RSPAN cisco + hp procurve 6120xg

Maxim Bezzubov
Level 1

Hi,

I need a copy of the Internet traffic. I have the following network topology from the Cisco switches to the VM:

2960 - 3750 -+- Cisco 3120 ---------+- VMware dSwitch - VM vNIC
             |                      |
             +- HP ProCurve 6120xg -+

 

// RSPAN on the 2960

vlan 61
 remote-span

interface FastEthernet0/2
 description ===== Internet-inside =====
 switchport access vlan 950
 switchport mode access
// this port is connected to the 3750

interface FastEthernet0/12
 description ===== SPAN_INET =====
 switchport trunk allowed vlan 61
 switchport mode trunk
// this port is also connected to the 3750

monitor session 1 source interface Fa0/2
monitor session 1 destination remote vlan 61


3750:
// different VTP domain

vlan 61
 remote-span

interface GigabitEthernet2/0/3
 description ===== Internet =====
 switchport access vlan 193
 switchport mode access
// connected to Fa0/2 on the 2960 (the Internet traffic)

interface GigabitEthernet3/0/10
 description ===== SPAN_INET =====
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 61
 switchport mode trunk
// connected to Fa0/12 on the 2960 (the mirrored copy of the Internet traffic)

interface TenGigabitEthernet3/0/1
 description ===== BLADE_TRUNK_MEMBER 6120s09 =====
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 500
 switchport trunk allowed vlan 1,2,4,5,7,50,51,60-62
 switchport mode trunk
 switchport nonegotiate
// trunk to the HP 6120xg

On the HP ProCurve 6120xg:

vlan 61
   name "SPAN"
   tagged 1-16,22
   no ip address
   exit
// ports 1-16 are the hosts, 22 is the trunk to the 3750

 

I did some research and found that if the VM is on a physical host behind the HP ProCurve blade switch 6120xg, there is no mirrored traffic at all, whereas if the VM is on a physical host behind the Cisco blade switch, the mirrored traffic does arrive on the VM's vNIC. I checked this with Wireshark on a Windows OS.

Is something wrong with the 6120xg tagging? Maybe the 6120xg is somehow wiping the original VLAN of the frame...

There is no problem with the Cisco blade switch.

I have a lot of VLANs on the production ProCurve, and when I set them on a VMware port group there is no problem; the problem is with the RSPAN VLAN only.

1 Accepted Solution

Hitesh, Maxim,

Hitesh: You are correct that if the destination switch were a Cisco switch, Maxim would need to configure a destination RSPAN session. However, the destination switch is an HP switch, and it is not certain whether it supports anything similar to RSPAN.

Maxim: In my opinion, the primary reason why your VMs do not see the mirrored traffic is that the HP switch does not handle VLAN 61 in any special way. The biggest operational difference between an RSPAN VLAN and a regular VLAN is that in an RSPAN VLAN no MAC address learning shall be performed, so that the mirrored traffic is always flooded across the whole RSPAN VLAN, wherever the destination switch might be. If your HP switch performs MAC address learning in VLAN 61, it most probably does not flood the mirrored traffic to the monitoring device, simply because the destination MAC address appears to be connected elsewhere.

The first thing you should try to find out is whether the HP switch also has a concept of an RSPAN VLAN (note that it may be called something else; I have no idea about the possible name, though), and if so, make sure that VLAN 61 is treated as an RSPAN VLAN by the HP switch. If not, try to find out whether it is at least possible to deactivate MAC address learning in VLAN 61 on the HP switch.

Best regards,
Peter


4 Replies

Hitesh Vinzoda
Level 4

I think you would need to create a destination SPAN session from the RSPAN VLAN.

Creating an RSPAN Destination Session and Enabling Ingress Traffic

Beginning in privileged EXEC mode, follow these steps to create an RSPAN destination session, to specify the source RSPAN VLAN, and to enable ingress traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance):

Step 1: configure terminal
  Enter global configuration mode.

Step 2: monitor session session_number source remote vlan vlan-id
  Specify the RSPAN session and the source RSPAN VLAN.
  For session_number, specify 1 or 2.
  For vlan-id, specify the source RSPAN VLAN to monitor.

Step 3: monitor session session_number destination interface interface-id [encapsulation {dot1q [ingress vlan vlan-id] | isl [ingress]} | ingress vlan vlan-id]
  Specify the RSPAN session, the destination port, the packet encapsulation, and the ingress VLAN.
  For session_number, specify 1 or 2.
  For interface-id, specify the destination port. Valid interfaces include physical interfaces.
  (Optional) Specify the encapsulation of the packets transmitted on the RSPAN destination port. If no encapsulation is specified, all transmitted packets are sent in native format (untagged).
  Enter encapsulation dot1q to send native VLAN packets untagged and all other VLAN tx packets tagged dot1q.
  Enter encapsulation isl to send all tx packets encapsulated using ISL.
  (Optional) Specify whether forwarding is enabled for ingress traffic on the SPAN destination port.
  For native (untagged) and dot1q encapsulation, specify ingress vlan vlan-id to enable ingress forwarding with vlan-id as the native VLAN; vlan-id is also used as the native VLAN for transmitted packets.
  Specify ingress to enable ingress forwarding when using ISL encapsulation.

Step 4: end
  Return to privileged EXEC mode.

Step 5: show monitor [session session_number]
  Verify your entries.

Step 6: copy running-config startup-config
  (Optional) Save your entries in the configuration file.

This example shows how to configure VLAN 901 as the source remote VLAN and how to configure the destination port for ingress traffic on VLAN 5 by using a security device that supports 802.1Q encapsulation:

Switch(config)# monitor session 1 source remote vlan 901
Switch(config)# monitor session 1 destination interface fastEthernet0/5 ingress vlan 5
Switch(config)# end


As Peter Paluch said, traffic in the RSPAN VLAN is copied to all ports in that VLAN except the incoming port, so switches that don't support the RSPAN concept must act like hubs for that VLAN. Since hubs, as layer 1 devices, don't use MAC addresses, we only need to disable MAC learning for that particular VLAN on managed switches.

For example, on H3C models it can be done like this:

vlan xxx
 mac-address mac-learning disable

BUT if the switch has already learned some MACs, then after disabling learning we need to delete them so that the switch starts sending packets out of the other ports. From system-view:

undo mac-address vlan xxx

Maxim Bezzubov
Level 1

Peter,

"in RSPAN VLAN, no MAC address learning shall be performed so that the mirrored traffic is always flooded across the whole RSPAN VLAN"

Yes. You are very close to the correct answer. I have found out that the problem was the enabled storm (broadcast) control on the HP ProCurve switch. That dumb switch didn't know anything about the RSPAN VLAN. I had to increase the level of permitted flood traffic or disable this feature entirely to resolve the issue. Thanks for your opinion and help.
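As an added illustration (not part of the thread, and not ProCurve, Cisco or H3C code), the following Python model reproduces both mechanisms discussed in this thread: Peter's point in the accepted solution that a switch which learns MAC addresses in VLAN 61 stops flooding the mirrored copies to the monitor port, and Maxim's finding above that storm control on the 6120xg discards the copies even when they are flooded. The port numbers (trunk on 22, monitor VM on blade port 5), the MAC addresses and the per-interval flood budget are constructed assumptions for the example.

```python
"""Toy model of a non-RSPAN-aware switch forwarding frames in the RSPAN VLAN.

Added example, not code from the thread.  Port numbers, MAC addresses and the
storm-control budget are constructed for illustration only.
"""

RSPAN_VLAN = 61
TRUNK_PORT = 22                  # uplink from the 3750 carrying VLAN 61 tagged
MONITOR_PORT = 5                 # blade slot whose VM runs Wireshark (assumed)
BLADE_PORTS = range(1, 17)       # ports 1-16 are hosts, as in the 6120xg config

INSIDE_HOST = "00:11:22:33:44:aa"    # constructed MAC of the internal client
INTERNET_HOST = "00:11:22:33:44:bb"  # constructed MAC of the Internet-side peer


class ToySwitch:
    """Per-VLAN learning bridge with an optional flood budget per interval.

    flood_budget models storm control crudely: once this many frames have been
    flooded in the interval, further unknown-unicast/broadcast frames are dropped.
    """

    def __init__(self, ports, mac_learning=True, flood_budget=None):
        self.ports = set(ports)
        self.mac_learning = mac_learning
        self.flood_budget = flood_budget      # None = storm control disabled
        self.fdb = {}                         # (vlan, mac) -> port
        self.flooded = 0
        self.storm_dropped = 0

    def forward(self, ingress, vlan, src, dst):
        """Return the set of egress ports chosen for one frame."""
        if self.mac_learning:
            self.fdb[(vlan, src)] = ingress
        known = self.fdb.get((vlan, dst))
        if known is not None:
            # Known unicast: one egress port, or a silent drop when the
            # destination was learned on the very port the frame arrived on.
            return set() if known == ingress else {known}
        # Unknown unicast: flood the VLAN (minus the ingress port), subject
        # to the storm-control budget.
        if self.flood_budget is not None and self.flooded >= self.flood_budget:
            self.storm_dropped += 1
            return set()
        self.flooded += 1
        return self.ports - {ingress}


def mirrored_conversation(n_frames):
    """Both directions of one mirrored flow, as they arrive on the trunk."""
    for i in range(n_frames):
        if i % 2 == 0:
            yield INSIDE_HOST, INTERNET_HOST
        else:
            yield INTERNET_HOST, INSIDE_HOST


def run(mac_learning, flood_budget=None, n_frames=1000):
    """Return (frames seen by the monitor VM, frames dropped by storm control)."""
    sw = ToySwitch(list(BLADE_PORTS) + [TRUNK_PORT], mac_learning, flood_budget)
    seen = 0
    for src, dst in mirrored_conversation(n_frames):
        if MONITOR_PORT in sw.forward(TRUNK_PORT, RSPAN_VLAN, src, dst):
            seen += 1
    return seen, sw.storm_dropped


if __name__ == "__main__":
    print("learning on,  no storm control:", run(True))
    print("learning off, no storm control:", run(False))
    print("learning off, 100-frame budget:", run(False, flood_budget=100))
```

With learning on, only the very first mirrored frame reaches the monitor VM: both endpoint MACs are learned on the trunk port, so every later copy is a known unicast whose destination "lives" on the ingress port and is dropped (until the entries age out). With learning off, every copy floods to all sixteen blade ports, which is the hub-like behaviour the H3C reply describes. That also means the whole mirror stream is unknown-unicast from the 6120xg's point of view, so any broadcast/unknown-unicast rate limit applies to the entire RSPAN feed rather than to genuine storms, which is what the budget case shows.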
