Monitor session - RSPAN - no output

Unanswered Question
Jul 9th, 2009

I am having difficulties with getting RSPAN traffic over my trunk link.

Here's the setup .

PC1 ---Gi1/0/1--- Core Sw -Gi1/0/2---Gi1/0/1--- Access switch ---Gi1/0/2--- PC2

PC3 ---Gi1/0/3--------|

PC 3 is sniffer.

PC1: 192.168.1.1/24

Core switch: 192.168.1.2/24 (Gi1/0/1)

Core Switch: 192.168.2.2/24 (Gi1/0/2)

Access switch: 192.168.2.1/24 (Gi1/0/1)

Access switch: 192.168.3.1/24 (Gi1/0/2)

PC2: 192.168.3.2/24

Cisco IOS 3750

Core sw

Interface Gi1/0/1

no switchport

ip address 192.168.1.2 255.255.255.0

no shut

Interface Gi1/0/2

no switchport

ip address 192.168.2.2 255.255.255.0

no shut

monitor session 1 source remote vlan 999

monitor session 1 destination interface Gi1/0/3

monitor session 2 source interface Gi1/0/1 rx

monitor session 2 destination remote vlan 999

Cisco IOS 3750

Access switch

Interface Gi1/0/1

no switchport

ip address 192.168.2.1 255.255.255.0

no shut

Interface Gi1/0/2

no switchport

ip address 192.168.3.1 255.255.255.0

no shut

monitor session 1 source interface gi1/0/2 rx

monitor session 1 destination remote vlan 999

I'm trying to ping from PC 2 to PC 1. Aparently, it wasn't captured on PC3 for some reason.

Could anyone help look at whether my "monitor session" statements are correctly configured.

Thanks.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
xcz504d1114 Thu, 07/09/2009 - 06:49

You need to tell the VLAN he is a remote span VLAN.

conf t

vlan 199

remote span

verify the remote-span vlan by using "show vlan remote-span" it should be a remote span vlan on all switches. Make sure no other traffic is using that VLAN.

HTH,

Craig

alanchia2000 Thu, 07/09/2009 - 07:06

That command i think is a 6500 switch command. Is there a 3750 equivalent command?

xcz504d1114 Thu, 07/09/2009 - 07:09

I just verified it on my 3750, works fine.

IOS 12.2(46)SE Adv IP Services image.

HTH,

Craig

alanchia2000 Thu, 07/09/2009 - 07:18

Thanks Craig.

I will try it out tomorrow first thing in the morning. Will keep ya posted.

alanchia2000 Thu, 07/09/2009 - 18:35

monitor session 1 source remote vlan 999

monitor session 1 destination interface Gi1/0/3

monitor session 2 source interface Gi1/0/1 rx

monitor session 2 destination remote vlan 999

I have gotten the output from remote vlan. But it doesn't have all the output I want. Seems like nothing is coming out from

monitor session 2 source interface Gi1/0/1 rx

monitor session 2 destination remote vlan 999

For the above statement,

Is it right to copy the traffic to the remote vlan 999 and have the remote vlan 999 traffic go to destination port on the same switch? The reason I'm asking is because I am not getting any output from the above 2 statements.

xcz504d1114 Fri, 07/10/2009 - 06:20

Is there a reason you are sending it to an RSPAN on the same switch? I don't know if that would work.

What I would recommend (since the 3750 supports 2 source span sessions):

monitor session 1 source interface gi 1/0/3

monitor session 1 destination interface gi 1/0/3

monitor session 2 source interface gi 1/0/1

monitor session 2 destination remote vlan 999

This would send traffic to the gi 1/0/3 interface as well as the RSPAN.

HTH,

Craig

Amit Singh Fri, 07/10/2009 - 07:36

In order to carry the RSPAN traffic accross the switch you need to have RSPAN Vlan configured on all the switches. Also Please make sure that you have L2 trunk link between all the switches for RSPAN to work. It looks like you are configuring the link between the switches as L3 links and I wonder that it will not work the same way as you are expecting. Do the following:

A. Please remove the L3 port interface config from the switches.

B. Assign the same IP to the Vlan SVI's.

C. Create trunk link between all the switches and make sure that RSPAN vlan exists on all the switches.

This should work fine and in case of any problem, paste your config.

HTH,

-amit singh

wilson_1234_2 Fri, 07/10/2009 - 07:53

amit,

I don't mean to hijack this thread, but I have a question regarding SPAN sessions and the direction of traffic.

According to Cisco documentation:

"Monitored Traffic Direction

You can configure local SPAN sessions, RSPAN source sessions, and ERSPAN source sessions to monitor ingress traffic (called ingress SPAN), or to monitor egress traffic (called egress SPAN), or to monitor traffic flowing in both directions.

Ingress SPAN copies traffic received by the source ports and VLANs for analysis at the destination port. Egress SPAN copies traffic transmitted from the source ports and VLANs. When you enter the both keyword, SPAN copies the traffic received and transmitted by the source ports and VLANs to the destination port."

I can understand how either direction of traffic on a port is mirrored to the destination port.

But if you have a layer three switch and you desiginate the direction of traffic like so:

monitor session 1 source vlan 2-20 rx

monitor session 1 destination interface Gi1/1

It the traffic mirrored from the layer 2 vlan or the SVI of the vlan on the switch?

If it is the layer 2 vlan, what is considered the ingress or egress point of the layer 2 vlan?

