cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2218
Views
15
Helpful
22
Replies

Monitor session - RSPAN - no output

alanchia2000
Level 1
Level 1

I am having difficulties with getting RSPAN traffic over my trunk link.

Here's the setup .

PC1 ---Gi1/0/1--- Core Sw -Gi1/0/2---Gi1/0/1--- Access switch ---Gi1/0/2--- PC2

PC3 ---Gi1/0/3--------|

PC 3 is sniffer.

PC1: 192.168.1.1/24

Core switch: 192.168.1.2/24 (Gi1/0/1)

Core Switch: 192.168.2.2/24 (Gi1/0/2)

Access switch: 192.168.2.1/24 (Gi1/0/1)

Access switch: 192.168.3.1/24 (Gi1/0/2)

PC2: 192.168.3.2/24

Cisco IOS 3750

Core sw

Interface Gi1/0/1

no switchport

ip address 192.168.1.2 255.255.255.0

no shut

Interface Gi1/0/2

no switchport

ip address 192.168.2.2 255.255.255.0

no shut

monitor session 1 source remote vlan 999

monitor session 1 destination interface Gi1/0/3

monitor session 2 source interface Gi1/0/1 rx

monitor session 2 destination remote vlan 999

Cisco IOS 3750

Access switch

Interface Gi1/0/1

no switchport

ip address 192.168.2.1 255.255.255.0

no shut

Interface Gi1/0/2

no switchport

ip address 192.168.3.1 255.255.255.0

no shut

monitor session 1 source interface gi1/0/2 rx

monitor session 1 destination remote vlan 999

I'm trying to ping from PC 2 to PC 1. Aparently, it wasn't captured on PC3 for some reason.

Could anyone help look at whether my "monitor session" statements are correctly configured.

Thanks.

22 Replies 22

xcz504d1114
Level 4
Level 4

You need to tell the VLAN he is a remote span VLAN.

conf t

vlan 199

remote span

verify the remote-span vlan by using "show vlan remote-span" it should be a remote span vlan on all switches. Make sure no other traffic is using that VLAN.

HTH,

Craig

That command i think is a 6500 switch command. Is there a 3750 equivalent command?

I just verified it on my 3750, works fine.

IOS 12.2(46)SE Adv IP Services image.

HTH,

Craig

Thanks Craig.

I will try it out tomorrow first thing in the morning. Will keep ya posted.

monitor session 1 source remote vlan 999

monitor session 1 destination interface Gi1/0/3

monitor session 2 source interface Gi1/0/1 rx

monitor session 2 destination remote vlan 999

I have gotten the output from remote vlan. But it doesn't have all the output I want. Seems like nothing is coming out from

monitor session 2 source interface Gi1/0/1 rx

monitor session 2 destination remote vlan 999

For the above statement,

Is it right to copy the traffic to the remote vlan 999 and have the remote vlan 999 traffic go to destination port on the same switch? The reason I'm asking is because I am not getting any output from the above 2 statements.

Is there a reason you are sending it to an RSPAN on the same switch? I don't know if that would work.

What I would recommend (since the 3750 supports 2 source span sessions):

monitor session 1 source interface gi 1/0/3

monitor session 1 destination interface gi 1/0/3

monitor session 2 source interface gi 1/0/1

monitor session 2 destination remote vlan 999

This would send traffic to the gi 1/0/3 interface as well as the RSPAN.

HTH,

Craig

Amit Singh
Cisco Employee
Cisco Employee

In order to carry the RSPAN traffic accross the switch you need to have RSPAN Vlan configured on all the switches. Also Please make sure that you have L2 trunk link between all the switches for RSPAN to work. It looks like you are configuring the link between the switches as L3 links and I wonder that it will not work the same way as you are expecting. Do the following:

A. Please remove the L3 port interface config from the switches.

B. Assign the same IP to the Vlan SVI's.

C. Create trunk link between all the switches and make sure that RSPAN vlan exists on all the switches.

This should work fine and in case of any problem, paste your config.

HTH,

-amit singh

amit,

I don't mean to hijack this thread, but I have a question regarding SPAN sessions and the direction of traffic.

