VLAN info not showing up on span session

whiteford

Hi,

I have a Cisco 3750 and I'm spanning a couple of ports to a single port where our Observer (packet capture server) is. These 2 ports I'm monitoring are in Vlan 2 and Vlan 3 but in Observer it shows no VLAN info, however I can see all the other traffic data.

The Observer consultant says it has to be the switch as he has seen this all working before.

Port 1/0/48 is the destination span port and it's in no vlan:

interface FastEthernet1/0/47
 shutdown
!
interface FastEthernet1/0/48
!
interface GigabitEthernet1/0/1
 shutdown

This is the span, I have to have session 1 for our Websense server, session 2 is what I'm on about and the 2 source ports are the inside and outside of our Cisco ASA firewall.

monitor session 1 source interface Fa1/0/3
monitor session 1 destination interface Fa1/0/6
monitor session 2 source interface Fa1/0/3 , Fa1/0/9
monitor session 2 destination interface Fa1/0/48

Any ideas as this is beyond my knowledge.

Thanks


ericn8484_2

If you want to grab the VLAN information and not just the data on the two ports, you are going to need to span the VLANs instead of the ports. However this is going to give you all data that is passing through the VLAN and not just the two ports that you are currently trying to investigate.

c3750_remote(config)#monitor session 1 source vlan < Remote RSPAN VLAN ID >
c3750_remote(config)#monitor session 1 destination interface < Interface ID >

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

Hi,

I did try also using the VLAN to span but I got the same result, this is what I did:

c3750_remote(config)#monitor session 2 source vlan 2,3
c3750_remote(config)#monitor session 2 destination interface 1/0/48

Again port 48 is in no VLAN and the NIC for this server has no IP etc.

Thanks

Are these VLANs trunked to another location? You might be able to perform a port monitoring on the Trunk interface and grab the Dot1Q headers.

How strange, this is the trunk port info, however vlan 2 isn't on there?? Even though it works? This trunk port goes to the ASA firewall.

interface FastEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 3,4,6,7,9,10,300
 switchport mode trunk

ASA:

ASA5520-1# sh vlan
4, 6-7 , 9-10 , 300

3750

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0/19, Fa1/0/20, Fa1/0/21, Fa1/0/22, Fa1/0/27, Fa1/0/28, Fa1/0/35, Fa1/0/36
                                                Fa1/0/37, Fa1/0/38, Fa1/0/39, Fa1/0/40, Fa1/0/41, Fa1/0/42, Fa1/0/43, Fa1/0/44
                                                Fa1/0/45, Fa1/0/47, Fa1/0/48, Gi1/0/1, Gi1/0/2, Gi1/0/3, Fa2/0/2, Fa2/0/19
                                                Fa2/0/20, Fa2/0/21, Fa2/0/22, Fa2/0/27, Fa2/0/28, Fa2/0/35, Fa2/0/36, Fa2/0/37
                                                Fa2/0/38, Fa2/0/39, Fa2/0/40, Fa2/0/41, Fa2/0/42, Fa2/0/43, Fa2/0/44, Fa2/0/45
                                                Fa2/0/47, Gi2/0/1, Gi2/0/2, Gi2/0/3, Gi2/0/4
2    VLAN0002                         active    Fa1/0/3, Fa1/0/4, Fa1/0/5, Fa1/0/6, Fa1/0/7, Fa1/0/8, Fa1/0/33, Fa1/0/34
                                                Fa2/0/3, Fa2/0/4, Fa2/0/5, Fa2/0/6, Fa2/0/7, Fa2/0/8, Fa2/0/33, Fa2/0/34
3    VLAN0003                         active    Fa1/0/9, Fa1/0/10, Fa1/0/11, Fa1/0/12, Fa1/0/13, Fa1/0/14, Fa1/0/15, Fa1/0/16
                                                Fa2/0/9, Fa2/0/10, Fa2/0/11, Fa2/0/12, Fa2/0/13, Fa2/0/14, Fa2/0/15, Fa2/0/16
                                                Fa2/0/48
4    VLAN0004                         active    Fa1/0/17, Fa1/0/18, Fa2/0/17, Fa2/0/18
6    VLAN0006                         active
7    VLAN0007                         active    Fa1/0/23, Fa1/0/24, Fa1/0/25, Fa1/0/26, Fa2/0/23, Fa2/0/24, Fa2/0/25, Fa2/0/26
8    VLAN0008                         active
9    VLAN0009                         active    Fa1/0/31, Fa1/0/32, Fa2/0/29, Fa2/0/30, Fa2/0/31, Fa2/0/32
10   VLAN0010                         active
100  VLAN0100                         active
200  VLAN0200                         active
300  VLAN0300                         active    Fa1/0/46, Fa2/0/46

I think you'll resolve your issue by enabling the encapsulation type when creating the destination port for the SPAN:

"monitor session x dest int xyz encapsulation 'dot1q/isl'"

I am pretty sure this passes the VLAN tagging to the port.

Let us know if it works.

Cheers,

Mario

No change, Observer just sees VLAN 1.

Does int 1/0/48 (span destination port) need to have any trunk settings?

I can only think my NIC on the server is rubbish, it's a Broadcom 5708 NIC on a Dell 2950 server.

This is what I have:

interface FastEthernet1/0/1
 description Trunk to Firewall
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 3,4,6,7,9,10,300
 switchport mode trunk

interface FastEthernet1/0/3
 description Link to Inside Firewall
 switchport access vlan 2

interface FastEthernet1/0/9
 description Outside Firewall
 switchport access vlan 3

interface FastEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk

monitor session 2 source interface Fa1/0/3 , Fa1/0/9
monitor session 2 destination interface Fa1/0/48 encapsulation dot1q

Whiteford,

Interesting you say you are using Observer to monitor as I've just started a trial last week on their latest version...

Couple questions:

1) I am sure I read something in Observer's release notes or online tech info about the VLAN info missing - Have a look at their website's FAQ? I'll try and find the link again.

2) Do you need to use the Broadcom card? Can you test this with a different NIC on/off the server (maybe make the destination another port)?

3) In the configuration for fa1/0/48, why don't you just change it to a standard switchport rather than have the trunking and encapsulation in place?

Mario

Hi,

1.) Yeah I've been through it with them, looks like it is a Broadcom issue, however today Broadcom are saying it's a simple registry change to stop the VLAN tags being removed on the dot1q header, just waiting for their example to come back again as the first made no sense at all :)

2.) If all fails I will buy the recommended Intel cards.

3.) Tried that too :(

Observer 13 is fantastic, I can monitor anything, nothing gets past it (well apart from VLAN info on mine) :)

Hi,

I might be wrong, but as your source interfaces are access ones, the SPAN session will probably NOT add the 802.1q header to the monitored frames.

The configuration guide

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/configuration/guide/swspan.html#wp1036829

is showing the "encapsulation replicate" keyword, but it will also not help here, I'm afraid.

BR,

Milan

Hi,

Yeah I'm already using the "encapsulation replicate" on the monitored destination port and still no VLAN tag info.

I'm starting to think it's the Broadcom NIC on the server, then again I have tried an Intel card too.

Well, then I might be right and the SPAN session does not add the 802.1q header to the frames which were captured on an access port.

If you try to use a trunk as a SPAN session source port, you would prove/disprove this idea.

BR,

Milan

I've just added fas1/0/1 which is the trunk to the ASA firewall and all I see is VLAN1 now and everything else is in the novlan group in Observer.

I should see many more VLANs

Hi,

I managed to get a Broadcom reg fix that means my NIC doesn't remove the VLAN tags now. If I span a trunk port I see all the VLANs now, however if I span the 2 ports in question I do get the vlan info.

This is what I have:

interface FastEthernet1/0/3
 switchport access vlan 2

interface FastEthernet1/0/3
 switchport access vlan 3

monitor session 2 source interface Fa1/0/3 , Fa1/0/9
monitor session 2 destination interface Fa1/0/48 encapsulation replicate

Do I need to add anything else to the 2 interfaces?

Also I get this message when adding:

monitor session 2 destination interface Fa1/0/48 encapsulation dot1q

% Warning: One or more specified dest port does not support requested encapsulation.
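
Added example, not part of the original thread: a Python check, run on the capture host, that counts frames per 802.1Q VLAN ID in a capture saved as a classic pcap file, to tell whether tags survive past the NIC driver as discussed above. The function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

TPID_DOT1Q = 0x8100  # EtherType value that marks an 802.1Q tag

def vlan_of(frame: bytes):
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if untagged."""
    if len(frame) < 18 or struct.unpack_from("!H", frame, 12)[0] != TPID_DOT1Q:
        return None
    tci = struct.unpack_from("!H", frame, 14)[0]
    return tci & 0x0FFF  # low 12 bits are the VLAN ID; top 4 are PCP/DEI

def read_pcap(data: bytes):
    """Yield raw frames from a classic (non-pcapng) Ethernet pcap byte string."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("link type is not Ethernet")
    off = 24  # size of the pcap global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, off + 8)[0]
        off += 16  # skip the per-record header
        yield data[off:off + incl_len]
        off += incl_len

def vlan_summary(data: bytes) -> Counter:
    """Count frames per VLAN ID; the key None counts untagged frames."""
    return Counter(vlan_of(f) for f in read_pcap(data))

def make_frame(vlan=None, pcp=0):
    """Constructed sample frame: dummy MACs, optional tag, IPv4 EtherType, padding."""
    macs = bytes.fromhex("020000000002020000000001")
    tag = b"" if vlan is None else struct.pack("!HH", TPID_DOT1Q, (pcp << 13) | vlan)
    return macs + tag + struct.pack("!H", 0x0800) + bytes(46)

def make_pcap(frames):
    """Constructed sample capture in classic little-endian pcap format."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE = make_pcap([make_frame(2), make_frame(3), make_frame(3, pcp=5), make_frame()])

if __name__ == "__main__":
    for vlan, count in vlan_summary(SAMPLE).items():
        print("untagged" if vlan is None else f"VLAN {vlan}", count)
```

If a capture taken while a trunk port is the SPAN source reports every frame as untagged, the tags were lost before the capture software saw them, which points at the NIC or driver rather than the analyzer.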
