Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Monitor session - RSPAN - no output

I am having difficulties with getting RSPAN traffic over my trunk link.

Here's the setup .

PC1 ---Gi1/0/1--- Core Sw -Gi1/0/2---Gi1/0/1--- Access switch ---Gi1/0/2--- PC2

PC3 ---Gi1/0/3--------|

PC 3 is sniffer.

PC1: 192.168.1.1/24

Core switch: 192.168.1.2/24 (Gi1/0/1)

Core Switch: 192.168.2.2/24 (Gi1/0/2)

Access switch: 192.168.2.1/24 (Gi1/0/1)

Access switch: 192.168.3.1/24 (Gi1/0/2)

PC2: 192.168.3.2/24

Cisco IOS 3750

Core sw

Interface Gi1/0/1

no switchport

ip address 192.168.1.2 255.255.255.0

no shut

Interface Gi1/0/2

no switchport

ip address 192.168.2.2 255.255.255.0

no shut

monitor session 1 source remote vlan 999

monitor session 1 destination interface Gi1/0/3

monitor session 2 source interface Gi1/0/1 rx

monitor session 2 destination remote vlan 999

Cisco IOS 3750

Access switch

Interface Gi1/0/1

no switchport

ip address 192.168.2.1 255.255.255.0

no shut

Interface Gi1/0/2

no switchport

ip address 192.168.3.1 255.255.255.0

no shut

monitor session 1 source interface gi1/0/2 rx

monitor session 1 destination remote vlan 999

I'm trying to ping from PC 2 to PC 1. Aparently, it wasn't captured on PC3 for some reason.

Could anyone help look at whether my "monitor session" statements are correctly configured.

Thanks.

22 REPLIES
Bronze

Re: Monitor session - RSPAN - no output

You need to tell the VLAN he is a remote span VLAN.

conf t

vlan 199

remote span

verify the remote-span vlan by using "show vlan remote-span" it should be a remote span vlan on all switches. Make sure no other traffic is using that VLAN.

HTH,

Craig

New Member

Re: Monitor session - RSPAN - no output

That command i think is a 6500 switch command. Is there a 3750 equivalent command?

Bronze

Re: Monitor session - RSPAN - no output

I just verified it on my 3750, works fine.

IOS 12.2(46)SE Adv IP Services image.

HTH,

Craig

New Member

Re: Monitor session - RSPAN - no output

Thanks Craig.

I will try it out tomorrow first thing in the morning. Will keep ya posted.

New Member

Re: Monitor session - RSPAN - no output

monitor session 1 source remote vlan 999

monitor session 1 destination interface Gi1/0/3

monitor session 2 source interface Gi1/0/1 rx

monitor session 2 destination remote vlan 999

I have gotten the output from remote vlan. But it doesn't have all the output I want. Seems like nothing is coming out from

monitor session 2 source interface Gi1/0/1 rx

monitor session 2 destination remote vlan 999

For the above statement,

Is it right to copy the traffic to the remote vlan 999 and have the remote vlan 999 traffic go to destination port on the same switch? The reason I'm asking is because I am not getting any output from the above 2 statements.

Bronze

Re: Monitor session - RSPAN - no output

Is there a reason you are sending it to an RSPAN on the same switch? I don't know if that would work.

What I would recommend (since the 3750 supports 2 source span sessions):

monitor session 1 source interface gi 1/0/3

monitor session 1 destination interface gi 1/0/3

monitor session 2 source interface gi 1/0/1

monitor session 2 destination remote vlan 999

This would send traffic to the gi 1/0/3 interface as well as the RSPAN.

HTH,

Craig

Cisco Employee

Re: Monitor session - RSPAN - no output

In order to carry the RSPAN traffic accross the switch you need to have RSPAN Vlan configured on all the switches. Also Please make sure that you have L2 trunk link between all the switches for RSPAN to work. It looks like you are configuring the link between the switches as L3 links and I wonder that it will not work the same way as you are expecting. Do the following:

A. Please remove the L3 port interface config from the switches.

B. Assign the same IP to the Vlan SVI's.

C. Create trunk link between all the switches and make sure that RSPAN vlan exists on all the switches.

This should work fine and in case of any problem, paste your config.

HTH,

-amit singh

New Member

Re: Monitor session - RSPAN - no output

amit,

I don't mean to hijack this thread, but I have a question regarding SPAN sessions and the direction of traffic.

According to Cisco documentation:

"Monitored Traffic Direction

You can configure local SPAN sessions, RSPAN source sessions, and ERSPAN source sessions to monitor ingress traffic (called ingress SPAN), or to monitor egress traffic (called egress SPAN), or to monitor traffic flowing in both directions.

Ingress SPAN copies traffic received by the source ports and VLANs for analysis at the destination port. Egress SPAN copies traffic transmitted from the source ports and VLANs. When you enter the both keyword, SPAN copies the traffic received and transmitted by the source ports and VLANs to the destination port."

I can understand how either direction of traffic on a port is mirrored to the destination port.

But if you have a layer three switch and you desiginate the direction of traffic like so:

monitor session 1 source vlan 2-20 rx

monitor session 1 destination interface Gi1/1

It the traffic mirrored from the layer 2 vlan or the SVI of the vlan on the switch?

If it is the layer 2 vlan, what is considered the ingress or egress point of the layer 2 vlan?

If it is the SVI of the vlan, would the mirrored traffic be the traffic received on the SVI from the devices in the vlan using the SVI as a default gateway?

Bronze

Re: Monitor session - RSPAN - no output

It the traffic mirrored from the layer 2 vlan or the SVI of the vlan on the switch?

