RSPAN on 3750 - getting only rx traffic

satendrak · ‎05-14-2010

Hi,

I'm doing rspan between two 3750G connected by trunk on etherchannel running version 12.2(44)SE5.

I only get receive traffic from the remote span vlan. I have create the remote span vlans and allowed it on the trunk interface on both sides.

Switch 1

Session 1
---------
Type                   : Remote Source Session
Source Ports           :
    Both               : Gi1/0/17
Dest RSPAN VLAN        : 4094

monitor session 1 source interface Gi1/0/17
monitor session 1 destination remote vlan 4094

Switch 2

Session 1
---------
Type                   : Remote Source Session
Source Ports           :
    Both               : Gi1/0/17
Dest RSPAN VLAN        : 4094

Session 2
---------
Type                   : Remote Destination Session
Source RSPAN VLAN      : 4094
Destination Ports      : Gi1/0/27
    Encapsulation      : Native
          Ingress      : Disabled

monitor session 1 source interface Gi1/0/17
monitor session 1 destination remote vlan 4094
monitor session 2 destination interface Gi1/0/27
monitor session 2 source remote vlan 4094

If I do local span then I get all the transmit/receive traffic from the source interface.

Thanks.

jbrenesj · ‎05-18-2010

Pretty much what you are trying to do is RSPAN the same switch´s traffic tying to fool the switch to send it´s own interface traffic to the rspan vlan and then capture it again with another monitor session. Unfortunately this is not possible.

I have seen it working a couple of times but you will get unexpected results.

It looks like you´ll need a third switch for this task.

- Jorge

satendrak · ‎08-14-2010

Hi,

I have added a third switch 3750-24P running 12.2(46)SE and trunked to my switch1 allowing RSPAN VLAN 4094 on the trunk. Now my issue is the destination port on switch3 does not receive any traffic, I see taffic coming in on the trunk interface.

switch3#sh monitor
Session 1
---------
Type                   : Remote Destination Session
Source RSPAN VLAN      : 4094
Destination Ports      : Fa1/0/1
    Encapsulation      : Native
          Ingress      : Disabled

Trunk:

switchs3#sh int fa1/0/24
FastEthernet1/0/24 is up, line protocol is up (connected)

30 second input rate 3019000 bits/sec, 614 packets/sec
30 second output rate 3000 bits/sec, 4 packets/sec

Destination port:

switch3#sh int fa1/0/1
FastEthernet1/0/1 is down, line protocol is down (monitoring)

30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec

monitor session 1 destination interface Fa1/0/1
monitor session 1 source remote vlan 4094

Any ideas what am I missing here?

Thanks

Nagaraja Thanthry · ‎08-14-2010

Hello,

Can you please post the output of "show vlan" from both switches?

Regards,

NT

satendrak · ‎08-14-2010

Hi,

Output from both switches below:

switch1#sh vlan remote-span

Remote SPAN VLANs
------------------------------------------------------------------------------
4094

switch3#sh vlan remote

Remote SPAN VLANs
------------------------------------------------------------------------------
4094

Thanks.

Nagaraja Thanthry · ‎08-14-2010

Hello,

Can you try removing the local span session that sends traffic to remote

VLAN and see if that helps?

Regards,

NT

satendrak · ‎08-14-2010

Hi,

Since the addition of switch3, switch 1 and 2 only have the following configured:

monitor session 1 source interface Gi1/0/17
monitor session 1 destination remote vlan 4094

cheers

Nagaraja Thanthry · ‎08-14-2010

Hello,

Does the third switch also have VLAN 4094 configured as RSPAN VLAN?

Regards,

NT

satendrak · ‎08-14-2010

Hi,

Yes it has, as in one of replies above:

switch3#sh vlan remote

Remote SPAN VLANs
------------------------------------------------------------------------------
4094

Thanks,

rcongani · ‎11-08-2010

Hello Satendark,

What you are seeing is expected behavior with the folllowing configurations, this is a limitation on 3750

monitor session 1 source interface Gi1/0/17
monitor session 1 destination remote vlan 4094
monitor session 2 destination interface Gi1/0/27
monitor session 2 source remote vlan 4094

You cannot copy local source gig 1/0/17 traffic to rpsan vlan and again create a another monitor session copying that traffic to destination on the same source switch. This can be done on 6500 series switches.

But there is a hack, here is waht you need to do.

monitor session 1 source interface Gi1/0/17
monitor session 1 destination remote vlan 4094

( you dont need the second monitor session )

Rspan traffic is flooded on trunks , so you can configure the sniffer port ( destination port Gi1/0/27 as following.)

interface Gi1/0/27
switchport trunk encapsulation dot1q
switchport trunk native vlan 4096
switchport mode trunk
switchport trunk allowed vlan 4096
spanning-tree portfast trunk

You will see all your trafffic.

Thanks and let me know how it goes.

Ruvin