Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

RSPAN only forwards broadcast traffic to destination port

Hello all,

I have configured an RSPAN monitoring session on a 2950 switch. I have configured a remote-span VLAN from the VTP server switch, and checked on my monitoring source switch (VTP client in the domain) that the VLAN shows up as a remote-span VLAN.

I have configured the reflector port on the client, and the destination port and source remote-vlan on the server.

No matter what VLAN I assign to the destination port - remote-span VLAN, vlan of the monitored source-port, no VLAN id at all, I only get Broadcast and multicast traffic forwarded to my monitor (wireshark).

I've seen various discussions of this over the last coupe of years, but no definitive answe (e.g. https://supportforums.cisco.com/message/544295#147017)

Has anyone got any further thoughts?

Many thanks,

Pete

2 ACCEPTED SOLUTIONS

Accepted Solutions
Hall of Fame Super Silver

Re: RSPAN only forwards broadcast traffic to destination port

Hello Pete,

RSPAN is supported only on enhanced image:

To use the RSPAN feature described in this section, you must have the EI installed on your switch. Follow these guidelines when configuring RSPAN:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/configuration/guide/swspan.html#wp1415108

what image have you got?

post sh ver | inc image

Hope to help

Giuseppe

Hall of Fame Super Silver

Re: RSPAN only forwards broadcast traffic to destination port

Hello Pete,

you have been kind to provide a feedback on this issue.

Probably other people may meet the same problem.

Best Regards

Giuseppe

16 REPLIES
Hall of Fame Super Silver

Re: RSPAN only forwards broadcast traffic to destination port

Hello Pete,

RSPAN is supported only on enhanced image:

To use the RSPAN feature described in this section, you must have the EI installed on your switch. Follow these guidelines when configuring RSPAN:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/configuration/guide/swspan.html#wp1415108

what image have you got?

post sh ver | inc image

Hope to help

Giuseppe

New Member

Re: RSPAN only forwards broadcast traffic to destination port

Many thanks for replying Giuseppe - I have tried on 2950's running EI.

What is of note, is that if I configure a new trunk, while runnign a constant ping against a target on the monitored source port, I get a single solitary Unicast packet through when the new trunk transitions to "Up", then nothing - I have tried this several time and the behaviour is constant.

New Member

Re: RSPAN only forwards broadcast traffic to destination port

OK, buried in one of the 2950 IOS release notes:

RSPAN Limitation

In a Remote Switched Port Analyzer (RSPAN) session, if at least one Catalyst 2950 switch is used as an

intermediate or destination switch

and if traffic for a port is monitored in both directions, traffic does

not reach the destination switch. (CSCdy38476)

These are the workarounds:

Use a Catalyst 3550 or Catalyst 6000 switch as an intermediate or destination switch.

Monitor traffic in only one direction if a Catalyst 2950 switch is used as an intermediate or

destination switch.

As soon as Iconfigure a 3750 as the destination for RSPAN it all works.

Hall of Fame Super Silver

Re: RSPAN only forwards broadcast traffic to destination port

Hello Pete,

you have been kind to provide a feedback on this issue.

Probably other people may meet the same problem.

Best Regards

Giuseppe

New Member

Re: RSPAN only forwards broadcast traffic to destination port

Hi Guys,

I know this thread is already answered but I have the same problem (only recieving Broadcast/Multicast) on my RSPAN session and I'm running it on all 6500's. All Switches are running Adv Enterprise IOS. Any ideas?

Hall of Fame Super Silver

Re: RSPAN only forwards broadcast traffic to destination port

Hello Paul,

have you configured the RSPAN vlan as rspan ?

something like:

conf t

vlan 999

remote-span

in all devices including intermediate switches

Hope to help

Giuseppe

New Member

Re: RSPAN only forwards broadcast traffic to destination port

Hi Giuseppe

I'm receiving the traffic but only Broadcast/Multicast so I take it that my RSPAN is working just that I'm not receiving all traffic.

The RSPAN VLAN is configured on 3 switches, The source, the intermediary and the destination. All 3 have "remote-span" enabled on the correct vlan which can be proven by running "show vlan remote-span". This does not show in the configuration as the VLANs are not configured at interface level.

