Datasheet

© 2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 11 of 14
interface input snmp index: 10608
interface output snmp index: 10202
Symmetrically, a flow with the same data link, IPv4 and transport information is computed for inbound monitored
traffic:
LAYER 2 DESTINATION VLAN ID: 20
DATALINK ETHERTYPE: 0x0800
MAC SOURCE ADDRESS: 503d.e5fb.adcb
MAC DESTINATION ADDRESS: 0000.0400.0003
IPV4 SOURCE ADDRESS: 11.1.10.102
IPV4 DESTINATION ADDRESS: 11.1.10.103
TRNS SOURCE PORT: 1024
TRNS DESTINATION PORT: 80
The MAC source and destination in the preceding flows clearly show the two Layer 2 hops: the first to the Switch
Virtual Interface (SVI) on the distribution switch, the second to the destination workstation.
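When the same conversation is exported from more than one monitoring point, the hop relationship described above can be recovered automatically. The Python code below is an added example, not part of the Cisco datasheet: it parses records in the "NAME: value" layout shown above, groups them by IPv4 and transport fields, and orders each group into a chain in which one hop's destination MAC is the next hop's source MAC. The first sample record's MAC addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
# Constructed sample. Record 2 copies fields shown above; record 1's MAC
# addresses are assumptions chosen so that it forms the preceding Layer 2 hop.
SAMPLE = """\
MAC SOURCE ADDRESS: 0000.0400.0002
MAC DESTINATION ADDRESS: 503d.e5fb.adcb
IPV4 SOURCE ADDRESS: 11.1.10.102
IPV4 DESTINATION ADDRESS: 11.1.10.103
TRNS SOURCE PORT: 1024
TRNS DESTINATION PORT: 80

LAYER 2 DESTINATION VLAN ID: 20
MAC SOURCE ADDRESS: 503d.e5fb.adcb
MAC DESTINATION ADDRESS: 0000.0400.0003
IPV4 SOURCE ADDRESS: 11.1.10.102
IPV4 DESTINATION ADDRESS: 11.1.10.103
TRNS SOURCE PORT: 1024
TRNS DESTINATION PORT: 80
"""
FIELD = re.compile(r"^[ \t]*([A-Z0-9][A-Z0-9 ]*?):[ \t]*(\S+)[ \t]*$", re.M)
L3L4_KEY = ("IPV4 SOURCE ADDRESS", "IPV4 DESTINATION ADDRESS",
            "TRNS SOURCE PORT", "TRNS DESTINATION PORT")
MACS = ("MAC SOURCE ADDRESS", "MAC DESTINATION ADDRESS")

def parse_records(text):
    """Split blank-line-separated 'NAME: value' blocks into dicts."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [dict(FIELD.findall(b)) for b in blocks if FIELD.search(b)]

def l2_hop_chains(records):
    """Map each L3/L4 key to its ordered list of (src MAC, dst MAC) hops."""
    groups = defaultdict(list)
    for rec in records:
        if all(k in rec for k in L3L4_KEY + MACS):
            groups[tuple(rec[k] for k in L3L4_KEY)].append(rec)
    chains = {}
    for key, recs in groups.items():
        by_src = {r[MACS[0]]: r for r in recs}
        dsts = {r[MACS[1]] for r in recs}
        heads = [r for r in recs if r[MACS[0]] not in dsts]
        if len(heads) != 1:
            continue  # duplicates or a loop: not a simple hop chain
        chain, cur = [], heads[0]
        while cur is not None and len(chain) < len(recs):
            chain.append((cur[MACS[0]], cur[MACS[1]]))
            cur = by_src.get(cur[MACS[1]])
        chains[key] = chain
    return chains
```

Collapsing each chain to a single conversation avoids counting the same packets twice when both hops are monitored.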
Deployment with Remote SPAN and Flow-Based SPAN
Locally switched or routed traffic can also be analyzed by enabling Switched Port Analyzer (SPAN) monitoring,
which sends a copy of the traffic through the service module ports. Compared to the PVLAN deployment, this
solution does not require the access switch to act as a Layer 2-only device. Furthermore, the mirrored traffic can
also include CPU and ACL dropped traffic that would not otherwise reach the service module ASIC.
A remote SPAN (RSPAN) session is configured on the access and distribution switches to monitor the traffic
received on the access VLAN(s). With flow-based SPAN, the characteristics of locally switched traffic can be
matched exactly by an ACL filter applied to the RSPAN session. The locally switched traffic is mirrored on a
remote SPAN destination VLAN and carried on the service module ports, which are configured as trunks.
The configuration example in Figure 3 takes into account the same scenario addressed in the example with
PVLAN: locally switched traffic is exchanged between two workstations in the same subnet, both connected to a
stack of Cisco Catalyst 3750-X switches.