According to Cisco documentation:

"Monitored Traffic Direction

You can configure local SPAN sessions, RSPAN source sessions, and ERSPAN source sessions to monitor ingress traffic (called ingress SPAN), or to monitor egress traffic (called egress SPAN), or to monitor traffic flowing in both directions.

Ingress SPAN copies traffic received by the source ports and VLANs for analysis at the destination port. Egress SPAN copies traffic transmitted from the source ports and VLANs. When you enter the both keyword, SPAN copies the traffic received and transmitted by the source ports and VLANs to the destination port."

I can understand how either direction of traffic on a port is mirrored to the destination port.

But if you have a layer three switch and you desiginate the direction of traffic like so:

monitor session 1 source vlan 2-20 rx

monitor session 1 destination interface Gi1/1

It the traffic mirrored from the layer 2 vlan or the SVI of the vlan on the switch?

If it is the layer 2 vlan, what is considered the ingress or egress point of the layer 2 vlan?

If it is the SVI of the vlan, would the mirrored traffic be the traffic received on the SVI from the devices in the vlan using the SVI as a default gateway?

It the traffic mirrored from the layer 2 vlan or the SVI of the vlan on the switch?

Traffic is mirrored from the Layer 2 VLAN, in effect it really just adds all the ports that are assigned to VLAN 2 including trunk interfaces.

If it is the layer 2 vlan, what is considered the ingress or egress point of the layer 2 vlan?

Either ingress, egress or both, again you are just monitoring all the ports in the specified VLAN.

If it is the SVI of the vlan, would the mirrored traffic be the traffic received on the SVI from the devices in the vlan using the SVI as a default gateway?

Not the SVI, any traffic routed will not be monitored, whether ingress or egress.

HTH,

Craig

Hi amit,

Besides the L3 ports, I have trunk ports between switches configured. They work fine.

Apparently it works for the one part (Access switch to core) , and the part (RSPAN on core switch) that doesn't work is the one which I have mentioned.

I understand remote span works across switches. But it seems to me that copying traffic from a source port to a desintation remote span vlan on the same switch didn't give any output. So I was just clarify what I didn't do right.

Sorry, just looked over my post, I mistyped one of your interfaces.

monitor session 1 source interface gi 1/0/1

monitor session 1 destination interface gi 1/0/3

monitor session 2 source interface gi 1/0/1

monitor session 2 destination remote vlan 999

First line should have been a source interface of gi 1/0/1, so this would send span traffic to Gi 1/0/3 and to your RSPAN for int gi 1/0/1.

Craig

Thanks Craig,

So uisng this explanation:

"Traffic is mirrored from the Layer 2 VLAN, in effect it really just adds all the ports that are assigned to VLAN 2 including trunk interfaces.

If it is the layer 2 vlan, what is considered the ingress or egress point of the layer 2 vlan?

Either ingress, egress or both, again you are just monitoring all the ports in the specified VLAN.'

And with this config:

monitor session 1 source vlan 2-20 rx

monitor session 1 destination interface Gi1/1

We can say that all traffic on the ingress of each individual port in vlans 2-20 will be mirrored to interface Gi1/1?

and conversely,

We can say that all traffic on the egress of each individual port in vlans 2-20 will be mirrored to interface Gi1/1 with this config:

monitor session 1 source vlan 2-20 tx

monitor session 1 destination interface Gi1/1

Absolutely, and here is a link that probably explains it better than I did :)

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/13ew/configuration/guide/span.html#wp1020390

Craig

I would like to monitor both PC 1 and 2 and copy the traffic to Gi1/0/3. How does the following lines do that?

Am I right in saying that based on the following lines proposed? I won't be monitoring traffic from remote vlans since I don't see "source remote vlan 999" in the proposed line.

#####################

monitor session 1 source interface gi 1/0/1

monitor session 1 destination interface gi 1/0/3

monitor session 2 source interface gi 1/0/1

monitor session 2 destination remote vlan 999

First line should have been a source interface of gi 1/0/1, so this would send span traffic to Gi 1/0/3 and to your RSPAN for int gi 1/0/1.

#####################

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco