Interpreting RSPAN traffic

Kevin Dorrell · ‎03-27-2008

This is going to sound like a dumb question, 'cos I should know this.

When you do an RSPAN (on a 4500), and you source from a VLAN, do you see each packet twice ... once as it enters and once as it exits the switch? That's what I seem to be seeing. Each and every packet appears on the trace twice, seperated by 10 to 20 microseconds.

Furthermore, for packets that I am re-marking DSCP on ingress, I see both versions, once as received from the host, and once after re-marking. Is that normal?

I have checked that I only have one source for the monitor session. If I "no" the "monitor session source" command, the trace stops, so I don't think I am monitoring more than one point.

Kevin Dorrell

Luxembourg

mattcalderon · ‎03-27-2008

I found this on RSPAN in the config guide. It seems that it is sent out and then looped back.

So it seems it is sent twice.

Traffic sent out through the source port is also sent out on the reflector port. Because the reflector port is an access (non-trunking) port in loopback mode, the traffic is switched out with no VLAN tag and is immediately sent back to the switch. In the loopback, the traffic is encoded into the RSPAN VLAN. A switch with an RSPAN destination session receives the traffic (see Figure 26-2).

Kevin Dorrell · ‎03-27-2008

Mmm, I think this is a bit different. In the case of the 4500 there is no need for a reflector port. Maybe there is a hidden one implemented in the ASIC.

But my question was more about the behavior when monitoring a VLAN:

monitor session 1 source vlan 2

monitor session 1 destination remote vlan 40

In this case, I seem to see every packet on the VLAN 2 twice. I know they are the same packets because the UDP ids are the same. However, the DSCP markings are different with re-marking the packet, which is what makes me suspect that it monitors once on ingress and once again on egress (on vlan 2).

Can anyone confirm these observations?

Kevin Dorrell

Luxembourg

sundar.palaniappan · ‎03-27-2008

Kevin,

From the explanation below my interpretation of what you are seeing is the rx traffic of vlan 2 and tx traffic of destination port. Another reason why I think this may be the case is due to the fact you can only monitor rx traffic when your monitor source is a VLAN itself.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/5.x/configuration/guide/span.html

In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN destination port. For example, a bidirectional (both ingress and egress) SPAN session is configured for sources a1 and a2 to a destination port d1. If a packet enters the switch through a1 and gets switched to a2, both incoming and outgoing packets are sent to destination port d1; both packets would be the same (if a Layer-3 rewrite occurrs, the packets are different). Similarly, for RSPAN sessions with sources distributed in multiple switches, the destination ports might forward multiple copies of the same packet.

HTH

Sundar

padramas · ‎03-27-2008

Hello Kevin,

Have you tried the option rx /tx to capture one way traffic ?

monitor session 1 source vlan 2 [rx/tx]

by default, traffic in both directions are captured of a source vlan/interface.

HTH

Padmanabhan

sundar.palaniappan · ‎03-27-2008

Kevin,

Thinking a little further I guess this behavior may be due to the fact your monitor source is VLAN, which can span multiple switches.

Can you try setting a port, instead of VLAN 2, as the source with the same RSPAN setup that you have now and check whether you see the same behavior.

HTH

Sundar

Kevin Dorrell · ‎03-28-2008

Sundar,

Yes, you are right. It seems that if you source from a VLAN, and a packet eneters by that VLAN and leaves by the same VLAN, then the monitor will see it twice: once as it enters the switch and once as it leaves.

Of course, if it leaves by a different VLAN because it has been routed, then you will only see it once.

That is useful, because you can see the "before and after" effects of re-marking the packet. But it did take me by surprise when I thought I was seeing double.

If you want to see each packet only once, then you have to specify rx (to see the packets as they ingress) or tx (to see packets as they egress).

Kevin Dorrell

Luxembourg

Kevin Dorrell · ‎03-28-2008

That's a good idea. I tried with just rx and with just tx, and I got only one copy of each packet.

It is interesting, because in the case of a VLAN source the rx and the tx are not really about traffic direction. They are about coming into the switch and leaving the switch.

If you specify rx, then you get to see the packets as they ingress the switch. Packets for a particular flow are entering by port A and leaving by port B. In the other direction, they are entering by port B and leaving by port A. The SPAN gets to see the ingress traffic, i.e. the traffic as it enters port A for one direction, and the traffic as it enters port B for the other direction.

If you specify tx, then you get to see the packets as they egress the switch. Packets for a particular flow are entering by port A and leaving by port B. In the other direction, they are entering by port B and leaving by port A. The SPAN gets to see the egress traffic, i.e. the traffic as it leaves port B for one direction, and the traffic as it leaves port B for the other direction.

If you don't specify rx or tx, then you get to see both. Each packet is monitored twice: once as it enters the switch at port A, and once as it leaves it at port B. And vice versa for the other direction.

Kevin Dorrell

Luxembourg