Cisco Support Community
New Member

RSPAN configuration question

Hello,

I have set up an RSPAN VLAN over 2960 switches.  Everything seems to be working great, except that I only receive the Tx traffic, no Rx. Is there something wrong in my config?

Typical access port:

interface FastEthernet0/10
 switchport mode access
 ip arp inspection limit rate 30
 no logging event link-status
 duplex full
 authentication control-direction in
 authentication event fail retry 1 action authorize vlan 999
 authentication event no-response action authorize vlan 999
 authentication order dot1x
 authentication port-control auto
 authentication violation protect
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 dot1x timeout tx-period 20
 dot1x timeout supp-timeout 10
 storm-control broadcast level 30.00 15.00
 storm-control action shutdown
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 30

Source:

monitor session 1 source interface Fa0/10
monitor session 1 destination remote vlan 9

Destination:

monitor session 1 destination interface Fa0/1
monitor session 1 source remote vlan 9

Any help would be appreciated, I have been scratching my head on this one  :-)

13 REPLIES

Re: RSPAN configuration question

Hey Martin,

Source:

monitor session 1 source interface Fa0/10
monitor session 1 destination remote vlan 9

Destination:

monitor session 1 destination interface Fa0/1
monitor session 1 source remote vlan 9

As far as I know you cannot have the destination port as a VLAN. It must be a physical port. Also, you need to have a dedicated RSPAN VLAN trunked between your switches, and also you cannot enable RSPAN on the same switch.

See for example http://aconaway.com/tag/rspan/

Re: RSPAN configuration question

Re: RSPAN configuration question

Sorry, the link may not work.

monitor session session source interface type/slot/port [, | - | rx | tx | both]

monitor session session source {interface type | vlan vlan-id [rx | tx | both] | remote vlan rspan-vlan-id}

Mike

Re: RSPAN configuration question

Hello Mike,

The direction of traffic to monitor is optional: "[both | rx | tx] are optional".

If a direction is not specified, the source interface sends both sent and received traffic, so in that case "both" is used.

So in Martin's example he should be receiving both sent and received traffic.

Francisco

New Member

Re: RSPAN configuration question

Hey, thanks guys.  It is a remote-span VLAN.  I think my setup is OK because I do receive the trace, but I only see the traffic coming in the interface I'm sniffing.  In other words, only the traffic coming out of the user PC, and not the traffic received by the user PC.

Also "both" was issued, but since it's the default it's not appearing.

Re: RSPAN configuration question

Martin,

Not sure if this may be related to your problem, but I got the statement below from the Cisco doc related to RSPAN.

Routing—SPAN does not monitor routed traffic. VSPAN only monitors traffic that enters or exits the switch, not traffic that is routed between VLANs. For example, if a VLAN is being Rx-monitored and the switch routes traffic from another VLAN to the monitored VLAN, that traffic is not monitored and not received on the SPAN destination port.

Regards

Francisco

Cisco Employee

Re: RSPAN configuration question

Hey Martin,

Config looks good. You say that you only see uni-directional traffic? With the configuration that you have, you should not have a problem. Have you tried breaking it down to a local SPAN session to see if the problem persists?

Would it be possible for you to post the show version from the switch here?

And what is the destination switch, is it a 2960 as well?

Thanks

New Member

Re: RSPAN configuration question

I just tried a local SPAN and I have the same issue.

This is the version I'm running:

Switch Ports Model              SW Version            SW Image                
------ ----- -----              ----------            ----------              
*    1 26    WS-C2960-24TC-L    12.2(50)SE1           C2960-LANBASEK9-M

Thanks for the help  :-)

New Member

Re: RSPAN configuration question

OK, never mind, found the problem, it's called McAfee lol

Cisco Employee

Re: RSPAN configuration question

Lol, I would say that this is not the first time I have seen a problem with the local PC firewall.

I handled a case some time back, when a bunch of computers would not be able to ping their default gateway, however you could ping all of those hosts from the gateway itself. Who would ever think about such a mass attack from local firewall settings, however turning them off on all of them resolved the problem.

The reason I had asked you to configure local SPAN was that I wanted to verify whether both SPAN and RSPAN were broken or not. The extra thing with RSPAN is that it creates a dummy VLAN which has the property of not learning a MAC address, hence I was trying to isolate whether it's a problem with the VLAN or the replication capacity of the switch.

Thanks

Pronoy

New Member

Re: RSPAN configuration question

Hi,

For those reading this thread and not understanding what Martin is referring to ..... if the TCP/IP stack is altered by software such as McAfee or Checkpoint, Black Ice, firewall, etc., this is a symptom of what happens - one-way traffic captures. My apologies, I was trying to lead you in this direction on Friday but wasn't able to post my suggestion ...... which would have been to check if any type of software may be affecting the TCP/IP stack.

Steve
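
An added example, not part of any post in this thread: a Python check that reads a capture taken at the SPAN destination and counts, for one monitored host, frames sent by it versus frames addressed to it, which confirms or rules out the one-way symptom described above. The MAC addresses and the in-memory pcap data are constructed samples, and the function names are illustrative.

```python
import struct

def direction_counts(pcap_bytes, host_mac):
    """Count Ethernet frames sent by and addressed to host_mac in a classic pcap."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if len(pcap_bytes) < 24 or struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    host = bytes.fromhex(host_mac.replace(":", ""))
    counts = {"from_host": 0, "to_host": 0, "other": 0}
    offset = 24  # first packet record follows the 24-byte global header
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) >= 14 and frame[6:12] == host:
            counts["from_host"] += 1   # source MAC is the monitored host
        elif len(frame) >= 14 and frame[0:6] == host:
            counts["to_host"] += 1     # unicast addressed to the monitored host
        else:
            counts["other"] += 1       # broadcast, multicast, other stations, runts
    return counts

def verdict(counts):
    if counts["from_host"] and counts["to_host"]:
        return "both directions present"
    if counts["from_host"] or counts["to_host"]:
        return "one-way capture"
    return "no traffic for this host"

# Constructed sample data: locally administered MACs, zero-filled payloads.
HOST, GATEWAY = "02:00:00:00:00:10", "02:00:00:00:00:01"

def eth(dst, src):
    raw = bytes.fromhex((dst + src).replace(":", ""))
    return raw + b"\x08\x00" + bytes(46)

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

ONE_WAY = build_pcap([eth(GATEWAY, HOST)] * 3)
BOTH_WAYS = build_pcap([eth(GATEWAY, HOST), eth(HOST, GATEWAY), eth(GATEWAY, HOST)])
```

For a real capture, pass the file's bytes and the MAC address of the PC on the monitored port; pcapng files need converting to classic pcap first.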

Re: RSPAN configuration question

Steve,

Good to know that.

Thanks for the insight into Martin's problem.

Francisco.

New Member

Re: RSPAN configuration question

Thanks for the help people!  :-)
