    In the interest of planning ahead - you may need to look into "VACLs". If
    you ever need a 3rd session...that is a decent solution.
     
    CeykoVer, Dec 21, 2007
    #4
  5. sillz

    Guest

    On Dec 21, 10:46 am, "Thrill5" <> wrote:
    > No need to worry about spiking the CPU; the 6500 doesn't use the CPU to
    > switch packets or to mirror ports. It's more likely that the IDS will get
    > overloaded long before the 6500 starts dropping packets because of an
    > oversubscribed GIG interface.


    Good point. Thanks Thrill5.

    neteng
    http://blog.humanmodem.com
     
    , Dec 21, 2007
    #5
  6. sillz

    sillz Guest

    On Dec 21, 1:45 pm, ""
    <> wrote:
    > Good point. Thanks Thrill5.
    >
    > neteng
    > http://blog.humanmodem.com


    Thanks, I've seen some stuff on VACLs. So I can use a VACL to
    capture and filter traffic? In this case it would need to be all
    traffic on VLAN1. Could you give me an example of how I could capture
    VLAN1 traffic and send that to a port where I have the collector/
    sniffer?

    Beth
     
    sillz, Dec 21, 2007
    #6
  7. sillz

    Brian V Guest

    "sillz" <> wrote in message
    news:...


    > Thanks, I've seen some stuff on VACLs. So I can use a VACL to
    > capture and filter traffic? In this case it would need to be all
    > traffic on VLAN1. Could you give me an example of how I could capture
    > VLAN1 traffic and send that to a port where I have the collector/
    > sniffer?
    >
    > Beth

    All you need to know and then some!
    http://www.cisco.com/en/US/docs/swi...ative/configuration/guide/vacl.html#wp1089072
     
    Brian V, Dec 22, 2007
    #7
  8. sillz

    Trendkill Guest

    On Dec 21, 7:05 pm, "Brian V" <> wrote:
    > "sillz" <> wrote in message
    > news:...
    > Thanks, I've seen some stuff on VACLs. So I can use a VACL to
    > capture and filter traffic? In this case it would need to be all
    > traffic on VLAN1. Could you give me an example of how I could capture
    > VLAN1 traffic and send that to a port where I have the collector/
    > sniffer?
    >
    > Beth
    >
    > All you need to know and then some!
    > http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF...


    Set up a named security ACL to capture all traffic that you want (could
    be ip any, but up to you). Then map this security ACL to a VLAN or
    set of VLANs, and finally set a destination port to send the matches
    to. Do not forget to 'commit' the VACL, or it will not work. Here is
    some documentation.

    http://www.cisco.com/warp/public/473/vacl-catos6k.pdf
     
    Trendkill, Dec 23, 2007
    #8
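Worked configuration for both answers in this thread, added here as an example and not taken from any post or from Cisco's documentation: neteng's point that one SPAN session can carry both VLANs (freeing session 2 for the IDS), and Trendkill's four VACL-capture steps written in Catalyst 6500 native IOS 12.2SX syntax, which is what Beth's 12.2(18)SXD7 box runs. Assumptions: VLANs 10 and 20 stand in for Beth's two SPANned VLANs, VLAN 1 is the VACL capture source as she asked, and every GigabitEthernet port number is a placeholder; Trendkill's 'commit' step and the linked PDF are CatOS syntax, and in native IOS applying the `vlan filter` is what makes the map live.

```cisco
! Added example, not from the thread or Cisco's docs. Catalyst 6500 native
! IOS 12.2SX syntax; VLAN and GigabitEthernet numbers are placeholders.

! --- 1. Collapse the two per-VLAN sessions into one (neteng's answer) ---
! Both VLANs become sources of session 1; 'both' (rx+tx) is the default.
no monitor session 2
monitor session 1 source vlan 10 , 20 both
monitor session 1 destination interface GigabitEthernet3/1
! Session 2 is now free for the IDS sensor, here a port-based SPAN.
monitor session 2 source interface GigabitEthernet1/1 both
monitor session 2 destination interface GigabitEthernet3/2

! --- 2. VACL capture as a third feed (Trendkill's steps, IOS syntax) ---
! Step 1: named ACL selecting what to copy; 'permit ip any any' = all IP.
! (An IP ACL matches IP only; add a MAC ACL and 'match mac address'
! to the access-map if non-IP frames on the VLAN matter to you.)
ip access-list extended CAPTURE-VLAN1
 permit ip any any
! Step 2: VLAN access-map that forwards matches normally AND copies them
! to the capture port ('forward capture', not 'drop').
vlan access-map VACL-CAPTURE 10
 match ip address CAPTURE-VLAN1
 action forward capture
! Step 3: map the access-map to the VLAN(s). In native IOS there is no
! separate 'commit'; the map is live as soon as the filter is applied.
vlan filter VACL-CAPTURE vlan-list 1
! Step 4: destination port for the copies, limited to VLAN 1 traffic so
! captures added for other VLANs later do not land on this sniffer port.
interface GigabitEthernet3/3
 switchport
 switchport capture allowed vlan 1
 switchport capture

! --- Checks: confirm what is applied and watch for oversubscription ---
show monitor session all
show vlan access-map VACL-CAPTURE
show vlan filter
show ip access-lists CAPTURE-VLAN1
show interfaces GigabitEthernet3/1 | include drops|output
show interfaces GigabitEthernet3/3 | include drops|output
```

The thread's oversubscription warning applies to the capture port as much as to the SPAN destination: the VACL copies every matching packet on VLAN 1 regardless of ingress port, so rising output drops on the destination interfaces are the signal that the sniffer or IDS is being fed more than one gigabit port can deliver.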
