RSPAN on 3750 - getting only rx traffic

Unanswered Question
May 14th, 2010
User Badges:

Hi,


I'm doing rspan between two 3750G connected  by trunk on etherchannel running  version 12.2(44)SE5.

I only get receive traffic from the remote span vlan. I have create the remote span vlans and allowed it on the trunk interface on both sides.


Switch 1

Session 1
---------
Type                   : Remote Source Session
Source Ports           :
    Both               : Gi1/0/17
Dest RSPAN VLAN        : 4094


monitor session 1 source interface Gi1/0/17
monitor session 1 destination remote vlan 4094


Switch 2

Session 1
---------
Type                   : Remote Source Session
Source Ports           :
    Both               : Gi1/0/17
Dest RSPAN VLAN        : 4094


Session 2
---------
Type                   : Remote Destination Session
Source RSPAN VLAN      : 4094
Destination Ports      : Gi1/0/27
    Encapsulation      : Native
          Ingress      : Disabled



monitor session 1 source interface Gi1/0/17
monitor session 1 destination remote vlan 4094
monitor session 2 destination interface Gi1/0/27
monitor session 2 source remote vlan 4094


If I do local span then I get all the  transmit/receive traffic from the source interface.


Thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
jbrenesj Tue, 05/18/2010 - 08:03
User Badges:
  • Silver, 250 points or more

Pretty much what you are trying to do is RSPAN the same switch´s traffic tying to fool the switch to send it´s own interface traffic to the rspan vlan and then capture it again with another monitor session. Unfortunately this is not possible.

I have seen it working a couple of times but you will get unexpected results.


It looks like you´ll need a third switch for this task.


- Jorge

satendrak Sat, 08/14/2010 - 02:53
User Badges:

Hi,


I have added a third switch 3750-24P running 12.2(46)SE and trunked to my switch1 allowing RSPAN VLAN 4094 on the trunk. Now my issue is the destination port on switch3 does not receive any traffic, I see taffic coming in on the trunk interface.


switch3#sh monitor
Session 1
---------
Type                   : Remote Destination Session
Source RSPAN VLAN      : 4094
Destination Ports      : Fa1/0/1
    Encapsulation      : Native
          Ingress      : Disabled


Trunk:


switchs3#sh int fa1/0/24
FastEthernet1/0/24 is up, line protocol is up (connected)


  30 second input rate 3019000 bits/sec, 614 packets/sec
  30 second output rate 3000 bits/sec, 4 packets/sec

Destination port:


switch3#sh int fa1/0/1
FastEthernet1/0/1 is down, line protocol is down (monitoring)


  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec

monitor session 1 destination interface Fa1/0/1
monitor session 1 source remote vlan 4094

Any ideas what am I missing here?


Thanks

Nagaraja Thanthry Sat, 08/14/2010 - 08:40
User Badges:
  • Cisco Employee,

Hello,


Can you please post the output of "show vlan" from both switches?


Regards,


NT

satendrak Sat, 08/14/2010 - 18:53
User Badges:

Hi,


Output from both switches below:


switch1#sh vlan remote-span

Remote SPAN VLANs
------------------------------------------------------------------------------
4094


switch3#sh vlan remote

Remote SPAN VLANs
------------------------------------------------------------------------------
4094


Thanks.

Nagaraja Thanthry Sat, 08/14/2010 - 19:06
User Badges:
  • Cisco Employee,

Hello,


Can you try removing the local span session that sends traffic to remote

VLAN and see if that helps?


Regards,


NT

satendrak Sat, 08/14/2010 - 19:38
User Badges:

Hi,


Since the addition of switch3, switch 1 and 2 only have the following configured:


monitor session 1 source interface Gi1/0/17
monitor session 1 destination remote vlan 4094


cheers

Nagaraja Thanthry Sat, 08/14/2010 - 19:41
User Badges:
  • Cisco Employee,

Hello,


Does the third switch also have VLAN 4094 configured as RSPAN VLAN?


Regards,


NT

satendrak Sat, 08/14/2010 - 19:58
User Badges:

Hi,


Yes it has, as in one of replies above:


switch3#sh vlan remote

Remote SPAN VLANs
------------------------------------------------------------------------------
4094


Thanks,

rcongani Mon, 11/08/2010 - 13:58
User Badges:
  • Cisco Employee,

Hello Satendark,


What you are seeing is expected behavior with the folllowing configurations, this is a limitation on 3750


monitor session 1 source interface Gi1/0/17
monitor session 1 destination remote vlan 4094
monitor session 2 destination interface Gi1/0/27
monitor session 2 source remote vlan 4094


You cannot copy local source  gig 1/0/17 traffic to rpsan vlan and again create a another monitor session copying that traffic to destination on the same source switch. This can be done on 6500 series switches.


But there is a hack, here is waht you need to do.



monitor session 1 source interface Gi1/0/17
monitor session 1 destination remote vlan 4094


( you dont need the second monitor session )



Rspan traffic is flooded on trunks , so you can configure the sniffer port ( destination port Gi1/0/27 as following.)


interface  Gi1/0/27
switchport trunk encapsulation dot1q
switchport trunk native vlan 4096
switchport mode trunk
switchport trunk allowed vlan 4096
spanning-tree portfast trunk


You will see all your trafffic.


Thanks and let me know how it goes.


Ruvin

Actions

This Discussion

Related Content