My network has about 5 network subnets (VLANs), all created on the firewall and trunked on the core switch. Other switches are uplinked to the core switch. A ping from 10.2.100.19 to 10.2.100.16, when filtered in Wireshark, doesn't show up as captured ICMP, while a ping from 10.2.100.19 to 172.16.27.225 (another VLAN) appeared in Wireshark. This was tested with a couple of IPs and it seemed activity within the same subnet was not being captured. The SPAN created on the core switch is a VLAN source session. Please assist here as it's imperative to capture this traffic. What could be wrong? Is this a known issue? Could there be packet loss? Assist please.

asked 27 Aug '13, 09:11 ikpo
One Answer:
When the traffic is within the same VLAN and the systems are connected to the same access switch, the traffic will not pass the core (as it does not need to be routed by the FW and it does not need to be switched between access switches). Therefore, you will not see it in the SPAN session. The SPAN session with source VLAN on the core switch will only mirror traffic that enters the core switch on that particular VLAN, but this traffic never enters the core switch. You will need to create a local SPAN session on the access switch or create an RSPAN session on the access switch and forward the traffic in the capture VLAN over the trunk to the switch where your capture device is located.

answered 27 Aug '13, 09:36 SYN-bit ♦♦
It's a common misconception that spanning a VLAN will force all packets of that VLAN anywhere on the network to come over and exit the one switch through the SPAN port :-)
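The RSPAN arrangement described in the answer, as an added configuration example that is not part of the original thread. It assumes Cisco Catalyst IOS syntax (the thread does not name the switch vendor), and the VLAN numbers and interface name are placeholders: VLAN 100 stands in for the 10.2.100.x VLAN, VLAN 999 is a hypothetical dedicated RSPAN VLAN, and GigabitEthernet1/0/24 is a hypothetical port facing the capture device.

```cisco
! ---- Access switch (where 10.2.100.19 and 10.2.100.16 are connected) ----
! Define the dedicated RSPAN VLAN (999 is a placeholder).
vlan 999
 name RSPAN-CAPTURE
 remote-span
!
! Mirror frames received on ports in the monitored VLAN
! (100 is a placeholder for the 10.2.100.x VLAN).
! rx only: each frame is copied once, as it enters the switch.
monitor session 1 source vlan 100 rx
! Send the copies into the RSPAN VLAN instead of a local port.
monitor session 1 destination remote vlan 999
!
! ---- Core switch (where the capture device is connected) ----
! The same RSPAN VLAN must exist here and be marked remote-span.
vlan 999
 name RSPAN-CAPTURE
 remote-span
!
! Take everything arriving in the RSPAN VLAN and hand it to the
! capture port (interface name is a placeholder).
monitor session 2 source remote vlan 999
monitor session 2 destination interface GigabitEthernet1/0/24
```

The RSPAN VLAN has to be allowed on the trunk between the access switch and the core, and it should carry no other traffic. With this in place, a ping between two hosts on the same access switch is mirrored at the access switch and reaches the capture device even though the original frames never enter the core.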