RSPAN Help Needed

Unanswered Question
Jul 12th, 2010

Three Cat3560 switches, I'll call them A,B, and C. We're setting up for voice recording, but are only seeing one side of the RTP stream.

On switch A:

monitor session 1 source vlan 20
monitor session 1 destination remote vlan 100

(Switch B is providing a trunk only)

Switch C

monitor session 1 source remote vlan 100

monitor session 1 destination interface Gi0/18

Any help would be appreciated.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (4 ratings)
Loading.
Jayakrishna Mada Mon, 07/12/2010 - 19:27

Brian,

Can you post "show vlan id 100" from all the switches and "show mon sess 1 detail" from switch A and B and show int fa/gi x/y from the trunk links connecting the switch.

And the version that you are running.

JayaKrishna

jorge.calvo Tue, 07/13/2010 - 00:17

Hello,

Please, make sure you configure VLAN 100 as remote-span VLAN:

switch(config)#vlan 100

switch(config-vlan)#remote-span

Regards.

Brian Carscadden Tue, 07/13/2010 - 13:07

JayaKrishna,

Thanks for your help ... here's the info:

"SWITCH A"#sh vlan id 100

VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------------------------

100  RSPAN                            active    Fa0/1, Fa0/2, Fa0/3, Fa0/4

                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8

                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12

                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16

                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21

                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1

                                                Gi0/2

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

100  enet  100100     1500  -      -      -        -    -        0      0  

Remote SPAN VLAN

----------------

Enabled

Primary Secondary Type              Ports

------- --------- ----------------- ------------------------------------------

"SWITCH A"#sh mon sess 1 detail

Session 1

---------

Type              : Remote Source Session

Source Ports      :

    RX Only       : None

    TX Only       : None

    Both          : None

Source VLANs      :

    RX Only       : None

    TX Only       : None

    Both          : 20

Source RSPAN VLAN : None

Destination Ports : None

Filter VLANs      : None

Dest RSPAN VLAN   : 100

"SWITCH B"#sh vlan id 100

VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------------------------

100  RSPAN                            active    Fa0/1, Fa0/2, Fa0/3, Fa0/4

                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9

                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13

                                                Fa0/14, Fa0/17, Fa0/20, Fa0/21

                                                Fa0/23, Fa0/24, Fa0/25, Fa0/26

                                                Fa0/27, Fa0/29, Fa0/31, Fa0/32

                                                Fa0/33, Fa0/34, Fa0/35, Fa0/36

                                                Fa0/37, Fa0/38, Fa0/39, Fa0/41

                                                Fa0/42, Fa0/43, Fa0/44, Gi0/1

                                                Gi0/2, Gi0/3, Gi0/4

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

100  enet  100100     1500  -      -      -        -    -        0      0  

Remote SPAN VLAN

----------------

Enabled

Primary Secondary Type              Ports

------- --------- ----------------- ------------------------------------------

"SWITCH B#sh mon sess 1 detail

No SPAN configuration is present in the system for session [1].

"SWITCH C"#sh vlan id 100

VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------------------------

100  RSPAN                            active    Gi0/24

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

100  enet  100100     1500  -      -      -        -    -        0      0  

Remote SPAN VLAN

----------------

Enabled

Primary Secondary Type              Ports

------- --------- ----------------- ------------------------------------------

"SWITCH C"#sh mon sess 1 detail

Session 1

---------

Type                   : Remote Destination Session

Description            : -

Source Ports           :

    RX Only            : None

    TX Only            : None

    Both               : None

Source VLANs           :

    RX Only            : None

    TX Only            : None

    Both               : None

Source RSPAN VLAN      : 100

Destination Ports      : Gi0/18

    Encapsulation      : Native

          Ingress      : Disabled

Filter VLANs           : None

Dest RSPAN VLAN        : None

Jayakrishna Mada Tue, 07/13/2010 - 14:15

The configutaiton of RSPAN looks correct but one thing I noticed that you have mapped the RSPAN vlan (100) to some ports on all the switches.

You cannot have ports mapped to RSPAN vlan .

Please look at the second point in the following link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swspan.html#wp1073772

Remove those interfaces from RSPAN vlan 100 and see if that works or use a different RSPAN vlan.

JayaKrishna

michael.leblanc Tue, 07/13/2010 - 08:06

Brian:

Noticed that you are using a VLAN as a source on Switch A.

The following excerpt is from the Catalyst 3550 Multilayer Switch Software Configuration Guide (page 24-6).

Although this is not the same platform you are using, the behavioral limits might be the same.

VLAN-Based SPAN


VLAN-based SPAN (VSPAN) is the monitoring of the network traffic in one or more VLANs. You can configure VSPAN to monitor only received (Rx) traffic, which applies to all the ports for that VLAN.

Perhaps you are being hindered by the limits of VLAN-Based SPAN  (monitoring of only received (Rx) traffic).

Might want  to take a look at the other usage guidelines in that section as well.

Best Regards,

Mike

Brian Carscadden Tue, 07/13/2010 - 12:52

Mike,

Good catch, I'll dig a little deeper on this one. I guess I can switch to source the ports, then trim the data VLAN traffic off. I'm not at the client site, so I can't validate this one right away, but will follow up with the outcome.

Regards,

Brian

michael.leblanc Tue, 07/13/2010 - 14:04

Brian:

The show command output subsequently provided, implies that your platform supports both RX and TX when using a VLAN as the SPAN source.

SWITCH A"#sh mon sess 1 detail

Source VLANs:
    RX Only       : None
    TX Only       : None
    Both          : 20

I took a quick look at the Catalyst 3560 Multilayer Switch Software Configuration Guide, Release 12.2(52)SE, and found the following statements:

Monitored Traffic

SPAN sessions can monitor these traffic types:

• Receive (Rx) SPAN—The goal of receive (or ingress) SPAN is to monitor as much as possible all the packets received by the source interface or VLAN before any modification or processing is performed by the switch.

• Transmit (Tx) SPAN—The goal of transmit (or egress) SPAN is to monitor as much as possible all the packets sent by the source interface after all modification and processing is performed by the switch.

• Both—In a SPAN session, you can also monitor a port or VLAN for both received and sent packets. This is the default.

Note: I find the absence of a reference to "VLAN" in the Transmit (Tx) SPAN statement suspicious, despite it being mentioned in the Both statement.


Source VLANs

VSPAN has these characteristics:

• All active ports in the source VLAN are included as source ports and can be monitored in either or both directions.


I think I'd still test a local SPAN session on switch A, with a VLAN specified as the source, and prove that the functionality is as claimed in the documentation.

Note: Keep in mind that the documentation referenced is for 12.2(52)SE, and I'm not sure which IOS is in use.

Best Regards,
Mike

Brian Carscadden Wed, 07/14/2010 - 11:58

Issue solved, in short there is no problem. Both streams were spanned to the monitoring port, however Wireshark sniffer didn't seem to show it. While I'm familiar with certain changes that may be needed on the NIC and Wireshark, a test last week with a different customer using SPAN and using the same laptop worked fine. While I'm puzzled as to what's wrong with the PC/Wireshark setup, I'm glad that all is well with the RSPAN setup. The client's voice recording vendor hooked up their system and said they see all the traffic.

Sincere thanks to those who assisted.

Regards,

Brian

michael.leblanc Wed, 07/14/2010 - 12:30

Brian:

Glad it worked out.

Any chance you were using display filters with Wireshark?

Perhaps filtering on source or destination port only (E.g.: udp.dstport == xx), rather than a port without directional specifity (E.g.: udp.port == xx), which would be relevant (if) the application did not use the same port number on each end of the connection.

Best Regards,

Mike

Actions

This Discussion