Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
725
Views
0
Helpful
2
Replies

RSPAN failed on 2960/3560

akw
Level 1
Level 1

‎02-11-2008 12:26 AM - edited ‎03-05-2019 09:04 PM

Hello.

I have set of 2960/3560 switches uplinked to 3750 core switch. When configuring RSPAN for TX&RX traffic on 2960/3560 switch everything works fine until CDP packet is received on monitored interface. After that NO UNICAST TX (egress) traffic from monitored port is copied to RSPAN VLAN. Only broadcasts and multicasts are copied. RX (ingress) traffic is copied to RSPAN VLAN normally.

Does anyone experienced this issue? Is it a configuration problem or IOS bug?

My config:

2960/3560:

monitor session 1 source interface Fa0/12

monitor session 1 destination remote vlan 401

output of sh vlan remote-span:

Remote SPAN VLANs

------------------------------------------------------------------------------

401

3750:

monitor session 1 source remote vlan 401

monitor session 1 destination interface g1/0/1

output of sh vlan remote-span:

Remote SPAN VLANs

------------------------------------------------------------------------------

401

VTP is enbaled an all switches for VLAN management.

Thanks for help.

Andrzej Kowalczyk

Labels:
0 Helpful
2 Replies 2

gauravshar
Level 2
Level 2

‎02-11-2008 03:08 AM

Hi,

Your config looks perfect to me. Let us know what IOS you are using in all the switches.

--gaurav

0 Helpful

akw
Level 1
Level 1
In response to gauravshar

‎02-11-2008 07:29 AM

The newest one: 12.2(44)SE

I made additional research and got results:

1. Everything is fine when device connected to monitored interface does not have CDP enbaled.

2. The problem appears when CDP packet is received from monitored host.

Look at the following scenario (S1) with RSPAN enabled for MonitoredHost and VLAN 401:

MonitoredHost----C3750_1----Trunk(with RSPAN VLAN 401)---Sniffer(with VLAN support)

In this case sniffer is receiving on VLAN 401 all(TX&RX) packets copied from interface having MonitoredHost connected to.

Now look at the following scenario (S2a):

MonitoredHost----C3750_1----Trunk(with RSPAN VLAN 401)---C3750_2--RSPANDest----Sniffer

In this case Sniffer receive unicast egress frames (transmited to monitored host) for MonitoredHost until first CDP packet sent by MonitoredHost.

"show cdp neighbours" issued on C3750_2 shows MonitoredHost as CDP neighbour along with C3750_1 - probably because copied (by RSAPN) CDP frame received on trunk interface.

-- Andrzej

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card