• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2786
  • Last Modified:

Problems Using Port Spanning on Cisco 3550

Hi All,

I have purchased a copy of Network Instruments Observer suite, but am having problems with my port spanning on my Catalyst 3550.

Here's my set up.

In the server room, we have a 24 Port Catalyst 3550 which is our core switch, all the servers and other switches are linked through this one.

I have a cable patched into Port 1 on the switch to my machine down here, which has a Network Instruments PCMCIA card in (promiscuous)

If want to port span one of the ports to monitor it and send the traffic through to this port I am entering the following (Port 16 is the example in this)

CATALYST_9#conf t
CATALYST_9(config)#monitor session 1 source interface Fa0/16
CATALYST_9(config)#monitor session 1 destination interface Fa0/1
CATALYST_9#show monitor session 1

Session 1
Type              : Local Session
Source Ports      :
    Both          : Fa0/16
Destination Ports : Fa0/1
    Encapsulation : Native
          Ingress: Disabled

So all looks OK, but as soon as I make these changes, it effectively disables the PCMCIA card connection that is plugged into Port 1

How do I stop this? I can't even ping anything, to get my connection back I have to hyperterminal in from another machine and remove the monitor ports.

Many Thanks
6 Solutions
This is normal operation.  The destination SPAN port on the switch does not receive traffic.  You must have two network cards in the "destination" machine if you want it to also act as a "normal" network host.  One card dedicated to the SPAN traffic, the other card acting as your regular network connection.
My good friend JFrederick29 is correct. This is normal behavior. Notice the "Ingress:Disabled" that means no packets from your PC will be allowed in the span port. It is now a one-way port. Your Observer application will work just fine if you fire it up, you'll see all the traffic that you have mirrored to it.
A4eITAuthor Commented:
Thanks for the replies guys, The problem still exists when I've got the secondary network card running on the same network as my regular network connection.

But as soon as I enable the promiscuous card, it cuts off all my network traffic!! what could be causing that?

For example, I have a continuous ping to one of the fileservers using the regular connection, but the moment I connect my promiscuous card it starts timing out.
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

enable ingress traffic on port fa0/1
ingress traffic on a destination port is not supported on the 3550:

"When you configure a switch port as a SPAN destination port, it is no longer a normal switch port; only monitored traffic passes through the SPAN destination port. "

It just does not make sense to me that if you have network access with NIC#1 plugged into switch port 0/X and you enable NIC#2 in promiscuous mode that is plugged into port 0/1, that NIC#1 will stop functioning..

A4eITAuthor Commented:

Anyone else know why this would be cutting off all my other network connections? It doesn't make sense!
Just a suggestion: strip the TCP/IP Protocol and all related driver enhancements off of the PCMCIA NIC so that it is not participating in the local machine's networking.  The promiscuous mode driver will still allow the NIC to capture traffic.  If that fails, I'd say that you have an application/configuration issue -- I do not have any experience with Observer (besides a trial version I toyed with many moons ago) so I'm not quite sure what configuration parameters there are, but it sounds like its grabbing more control than it should.

What is your hardware and OS that you are running Observer on?
A4eITAuthor Commented:
I just tried that but it won't capture any traffic that's not TCP/IP (almost everything) :O(

It's running on my  HP Compaq NC6000 running Windows XP SP2
make sure that the promiscuous/listening nic doesn't have a default route in it's ip stack configured.

SP2? personal firewall disabled?

This might help:

A4eITAuthor Commented:
Hi guys, turns out my machine was locking up, as 512MB wasn't enough to handle it
A4eITAuthor Commented:

I am closing this on behhalf of my colleauge.

I have split the points fairly between all respondents with a slight bias towards lrmoore for the most feedback.

Thanks again.

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now