Traffic is mirrored from the Layer 2 VLAN, in effect it really just adds all the ports that are assigned to VLAN 2 including trunk interfaces.

If it is the layer 2 vlan, what is considered the ingress or egress point of the layer 2 vlan?

Either ingress, egress or both, again you are just monitoring all the ports in the specified VLAN.

If it is the SVI of the vlan, would the mirrored traffic be the traffic received on the SVI from the devices in the vlan using the SVI as a default gateway?

Not the SVI, any traffic routed will not be monitored, whether ingress or egress.

HTH,

Craig

New Member

Re: Monitor session - RSPAN - no output

Hi amit,

Besides the L3 ports, I have trunk ports between switches configured. They work fine.

Apparently it works for the one part (Access switch to core) , and the part (RSPAN on core switch) that doesn't work is the one which I have mentioned.

I understand remote span works across switches. But it seems to me that copying traffic from a source port to a desintation remote span vlan on the same switch didn't give any output. So I was just clarify what I didn't do right.

Bronze

Re: Monitor session - RSPAN - no output

Sorry, just looked over my post, I mistyped one of your interfaces.

monitor session 1 source interface gi 1/0/1

monitor session 1 destination interface gi 1/0/3

monitor session 2 source interface gi 1/0/1

monitor session 2 destination remote vlan 999

First line should have been a source interface of gi 1/0/1, so this would send span traffic to Gi 1/0/3 and to your RSPAN for int gi 1/0/1.

Craig

New Member

Re: Monitor session - RSPAN - no output

Thanks Craig,

So uisng this explanation:

"Traffic is mirrored from the Layer 2 VLAN, in effect it really just adds all the ports that are assigned to VLAN 2 including trunk interfaces.

If it is the layer 2 vlan, what is considered the ingress or egress point of the layer 2 vlan?

Either ingress, egress or both, again you are just monitoring all the ports in the specified VLAN.'

And with this config:

monitor session 1 source vlan 2-20 rx

monitor session 1 destination interface Gi1/1

We can say that all traffic on the ingress of each individual port in vlans 2-20 will be mirrored to interface Gi1/1?

and conversely,

We can say that all traffic on the egress of each individual port in vlans 2-20 will be mirrored to interface Gi1/1 with this config:

monitor session 1 source vlan 2-20 tx

monitor session 1 destination interface Gi1/1

Bronze

Re: Monitor session - RSPAN - no output

Absolutely, and here is a link that probably explains it better than I did :)

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/13ew/configuration/guide/span.html#wp1020390

Craig

New Member

Re: Monitor session - RSPAN - no output

I would like to monitor both PC 1 and 2 and copy the traffic to Gi1/0/3. How does the following lines do that?

Am I right in saying that based on the following lines proposed? I won't be monitoring traffic from remote vlans since I don't see "source remote vlan 999" in the proposed line.

#####################

monitor session 1 source interface gi 1/0/1

monitor session 1 destination interface gi 1/0/3

monitor session 2 source interface gi 1/0/1

monitor session 2 destination remote vlan 999

First line should have been a source interface of gi 1/0/1, so this would send span traffic to Gi 1/0/3 and to your RSPAN for int gi 1/0/1.

#####################

Bronze

Re: Monitor session - RSPAN - no output

Ah, ok I see what you are trying to do, I thought you were just monitoring just the one port.

In that case,

monitor session 1 source interface gi 1/0/1

monitor session 1 source remote vlan 999

monitor session 1 destination interface gi 1/0/3

Craig

New Member

Re: Monitor session - RSPAN - no output

Hi Craig,

I think I have tried the commands you suggested, but the system allowed only either the source interface or source remote span session. What IOS version are you using on your 3750. I don't think I'm using the latest version.

Alan

New Member

Re: Monitor session - RSPAN - no output

Does anyone know if the following 3 commands on all Cisco 3750s ? I don't think it works on mine?

monitor session 1 source interface gi 1/0/1

monitor session 1 source remote vlan 999

monitor session 1 destination interface gi 1/0/3

Bronze

Re: Monitor session - RSPAN - no output

That was my bad, you can't combine both RSPAN and an interface in the same monitor session, it is either a RSPAN or not and RSPAN, not both.

Unfortunately I can't think of any other way to get the traffic you are wanting... I'm sure there is something I'm missing from the puzzle, maybe I will hit a eureka moment in the middle of the night :)

Maybe try:

monitor session 1 source int gi 1/0/1

monitor session 1 destination remote vlan 998

monitor session 2 source remote vlan 999

monitor session 2 source remote vlan 998

monitor session 2 destination int gi 1/0/3

You can have as many sources as you want, just a maximum number of 2 sessions, can't mix interfaces with VLAN's, so that meets all of the requirements...

HTH,

Craig

New Member

Re: Monitor session - RSPAN - no output

Hi Craig,

Appreciate your help in this matter.

I've tried

monitor session 2 source remote vlan 999

monitor session 2 source remote vlan 998

monitor session 2 destination int gi 1/0/3

But it seems that only 1 source remote vlan was allowed on my Cisco 3750 though. Won't work in my scenario. Does it work over your end?

Bronze

Re: Monitor session - RSPAN - no output

I've been out of my office for a few days, and my terminal server has been hung up, I'll have someone reset it and see what I can come up with.

Craig

New Member

Re: Monitor session - RSPAN - no output

Hi, anyone able to help ?

Thanks in advance.

New Member

Re: Monitor session - RSPAN - no output

Hello, appreciate any help :)

434
Views
15
Helpful
22
Replies