03-10-2011 08:15 AM - edited 08-23-2017 10:22 PM
The purpose of this document is to explain quickly how to capture packets on the trunk between the ACE and the Catalyst hosting the module.
This is one of the procedures TAC uses most often to troubleshoot what enters and exits the module.
Traffic should be captured from the backplane port connecting to the ACE module. Ideally, the captured traffic should be sent to a port configured as a trunk so that the VLAN tags are preserved. Note that some network adapters or drivers strip the VLAN tag before handing the frame to the capture application.
The sniff can be done by filtering just the VLANs of interest. This keeps out of the capture the intra-VLAN traffic that does not traverse the ACE module and in which we are not interested.
Capture-application settings that limit the storage the capture needs (snap length, file rotation) are covered in the notes further down. The few configuration steps on the Catalyst are:
Router(config)#monitor session 1 source interface TenGigabitEthernet 5/1 both
Router(config)#monitor session 1 destination interface GigabitEthernet 7/29
Router(config)#monitor session 1 filter vlan 100,200 <<<< (optional)
Configure the destination port as a trunk port so that the VLAN IDs will be preserved:
Router(config)#interface GigabitEthernet7/29
Router(config-if)#switchport
Router(config-if)#switchport trunk encapsulation dot1q
Router(config-if)#switchport mode trunk
Router(config-if)#switchport nonegotiate
NOTE: When connecting to GigabitEthernet 7/29 be sure to use a network capture device that keeps the 802.1Q tags it receives from the trunked port (see the note above about adapters and drivers that strip them).
In this way, VLAN tags will be preserved, and we will be able to clearly see which VLAN a packet arrived on, and which VLAN it exited on.
The following links are useful to preserve the VLAN tags for different operating systems:
http://wiki.wireshark.org/CaptureSetup/VLAN
When using a capture application, writing the capture to a ring of rotating files limits the storage required; the number of files to rotate depends on the amount of storage available.
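To check on the capture host that the procedure delivered what it should (802.1Q tags present, frames not truncated, and the same connection visible on both the client-side and the server-side VLAN), here is an added example in Python. It is not part of the original document; it parses a classic pcap file directly with the standard library, so it does not depend on Wireshark. The sample capture it builds, and every MAC, IP address, port and VLAN ID in it, are constructed and hypothetical.

```python
import struct
from collections import defaultdict

# Added example, not code from the original document. Verifies a capture taken on
# the SPAN / VACL-capture destination port: are 802.1Q tags present (so we can see
# which VLAN a frame arrived on and left on) and were frames cut by a short snaplen?
# All addresses, ports and VLAN IDs below are hypothetical, constructed sample data.

def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))

def build_frame(vlan, src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Ethernet [+ 802.1Q] + IPv4 + TCP SYN with zero checksums (hypothetical frame)."""
    eth = dst_mac + src_mac
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan & 0x0FFF)  # TPID + TCI (PCP/DEI = 0)
    eth += struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234,
                     0x4000, 64, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + tcp + payload

def build_pcap(records):
    """records: (timestamp, snaplen or None, frame). A snaplen shorter than the frame
    mimics a capture tool left at its default snap size."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for ts, snap, frame in records:
        caplen = len(frame) if snap is None else min(snap, len(frame))
        out += struct.pack("<IIII", ts, 0, caplen, len(frame)) + frame[:caplen]
    return out

def parse_pcap(data):
    """Yield (timestamp, caplen, origlen, frame_bytes) from a classic pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        ts, _, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts, caplen, origlen, data[off:off + caplen]
        off += caplen

def decode_frame(frame):
    """Return (vlan_id or None, (src, dst, proto, sport, dport) or None).
    vlan_id is None when the frame carries no 802.1Q tag (stripped or untagged)."""
    if len(frame) < 14:
        return None, None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, off = None, 14
    if ethertype == 0x8100 and len(frame) >= 18:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        return vlan, None
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    src = ".".join(map(str, frame[off + 12:off + 16]))
    dst = ".".join(map(str, frame[off + 16:off + 20]))
    if proto != 6 or len(frame) < off + ihl + 4:
        return vlan, (src, dst, proto, None, None)
    sport, dport = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
    return vlan, (src, dst, proto, sport, dport)

def analyze(data):
    """Group TCP frames by client endpoint (src, sport): the pre-NAT copy on the client
    VLAN and the post-NAT copy on the server VLAN then land under the same key."""
    flows, untagged, truncated = defaultdict(list), 0, 0
    for _, caplen, origlen, frame in parse_pcap(data):
        truncated += caplen < origlen
        vlan, tup = decode_frame(frame)
        untagged += vlan is None
        if tup and tup[3] is not None:
            flows[(tup[0], tup[3])].append((vlan, tup[1], tup[4]))
    return {"flows": dict(flows), "untagged": untagged, "truncated": truncated}

def problems(result):
    """Human-readable findings a practitioner would check before reading the trace."""
    out = []
    if result["untagged"]:
        out.append("%d untagged frame(s): destination not a trunk or NIC/driver stripped tags"
                   % result["untagged"])
    if result["truncated"]:
        out.append("%d truncated frame(s): raise the capture snap length" % result["truncated"])
    return out

# Constructed sample capture (hypothetical MACs/IPs/ports/VLANs).
CLIENT_MAC, ACE_MAC, RSERVER_MAC = (bytes.fromhex(h) for h in
                                    ("001122334455", "00000c07ac64", "00aabbccddee"))
SAMPLE_PCAP = build_pcap([
    # client -> VIP, seen arriving on client-side VLAN 100
    (1, None, build_frame(100, CLIENT_MAC, ACE_MAC, "10.1.1.10", "10.1.1.100", 40000, 80)),
    # same connection leaving the ACE to the real server on server-side VLAN 200
    (1, None, build_frame(200, ACE_MAC, RSERVER_MAC, "10.1.1.10", "10.2.2.20", 40000, 80)),
    # a second connection captured with the tag stripped and a 68-byte snap size
    (2, 68, build_frame(None, CLIENT_MAC, ACE_MAC, "10.1.1.10", "10.1.1.100", 40001, 80, b"x" * 40)),
])

if __name__ == "__main__":
    res = analyze(SAMPLE_PCAP)
    for key, hops in res["flows"].items():
        print(key, "->", [(v, d, p) for v, d, p in hops])
    for line in problems(res):
        print("WARNING:", line)
```

Against a real file, call analyze(open("ace.pcap", "rb").read()); a healthy capture from the trunked destination port reports zero untagged and zero truncated frames, and each client connection appears twice, once per VLAN.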
An alternative method of limiting the captured traffic is to use VACLs (VLAN ACLs). An IP access list specifies the traffic to capture; the remaining traffic is forwarded but not copied to the capture port:
ip access-list extended ALL_TRAFFIC
permit ip any any
ip access-list extended CAPTURE-HTTP
permit tcp any any eq www
vlan access-map HTTP_MAP 10
match ip address CAPTURE-HTTP
action forward capture
vlan access-map HTTP_MAP 20
match ip address ALL_TRAFFIC
action forward
vlan filter HTTP_MAP vlan-list 803-804
interface FastEthernet8/10
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport capture
switchport capture allowed vlan 803,804
no ip address
NOTE 1: Please note that on the packet capture tool (Wireshark, Ethereal, SnifferPro) the frame snap size should be set to unlimited; otherwise only the first 68 bytes of each frame may be captured.
NOTE 2: The monitor session copies entire frames, so the throughput of all the VLANs you filter (in both directions, since the session above captures "both") is summed on the destination port and must fit within its bandwidth; if the destination port is oversubscribed, copies are dropped and the capture is incomplete.
Local SPAN, RSPAN, and ERSPAN sessions allow you to monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or more destination ports.
A local SPAN session is an association of source ports and source VLANs with one or more destination ports. You configure a local SPAN session on a single switch. Local SPAN does not have separate source and destination sessions.
RSPAN supports source ports, source VLANs, and destination ports on different switches, which provides remote monitoring of multiple switches across your network. RSPAN consists of an RSPAN source session, an RSPAN VLAN, and an RSPAN destination session.
ERSPAN likewise supports source ports, source VLANs, and destination ports on different switches, but carries the copied traffic across routed hops. ERSPAN consists of an ERSPAN source session, routable ERSPAN GRE-encapsulated traffic, and an ERSPAN destination session.
More info regarding configuring SPAN:
Intel cards:
http://www.intel.com/support/network/sb/CS-005897.htm
Hello.
On some platforms there is the "monitor session 1 destination interface GigabitEthernet xx/yy encapsulation replicate" option. Is it mandatory to configure the destination port as an explicit 802.1Q trunk?
Hi Surya,
On the 6500 it is mandatory, since on that platform I'm not aware of the option you mentioned.
The options above in the document make sure we are able in the captures to access the vlan identification used on the trunk between the ACE and the Catalyst.
The "encapsulation replicate" should replicate all kinds of tags, including ISL tags, and is available on lower platforms than the 6500.
As long as the option "encapsulation dot1q" is available and used on the destination port, this should preserve the VLAN tags.
I hope this answers your question.
Alessandro
Thanks, Alessandro, for this useful write up.
We were scratching our heads over how to effectively span ACE traffic before finding this. I had forgotten that the ACE module actually has an internal 10 Gbps port on the Catalyst chassis.