FWeston
asked on
SPAN output and regular traffic on the same switchport?
I have a 3750 series switch that I'm trying to use along with ntop to monitor bandwidth usage by inside host on our network.
The ntop host has 1 NIC and is connected to G1/0/13 on the 3750. G1/0/13 is an access port on VLAN 1, and I can communicate with the ntop host with no problems before I set up the SPAN session.
Our firewall's inside interface is on VLAN 208, and the 3750 is doing IP routing between our different VLANs, so I set up a SPAN session like this:
monitor session 1 source vlan 208
monitor session 1 destination interface Gi1/0/13 ingress untagged vlan 1
That seems to work as far as getting all of the packets sent to/from our firewall to ntop, however as soon as I set up the monitor session I can no longer ping the ntop host. I thought the ingress keyword would permit traffic from the ntop host back into the switch and dump it on VLAN 1, but apparently that's not the case.
What do I need to do so I can send the output of the monitor session to the ntop host, AND still be able to communicate with the ntop host?
The ntop host has 1 NIC and is connected to G1/0/13 on the 3750. G1/0/13 is an access port on VLAN 1, and I can communicate with the ntop host with no problems before I set up the SPAN session.
Our firewall's inside interface is on VLAN 208, and the 3750 is doing IP routing between our different VLANs, so I set up a SPAN session like this:
monitor session 1 source vlan 208
monitor session 1 destination interface Gi1/0/13 ingress untagged vlan 1
That seems to work as far as getting all of the packets sent to/from our firewall to ntop, however as soon as I set up the monitor session I can no longer ping the ntop host. I thought the ingress keyword would permit traffic from the ntop host back into the switch and dump it on VLAN 1, but apparently that's not the case.
What do I need to do so I can send the output of the monitor session to the ntop host, AND still be able to communicate with the ntop host?
ASKER
I thought about that, but the system ntop is running on is a SFF desktop, so I'd have to purchase a special low-profile NIC. Since this should work, I'd like to figure this out before I spend money on something I shouldn't need.
What should I do to figure out why the above isn't working as I thought it should?
What should I do to figure out why the above isn't working as I thought it should?
Personally I don't like mixing the capture and management traffic as you end up with the management and "normal" host traffic mixed in with your results.
If the SFF desktop has USB, here is a cheap option to add a second NIC:
http://www.newegg.com/Product/Product.aspx?Item=N82E16833124335&nm_mc=OTC-Froogle&cm_mmc=OTC-Froogle-_-Network+-+Interface+Cards-_-Linksys-_-33124335
Otherwise, I'll try to replicate this and see if it works for me. Standby...
If the SFF desktop has USB, here is a cheap option to add a second NIC:
http://www.newegg.com/Product/Product.aspx?Item=N82E16833124335&nm_mc=OTC-Froogle&cm_mmc=OTC-Froogle-_-Network+-+Interface+Cards-_-Linksys-_-33124335
Otherwise, I'll try to replicate this and see if it works for me. Standby...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You can always use a second NIC in the nTop host and plug it into VLAN1 to be used for communication to the host and leave the g1/0/13 NIC as the capture only NIC.