RSPAN configuration question

Unanswered Question
Mar 19th, 2010

Hello,

I have set up an RSPAN VLAN over 2960 switches. Everything seems to be working great, except that I only receive the Tx traffic, no Rx. Is there something wrong in my config?

typical access port:

interface FastEthernet0/10
 switchport mode access
 ip arp inspection limit rate 30
 no logging event link-status
 duplex full
 authentication control-direction in
 authentication event fail retry 1 action authorize vlan 999
 authentication event no-response action authorize vlan 999
 authentication order dot1x
 authentication port-control auto
 authentication violation protect
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 dot1x timeout tx-period 20
 dot1x timeout supp-timeout 10
 storm-control broadcast level 30.00 15.00
 storm-control action shutdown
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 30

Source:

monitor session 1 source interface Fa0/10
monitor session 1 destination remote vlan 9

Destination:

monitor session 1 destination interface Fa0/1
monitor session 1 source remote vlan 9

Any help would be appreciated, have been scratching my head on this one  :-)

francisco_1 Fri, 03/19/2010 - 06:51

Hey Martin,

Source:

monitor session 1 source interface Fa0/10
monitor session 1 destination remote vlan 9

Destination:

monitor session 1 destination interface Fa0/1
monitor session 1 source remote vlan 9

As far as I know, you cannot have the destination port as a VLAN; it must be a physical port. Also, you need to have a dedicated RSPAN VLAN trunked between your switches, and you cannot enable RSPAN on the same switch.

See for example http://aconaway.com/tag/rspan/

burleyman Fri, 03/19/2010 - 07:04

Sorry, link may not work.

monitor session session source interface type/slot/port [, | - | rx | tx | both]

monitor session session source {interface type | vlan vlan-id [rx | tx | both] | remote vlan rspan-vlan-id}

Mike

francisco_1 Fri, 03/19/2010 - 07:16

Hello Mike,

The direction of traffic to monitor is optional: "[both | rx | tx] are optional".

If a direction is not specified, the source interface sends both sent and received traffic, so in that case "both" is used.

So in Martin's example he should be receiving both sent and received traffic.

Francisco

martin.belisle@... Fri, 03/19/2010 - 07:46

Hey, thanks guys. It is a remote-span VLAN. I think my setup is OK because I do receive the trace, but I only see the traffic coming in the interface I'm sniffing. In other words, only the traffic coming out of the user PC, and not the traffic received by the user PC.

Also, "both" was issued, but since it's the default it's not appearing.

francisco_1 Fri, 03/19/2010 - 07:55

Martin,

Not sure if this may be related to your problem, but the statement below I got from the Cisco doc related to RSPAN.

Routing—SPAN does not monitor routed traffic. VSPAN only monitors traffic that enters or exits the switch, not traffic that is routed between VLANs. For example, if a VLAN is being Rx-monitored and the switch routes traffic from another VLAN to the monitored VLAN, that traffic is not monitored and not received on the SPAN destination port.

Regards

Francisco

Pronoy Dasgupta Sun, 03/21/2010 - 08:17

Hey Martin,

Config looks good. You say that you only see uni-directional traffic? With the configuration that you have, you should not have a problem. Have you tried breaking it down to a local SPAN session to see if the problem persists?

Would it be possible for you to post the show version from the switch here?

And what is the destination switch, is it a 2960 as well?

Thanks

martin.belisle@... Mon, 03/22/2010 - 09:58

I just tried a local SPAN and I have the same issue.

This is the version I'm running:

Switch Ports Model              SW Version            SW Image                
------ ----- -----              ----------            ----------              
*    1 26    WS-C2960-24TC-L    12.2(50)SE1           C2960-LANBASEK9-M

Thanks for the help  :-)

Pronoy Dasgupta Tue, 03/23/2010 - 09:24

Lol, I would say that this is not the first time I have seen a problem with the local PC firewall.

I handled a case some time back, when a bunch of computers would not be able to ping their default gateway; however, you could ping all of those hosts from the gateway itself. Who would ever think about such a mass attack from local firewall settings? However, turning them off on all of them resolved the problem.

The reason I had asked you to configure local SPAN was that I wanted to verify whether both SPAN and RSPAN were broken or not. The extra thing with RSPAN is that it creates a dummy VLAN which has the property of not learning a MAC address; hence, I was trying to isolate whether it's a problem with the VLAN or the replication capacity of the switch.

Thanks

Pronoy

stephenshaw Mon, 03/22/2010 - 10:50

Hi,

For those reading this thread and not understanding what Martin is referring to: if the TCP/IP stack is altered by software such as McAfee or Checkpoint, Black Ice, firewall, etc., this is a symptom of what happens: one-way traffic captures. My apologies, I was trying to lead you in this direction on Friday but wasn't able to post my suggestion, which would have been to check if any type of software may be affecting the TCP/IP stack.

Steve

francisco_1 Tue, 03/23/2010 - 09:29

Steve,

Good to know that.

Thanks for the insight into Martin's problem.

Francisco.
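
To put numbers on the one-way capture symptom discussed in this thread, the following added example (not code from any poster) tallies frames per direction for the monitored host in a capture saved at the SPAN destination. The MAC addresses, helper names and sample captures are constructed; it reads classic pcap files only, not pcapng.

```python
import struct
from collections import Counter

HOST = "00:11:22:33:44:55"     # constructed MAC of the monitored PC
GATEWAY = "66:77:88:99:aa:bb"  # constructed MAC of its default gateway

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_pcap(frames):
    """Constructed test input: classic little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def direction_tally(pcap, host):
    """Count frames sent by and delivered to `host` in a classic pcap byte string."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    host, tally, off = mac(host), Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(end + "I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            tally["truncated"] += 1
        elif frame[6:12] == host:
            tally["from_host"] += 1   # received by the switch port (SPAN rx)
        elif frame[0:6] == host:
            tally["to_host"] += 1     # transmitted by the switch port (SPAN tx)
        else:
            tally["other"] += 1       # broadcast, multicast, unrelated unicast
    return tally

def verdict(tally):
    if tally["from_host"] and tally["to_host"]:
        return "both directions captured"
    if tally["from_host"] or tally["to_host"]:
        return "one-way capture"
    return "no traffic for this host"

def eth(dst, src):
    return mac(dst) + mac(src) + b"\x08\x00" + bytes(46)  # constructed frame

ONE_WAY = build_pcap([eth(GATEWAY, HOST)] * 3 + [eth("ff:ff:ff:ff:ff:ff", GATEWAY)])
TWO_WAY = build_pcap([eth(GATEWAY, HOST), eth(HOST, GATEWAY)] * 2)
print(verdict(direction_tally(ONE_WAY, HOST)), "/", verdict(direction_tally(TWO_WAY, HOST)))
```

Running the same tally on captures taken from two different sniffer machines on the same destination port separates a switch-side replication problem from one introduced by software on the capturing PC.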
