Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1676
Views
5
Helpful
5
Replies

ERSPAN not working

ibrunello
Level 1
Level 1

‎03-24-2009 07:04 AM - edited ‎03-06-2019 04:46 AM

I've been setting up an ERSPAN using 6500s.

I hope I have done my homework, but it seems not to work.

here are the source:

<snip>

interface GigabitEthernet4/3

description source

switchport

switchport access vlan 70

switchport mode access

no ip address

load-interval 30

no snmp trap link-status

<snip>

monitor session 50 type erspan-source

source interface Gi4/3

destination

erspan-id 150

ip address 10.20.1.146

ip ttl 50

origin ip address 10.92.0.4

<snip>

and this is the destination:

interface FastEthernet4/3

description OMIF424 eth3 - Test Remote Span

switchport

switchport access vlan 70

switchport trunk encapsulation dot1q

no ip address

load-interval 30

no snmp trap link-status

monitor session 50 type erspan-destination

destination interface Fa4/3

source

erspan-id 150

ip address 10.20.1.146

interfaces are both loopback

routing has been checked.

inbound traffic is 400kbps

outbound traffic is 0kbps

source is a tap, destination is an aggregation IDS.

any hint?

TIA

Ivan

Labels:
0 Helpful
5 Replies 5

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎03-24-2009 07:50 AM

Hello Ivan,

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/span.html#wp1059619

The following supervisor engines support ERSPAN:

-Supervisor engines manufactured with PFC3B and PFC3BXL support ERSPAN.

-A WS-SUP720 (a Supervisor Engine 720 manufactured with a PFC3A) can only support ERSPAN if it has hardware version 3.2 or higher. Enter the show module version | include WS-SUP720-BASE command to display the hardware version. For example:

Router# show module version | include WS-SUP720-BASE

7 2 WS-SUP720-BASE SAD075301SZ Hw :3.2

verify what type of sup720 are on the two chassis

Hope to help

Giuseppe

0 Helpful

ibrunello
Level 1
Level 1
In response to Giuseppe Larosa

‎03-24-2009 08:13 AM

source is a SUP720 w/ PFC3B

destination is a SUP32 w/ PFC3B

0 Helpful

ibrunello
Level 1
Level 1
In response to ibrunello

‎03-26-2009 02:38 AM

update.

the problem seems to be the source being a TAP.

in fact, when I connect a normal pc, and do some ping to nowhere, the frames are copied.

using TAP results in nothing copied.

there should be something with the packets not going to PFC, and hence not being copied.

0 Helpful

ibrunello
Level 1
Level 1
In response to ibrunello

‎03-26-2009 09:31 AM

SOLVED.

the tap turned to be a nortel switch using the 6500 as a destination span port.

the issue was solved simply disabling spanning-tree packets between the nortel and the Cisco.

interface GigabitEthernet4/3

switchport

switchport access vlan 70

switchport mode access

switchport nonegotiate

no ip address

load-interval 30

spanning-tree bpdufilter enable

no shutdown

exit

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to ibrunello

‎03-26-2009 11:18 AM

Hello Ivan,

nice news you have solved, and it is good that you have shared on the forum the solution of this issue this can help somebody else.

Best Regards

Giuseppe

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card