Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1284
Views
0
Helpful
3
Replies

EAPoL not showing in RSPAN session

Go to solution
payala
Level 1
Level 1

‎04-24-2017 11:32 AM - edited ‎03-11-2019 12:39 AM

Hello,

I hope that you can help me figuring out why am I not able to see any EAPoL messages on my remote SPAN port configuration, this is my scenario:

Laptop (authenticating) -- Switch1 -- Switch2 -- Laptop (Monitor)

For more detail scenario
Laptop -- <port g0/2> Switch1 (Cisco 3560-CG) <port g0/10> -- <port g1/0/15> Switch2 (Cisco 3750G) <port g2/0/2>

The configuration from switch1:
monitor session 1 source interface Gi0/1 - 7
monitor session 1 destination remote vlan 101

The configuration from Switch2:
monitor session 2 destination interface Gi2/0/2
monitor session 2 source remote vlan 101

AS you can see I'm using remote span configuration and using remote vlan 101 to carry all my traffic.

When I turn on tshark or wireshark and make a filter eapol or eth.type == 0x888e I can't see anything, no packets coming to that port.

Now what's important to mention is that if I use a local port on the 3560-CG, without any remote span am able to see all the packets, eapol and eth.type... What am I missing, should the cisco SPAN port forward all packets? There are no other commands for the cisco to configure special fields.

Thanks and I hope that someone can help me.

Regards

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
andrewswanson
Level 7
Level 7
In response to payala

‎04-26-2017 02:27 PM

Hi

See the following Cisco documenmtation:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swspan.html#wp1073772

It states that "RSPAN does not support BPDU packet monitoring or other Layer 2 switch protocols." whereas SPAN does

EAPOL would fall under this category so wouldn't be supported by RSPAN. Better explantion of this can be seen in the following blog:

https://mellowd.co.uk/ccie/?p=2403

hth
Andy

View solution in original post

0 Helpful
3 Replies 3

Go to solution
jan.nielsen
Level 7
Level 7

‎04-24-2017 02:35 PM

As far as i know EAP packets, are not captured on switch ports at all. At least not when i last tried it. you probably will need to use another "hub" between the switch and the device.

0 Helpful

Go to solution
payala
Level 1
Level 1
In response to jan.nielsen

‎04-24-2017 02:41 PM

Actually you can, only if I connect the SPAN port in the same switch, attached is the screenshots from the captures:

Preview file
42 KB
Preview file
42 KB
0 Helpful

Go to solution
andrewswanson
Level 7
Level 7
In response to payala

‎04-26-2017 02:27 PM

Hi

See the following Cisco documenmtation:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swspan.html#wp1073772

It states that "RSPAN does not support BPDU packet monitoring or other Layer 2 switch protocols." whereas SPAN does

EAPOL would fall under this category so wouldn't be supported by RSPAN. Better explantion of this can be seen in the following blog:

https://mellowd.co.uk/ccie/?p=2403

hth
Andy

0 Helpful
Customers Also Viewed These Support Documents