3

Suppose I had two Cisco switches each outputting some network traffic to a SPAN port, and I needed to send the sum of all that traffic to a third device for monitoring that traffic via libpcap. The easiest way to accomplish this would be to have two NIC's in the target device and send one SPAN port to each, but suppose the target device only contained a single NIC and was not expandable.

Obviously I can't route the SPAN traffic through a switch or router since the switch won't passively send all the traffic to my monitoring device disregarding MAC, IP, ARP, etc. However, thats exactly what an old school "Passive" Hub would do.

Will two SPAN ports "play nice" outputting to a single hub or will they "talk over" each other and ignore resource contention,etc. I know a SPAN port operating as a normal ethernet device in that it can't receive any traffic, respond to ARP requests, etc, but does it keep enough of the Ethernet smarts to coexist with other transmitters on the same circuit, or would it need to be the only transmitter on the wire?

HopelessN00b
  • 53,385
  • 32
  • 133
  • 208
bk.
  • 768
  • 1
  • 4
  • 13
  • That's a good question. My guess is that there would be talk over. I'd be interested in hearing a definitive answer to this. – user228546 Feb 10 '16 at 22:15

1 Answers1

1

SPAN ports on a switch will only send traffic out - they will drop any inbound traffic. Try this out in a lab environment.

Have a look at RSPAN - http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/span.pdf - which may help you by trunking your SPANned traffic across to another switch and down a single SPANned port.

Poggs
  • 39
  • 1
  • Thanks, I've used RSPAN before at locations where its available,but at the site this installation is for, they only have two separate SPAN ports. I know they will both only send traffic, my question if if they can both sent traffic out over the same passive hub without interfering with each other. Constructing the lab environment to try this out is going to require purchasing equipment, which I'm not allowed to do without expectation that it will work, which I won't know without purchasing equipment... and so on, which Is why I'm asking here first. – bk. Apr 01 '12 at 12:33