Unicast Flooding in 6500

Hi,

I have a question regarding access ports, monitor ports, switchport trunk allowed vlan on a C6500 with VSS 12.2(33)SXI3. In this catalyst we have generated unidirectional traffic by accident. This traffic was in one VLAN (i.e. 123). The monitor destination port was assigned to a different VLAN (321) and the initial mode in the config was "switchport mode access". When sending the monitor traffic to the interface we always saw the double rate of the input interface on the output counter of the monitor destination.

Now we entered "switchport trunk allowed vlan remove 123" and the rate went down to the same value as on the input side. Unfortunately we did not look at any other interfaces (we will redo the test), so we are not sure if this was a known behaviour of monitor interfaces or if we have some weird behavior of the C6500 in terms of flooding out of access ports.

If anyone has some idea how this is supposed to work, please let me know. Any input is greatly appreciated.

Regards,

Mat

Ganesh Hariharan
Hi Mat,

As per the information, as the source port is on a different VLAN and the destination port is on a different VLAN, what I can think is that the traffic of the other VLAN is also coming to the destination port apart from the same VLAN traffic, and you said that after removing the VLAN from the trunk port everything comes to normal rate.

But my question is only one source was configured for span session and once you configured a destination port for monitoring it will become a monitoring port rather access port.

HTH


Ganesh.H

Hi Ganesh,

thanks for your fast reply. I probably was not clear in my description of the situation. As you assumed I have only one monitor source port which is in "switchport mode access" and "switchport access vlan 123". The monitor destination is "switchport mode access" and "switchport access vlan 321".

The rate on the monitor destination interface is double the rate on the monitor input interface. When I issue a "switchport trunk allowed vlan remove 123" command on the monitor destination port, the traffic rates are the same on input and on output of the SPAN session. The way it seems to me, the switch sends out untagged and tagged frames to the monitor destination when all VLANs are allowed.

It is clear to me that a monitor interface works differently than an access interface. I am just trying to get a clear understanding of how it works. This way I am able to use it properly.

Kind regards and thanks again,

Mat
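
One way to test the tagged-plus-untagged hypothesis from the post above on frames captured at the monitor destination. This is an added example, not part of the thread; the frames, MAC addresses and the helper names `split_dot1q`, `tagged_untagged_pairs` and `build_frame` are constructed for illustration, and loading frames from a real capture file is left out.

```python
import struct
from collections import Counter, defaultdict

TPID_DOT1Q = 0x8100  # EtherType value that marks an 802.1Q tag


def split_dot1q(frame: bytes):
    """Return (vlan_id or None, frame with a single 802.1Q tag removed)."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_DOT1Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


def tagged_untagged_pairs(frames):
    """Count frames seen both untagged and tagged, keyed by tag VLAN ID."""
    untagged = Counter()
    tagged = defaultdict(Counter)
    for frame in frames:
        vlan, bare = split_dot1q(frame)
        if vlan is None:
            untagged[bare] += 1
        else:
            tagged[vlan][bare] += 1
    pairs = {}
    for vlan, seen in tagged.items():
        n = sum(min(count, untagged[bare]) for bare, count in seen.items())
        if n:
            pairs[vlan] = n
    return pairs


def build_frame(payload: bytes, vlan=None) -> bytes:
    """Constructed Ethernet II frame; MACs are made-up local addresses."""
    dst, src = bytes.fromhex("02000000000b"), bytes.fromhex("02000000000a")
    tag = struct.pack("!HH", TPID_DOT1Q, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", 0x0800) + payload


# Constructed sample: three frames mirrored twice (untagged + VLAN 123 tag),
# plus one frame that appears only once.
SAMPLE_CAPTURE = []
for i in range(3):
    body = bytes([i]) * 46
    SAMPLE_CAPTURE += [build_frame(body), build_frame(body, vlan=123)]
SAMPLE_CAPTURE.append(build_frame(b"\xff" * 46))

if __name__ == "__main__":
    print(tagged_untagged_pairs(SAMPLE_CAPTURE))
```

A non-empty result for VLAN 123 on a real capture would support the doubled-copy reading; an empty result would point to some other cause for the doubled output rate.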

Hi Mat,

In general, if you see the traffic flow in a monitoring session, by default local SPAN monitors all network traffic, including multicast and bridge protocol data unit (BPDU) frames. RSPAN does not support BPDU monitoring.

Ingress SPAN copies network traffic received by the source ports and VLANs for analysis at the destination port. Egress SPAN copies network traffic transmitted from the source ports and VLANs. When you enter the both keyword, SPAN copies the network traffic received and transmitted by the source ports and VLANs to the destination port, and if you configured a source VLAN, then a source VLAN is a VLAN monitored for network traffic analysis. VLAN-based SPAN (VSPAN) uses a VLAN as the SPAN source. All the ports in the source VLANs become source ports.

And yes, the switch sends all the permitted VLANs over the trunk.

HTH

If helpful do rate the valuable post !!

Ganesh.H

Hi Ganesh,

thanks for your reply, it answers a lot about the functionality of the SPAN feature. But my observation is that the egress interface is copying the traffic from the source interface twice: once as untagged frames and once with tags. And that's what I find strange. And that's what I'm trying to find out why it happens.

Kind regards,

Mat

Hi Mat,

Really strange, but for your query we can test by monitoring the trunk port as well and then check what exactly the behavior is. Anyway, when you monitor a trunk port as a source port, all VLANs active on the trunk are monitored by default. You can use VLAN filtering in order to limit SPAN traffic monitoring on trunk source ports to specific VLANs.

Hope this can give some light on your query !!

If helpful do rate

Ganesh.H

Hi Ganesh,

please do not answer anymore since you don't seem to read my postings. I know how SPAN normally works but I have a strange behaviour that I would like to have an explanation for. You did not answer any of this.

Since you wanted some points, here they are. I pushed the button accidentally.

Kind regards

Mat

Mat,

I am really sorry if my suggestions are not valuable; it's just a write-up which I used to do to rate a post in all answers, and I am not interested in even getting any rating from this discussion. So just remove the rating and wait for other experts to answer your query.

Hope that's clear.

Ganesh.H
