Solved

Cisco SPAN Configuration

Posted on 2011-09-08
10
1,216 Views
Last Modified: 2012-05-12
We are using Websense to monitor and filter web traffic so we setup SPAN session to monitor web traffic on the Catalyst switch stack and everything was working fine then we upgraded Websense to 7.6 and upgraded the switch's IOS to 15.0 and after a while it stopped working.
I just wanted to know if I am now required to insert a new piece of code to the existing one because the SPAN configuration is not working. This is what I had to make the port a SPAN monitoring port:

monitor session 1 source interface FastEthernet1/0/1
monitor session 1 destination interface FastEthernet1/0/15 encapsulation replicate

Both are in the default same VLan
this is the output of sho monitor

Type : Local Session
Source Ports :
Both : Fa1/0/1
Destination Ports : Fa1/0/15
Encapsulation : Native
Ingress : Disabled
0
Comment
Question by:Maximus54
  • 6
  • 2
  • 2
10 Comments
 
LVL 22

Expert Comment

by:eeRoot
ID: 36506984
Your config appears correct.  Is it possible that the websense unit lost a settings in its config due to the upgrade?  Also, verify that port 15 did not shut down for some reason.
0
 

Author Comment

by:Maximus54
ID: 36507726
eeRoot, I have removed and uninstalled Websense and checked all of the settings and I dont think that is the problem. I suspected that it was the SPAN setting, I did a check on the destination port to see if traffic was being sent there( #show int Fa1/0/15 summary) and the Rx(ingress) shows up as 0 when the source port show more numbers. It sounds that the destination port is not getting any Rx traffic or is the Rx supposed to be 0.
0
 
LVL 22

Accepted Solution

by:
eeRoot earned 250 total points
ID: 36508215
Rx would be 0 because nothing is coming into the port from the Websense.  Although I've never heard of a monitor seession getting locked up, you may want to remove and re-add it.  Also, there is a piece of software called Wireshark, you can load it onto a laptop and then connect the laptop to the Fa1/0/15 interface and see if Wireshark shows any packets being sent out.  If not, then the problem lies with the switch
0
 

Author Comment

by:Maximus54
ID: 36510524
eeRoot, good idea. I will try and let you know. thanks
0
 
LVL 8

Expert Comment

by:amatson78
ID: 36511378
I would run a wireshark test but if you are using the SPAN port for the Websense Network Agent there will be no return traffic because the Network Agent only "Sniffs" which is why it is not required to have an IP address. It is only a monitor port. Is this a Standalone Websense Install?
0
Network it in WD Red

There's an industry-leading WD Red drive for every compatible NAS system to help fulfill your data storage needs. With drives up to 8TB, WD Red offers a wide array of solutions for customers looking to build the biggest, best-performing NAS storage solution.  

 

Author Comment

by:Maximus54
ID: 36511676
I did plug in wireshark and it is picking up traffic after I took out the encapsulation replicate portion of the code from the destination port. In fact I am getting Request, Blocked and RTSU numbers on Websense counters but it is still not blocking. I have 2 NIC cards, both are configured with IP addresses, the NIC 1 connected to the listening port only has an IP and Mask (No gateway or DNS) and the NIC 2 connected to the destination has all the IP configuration in it. I set up NIC 1 as the monitoring NIC and NIC 2 as the blocking NIC. is there something wrong with the setup. It used to work.
And yes it is a standalone Websense install.
0
 

Author Comment

by:Maximus54
ID: 36511707
That's strange after I took out the encapsulation replicate portion in the switch code, the Real-Time Monitor mode works and I can see traffic which I was not able to before. Let me flip the blocking NIC
0
 
LVL 8

Assisted Solution

by:amatson78
amatson78 earned 250 total points
ID: 36511734
I am not a cisco guru by any means but I know Websense works with just the default span command. Like you said you have a blocking NIC and a monitoring NIC. The monitoring NIC just sits there and listens to the incoming traffic. If it cannot see or read the traffic then it will not be able to perform its job.:)
0
 

Author Comment

by:Maximus54
ID: 36511744
SO amatson78, should I also make the monitoring NIC the Blocking NIC then, I have not done it yet as I do not want to mess it up since part of is now working.
0
 

Author Comment

by:Maximus54
ID: 36511805
Never mind it works now, I guess the solution is to take out the encapsulation replicate portion, this may be due to the IOS 15.0 upgrade. I left the NICs as is and it works One monitors, the other blocks. Thanks for all of your help guys, you lead me in the right direction.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Office 365 setting for security 4 64
Recommendations for cloud-based web filtering 4 74
Can't get access/ownership to folder 3 89
Unifi AP 4 53
An overview of HIPAA and guidance on this topic that Experts Exchange members can offer.
A customer recently asked me about anti-malware and the different deployment options available for his business. Daily news about cyberattacks, zero-day vulnerabilities, and companies that suffered a security breach made him wonder if the endpoint a…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now