If it is the SVI of the vlan, would the mirrored traffic be the traffic received on the SVI from the devices in the vlan using the SVI as a default gateway?

xcz504d1114 Fri, 07/10/2009 - 08:24

It the traffic mirrored from the layer 2 vlan or the SVI of the vlan on the switch?

Traffic is mirrored from the Layer 2 VLAN, in effect it really just adds all the ports that are assigned to VLAN 2 including trunk interfaces.

If it is the layer 2 vlan, what is considered the ingress or egress point of the layer 2 vlan?

Either ingress, egress or both, again you are just monitoring all the ports in the specified VLAN.

If it is the SVI of the vlan, would the mirrored traffic be the traffic received on the SVI from the devices in the vlan using the SVI as a default gateway?

Not the SVI, any traffic routed will not be monitored, whether ingress or egress.

HTH,

Craig

alanchia2000 Fri, 07/10/2009 - 08:11

Hi amit,

Besides the L3 ports, I have trunk ports between switches configured. They work fine.

Apparently it works for the one part (Access switch to core) , and the part (RSPAN on core switch) that doesn't work is the one which I have mentioned.

I understand remote span works across switches. But it seems to me that copying traffic from a source port to a desintation remote span vlan on the same switch didn't give any output. So I was just clarify what I didn't do right.

xcz504d1114 Fri, 07/10/2009 - 09:20

Sorry, just looked over my post, I mistyped one of your interfaces.

monitor session 1 source interface gi 1/0/1

monitor session 1 destination interface gi 1/0/3

monitor session 2 source interface gi 1/0/1

monitor session 2 destination remote vlan 999

First line should have been a source interface of gi 1/0/1, so this would send span traffic to Gi 1/0/3 and to your RSPAN for int gi 1/0/1.

Craig

wilson_1234_2 Fri, 07/10/2009 - 09:43

Thanks Craig,

So uisng this explanation:

"Traffic is mirrored from the Layer 2 VLAN, in effect it really just adds all the ports that are assigned to VLAN 2 including trunk interfaces.

If it is the layer 2 vlan, what is considered the ingress or egress point of the layer 2 vlan?

Either ingress, egress or both, again you are just monitoring all the ports in the specified VLAN.'

And with this config:

monitor session 1 source vlan 2-20 rx

monitor session 1 destination interface Gi1/1

We can say that all traffic on the ingress of each individual port in vlans 2-20 will be mirrored to interface Gi1/1?

and conversely,

We can say that all traffic on the egress of each individual port in vlans 2-20 will be mirrored to interface Gi1/1 with this config:

monitor session 1 source vlan 2-20 tx

monitor session 1 destination interface Gi1/1

alanchia2000 Fri, 07/10/2009 - 09:49

I would like to monitor both PC 1 and 2 and copy the traffic to Gi1/0/3. How does the following lines do that?

Am I right in saying that based on the following lines proposed? I won't be monitoring traffic from remote vlans since I don't see "source remote vlan 999" in the proposed line.

#####################

monitor session 1 source interface gi 1/0/1

monitor session 1 destination interface gi 1/0/3

monitor session 2 source interface gi 1/0/1

monitor session 2 destination remote vlan 999

First line should have been a source interface of gi 1/0/1, so this would send span traffic to Gi 1/0/3 and to your RSPAN for int gi 1/0/1.

#####################

xcz504d1114 Fri, 07/10/2009 - 10:09

Ah, ok I see what you are trying to do, I thought you were just monitoring just the one port.

In that case,

monitor session 1 source interface gi 1/0/1

monitor session 1 source remote vlan 999

monitor session 1 destination interface gi 1/0/3

Craig

alanchia2000 Fri, 07/10/2009 - 18:56

Hi Craig,

I think I have tried the commands you suggested, but the system allowed only either the source interface or source remote span session. What IOS version are you using on your 3750. I don't think I'm using the latest version.

Alan

ciscohappy Tue, 07/14/2009 - 17:14

Does anyone know if the following 3 commands on all Cisco 3750s ? I don't think it works on mine?

monitor session 1 source interface gi 1/0/1

monitor session 1 source remote vlan 999

monitor session 1 destination interface gi 1/0/3

xcz504d1114 Tue, 07/14/2009 - 18:57

That was my bad, you can't combine both RSPAN and an interface in the same monitor session, it is either a RSPAN or not and RSPAN, not both.

Unfortunately I can't think of any other way to get the traffic you are wanting... I'm sure there is something I'm missing from the puzzle, maybe I will hit a eureka moment in the middle of the night :)

Maybe try:

monitor session 1 source int gi 1/0/1

monitor session 1 destination remote vlan 998

monitor session 2 source remote vlan 999

monitor session 2 source remote vlan 998

monitor session 2 destination int gi 1/0/3

You can have as many sources as you want, just a maximum number of 2 sessions, can't mix interfaces with VLAN's, so that meets all of the requirements...

HTH,

Craig

alanchia2000 Tue, 07/14/2009 - 23:40

Hi Craig,

Appreciate your help in this matter.

I've tried

monitor session 2 source remote vlan 999

monitor session 2 source remote vlan 998

monitor session 2 destination int gi 1/0/3

But it seems that only 1 source remote vlan was allowed on my Cisco 3750 though. Won't work in my scenario. Does it work over your end?

xcz504d1114 Wed, 07/15/2009 - 09:32

I've been out of my office for a few days, and my terminal server has been hung up, I'll have someone reset it and see what I can come up with.

Craig

Actions

This Discussion