I thought it might be the lack of the "reflector port" command on the source switch but the console would not accept this command and I have read somewhere that you only need the reflector port on some older or smaller switches.

Cheers.

Hall of Fame Super Silver

Re: RSPAN only forwards broadcast traffic to destination port

Hello Paul,

>> I thought it might be the lack of the "reflector port" command on the source switch but the console would not accept this command and I have read somewhere that you only need the reflector port on some older or smaller switches.

This is correct you don't need reflector port on C6500 switches

post sh monitor session all on first and last switch

Hope to help

Giuseppe

New Member

Re: RSPAN only forwards broadcast traffic to destination port

Only interested in Session 2 on both switches.

Source:

HOSTNAME#sh monitor session all
Session 2
---------
Type                   : Remote Source Session
Source Ports           :
    Both               : Gi1/1
Dest RSPAN VLAN        : 999

Egress SPAN Replication State:
Operational mode       : Centralized
Configured mode        : Centralized (default)

Session 9
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi2/1
Destination Ports      : Gi2/48

Egress SPAN Replication State:
Operational mode       : Centralized
Configured mode        : Centralized (default)

Destination:

HOSTNAME#sh monitor session all
Session 2
---------
Type                   : Remote Destination Session
Source RSPAN VLAN      : 999
Destination Ports      : Gi1/1

Why is the Egress SPAN Replication State missing here??

Session 3
---------
Type                   : Local Session
Source Ports           :
    Both               : Fa2/1
Destination Ports      : Gi1/2

Egress SPAN Replication State:
Operational mode       : Centralized
Configured mode        : Centralized (default)

FYI the config on the Destination switch is:

monitor session 2 destination interface Gi1/1
monitor session 2 source remote vlan 999

New Member

Re: RSPAN only forwards broadcast traffic to destination port

Also this:

HOSTNAME#sh monitor session remote detail
Session 2
---------
Type                   : Remote Destination Session
Description            : -
Source Ports           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source VLANs           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source RSPAN VLAN : 999
Destination Ports      : Gi1/1
Filter VLANs           : None
Dest RSPAN VLAN        : None
Source IP Address      : None
Source IP VRF          : None
Source ERSPAN ID       : None
Destination IP Address : None
Destination IP VRF     : None
Destination ERSPAN ID  : None
Origin IP Address      : None
IP QOS PREC            : 0
IP TTL                 : 255

Hall of Fame Super Silver

Re: RSPAN only forwards broadcast traffic to destination port

Hello Paul,

what kind of supervisors and PFCs are in your switches?

take in account the following restrictions, there are more limits with sup2/PFC2

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/span.html#wp1033684

the show output shows correctly for session 2

Hope to help

Giuseppe

New Member

Re: RSPAN only forwards broadcast traffic to destination port

All Switches are Sup720, PFC3A.

I can not open that link.

New Member

Re: RSPAN only forwards broadcast traffic to destination port

I located the link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/span.html#wp1033684

...and I could not see any of these restrictions being hit.

Hall of Fame Super Silver

Re: RSPAN only forwards broadcast traffic to destination port

Hello Paul,

I agree there are some limitations for ERSPAN with PFC3A but not for RSPAN

I suppose you have checked that the RSPAN vlan is permitted on L2 trunks between the three switches or you are using dedicated links allowing the RSPAN vlan.

Hope to help

Giuseppe

New Member

Re: RSPAN only forwards broadcast traffic to destination port

Hi again Giuseppe and thanks very much for your help/

The Broadcast/Multicast traffic that I am seeing via the RSPAN is from the the correct switchport (IP addresses are local to this port only) so the RSPAN is working... just not all traffic is being captured.

The RSPAN VLAN is allowed on all Trunk links in between.

mk
New Member

Re: RSPAN only forwards broadcast traffic to destination port

Have been playing around with exactly this in the lab.

2950 as intermediate and/or destination switch..

It doesn't work as per the IOS note, not even with just Rx or Tx source.

Only random packets get through, very few of them.

Plugged in a 3550 and the issue disappeared immediately.

3014
Views
5
Helpful
16
Replies
CreatePlease to create content