Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3646
Views
0
Helpful
2
Replies

SPAN port on distribution 6500 VSS

habeebuddin786
Level 1
Level 1

‎07-14-2012 01:44 AM - edited ‎03-07-2019 07:46 AM

Hello folks,

We would like to capture the traffic from the access switch 4510 on security appliance which has sniffer installed. It has 10G ports on it. I tried configuring on distribution 6500 VSS to capture the traffic from the access switch 4510 but nothing has observed. Its weird to notice that the security appliance is receiving the packets but not seeing any data capture.

Distribution switch 6500 VSS port Te1/2/13 is configured for security appliance:

int Te1/2/13

description sniffer (monitoring)

switchport

no shut

sh int Te1/2/13 observed the interface is up up in default vlan 1.

Run the following commad to capture the traffic. Source interface is downlinks to access switch (4510), in this case its Te1/2/3 and Te2/2/3 is configured as etherchannel 7.

6500-dist-vss(config)#monitor session 1 source interface te1/2/3 both  ------------------------> Tried giving one interface of access-switch 4510 but doesn't take it as its a member of port-channel7

% Etherchannel member(s) Te1/2/3 cannot be monitor source

6500-dist-vss(config)#

6500-dist-vss(config)#monitor session 1 source interface po 7 both  -----------------------------> given both after port-channel 7

6500-dist-vss(config)#monitor ses

6500-dist-vss(config)#monitor session 1 des

6500-dist-vss(config)#monitor session 1 destination inter te 1/2/13

6500-dist-vss#sh monitor session 1

Session 1

---------

Type                   : Local Session

Source Ports           :

    Both               : Po7

Destination Ports      : Te1/2/13

Egress SPAN Replication State:

Operational mode       : Centralized

Configured mode        : Centralized (default)

6500-dist-vss#sh int Te1/2/13

TenGigabitEthernet1/2/13 is up, line protocol is down (monitoring)

  Hardware is C6k 10000Mb 802.3, address is 649e.f3a5.5d44 (bia 649e.f3a5.5d44)

  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Full-duplex, 10Gb/s

  Transport mode LAN (10GBASE-R, 10.3125Gb/s), media type is 10Gbase-LR

  input flow-control is on, output flow-control is off

  Clock mode is auto

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input never, output 00:00:22, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 986000 bits/sec, 184 packets/sec

     0 packets input, 0 bytes, 0 no buffer

     Received 0 broadcasts (0 multicasts)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog, 0 multicast, 0 pause input

     0 input packets with dribble condition detected

     56724 packets output, 38271128 bytes, 0 underruns

     0 output errors, 0 collisions, 3 interface resets

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier, 0 PAUSE output

     0 output buffer failures, 0 output buffers swapped out

6500-dist-vss#

----------------------------------------------------------------------------------------------

6500-dist-vss(config)#monitor session 1 source int po7 rx --------------------------------> Tried giving Receive at port-channel 7 from access switch 4510

6500-dist-vss(config)#monitor session 1 destination interface Te1/2/13

6500-dist-vss(config)#^Z

6500-dist-vss#sh monito

6500-dist-vss#sh monitor ses

6500-dist-vss#sh monitor session

% Incomplete command.

6500-dist-vss#sh monitor session 1

Session 1

---------

Type                   : Local Session

Source Ports           :

    RX Only            : Po7

Destination Ports      : Te1/2/13

Egress SPAN Replication State:

Operational mode       : Centralized

Configured mode        : Centralized (default)

6500-dist-vss#sh int Te1/2/13

TenGigabitEthernet1/2/13 is up, line protocol is down (monitoring)

  Hardware is C6k 10000Mb 802.3, address is 649e.f3a5.5d44 (bia 649e.f3a5.5d44)

  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Full-duplex, 10Gb/s

  Transport mode LAN (10GBASE-R, 10.3125Gb/s), media type is 10Gbase-LR

  input flow-control is on, output flow-control is off

  Clock mode is auto

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input never, output 00:10:06, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 3854000 bits/sec, 1008 packets/sec

     0 packets input, 0 bytes, 0 no buffer

     Received 0 broadcasts (0 multicasts)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog, 0 multicast, 0 pause input

     0 input packets with dribble condition detected

     3523947 packets output, 2309711951 bytes, 0 underruns

     0 output errors, 0 collisions, 4 interface resets

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier, 0 PAUSE output

     0 output buffer failures, 0 output buffers swapped out

I thought since portchannel7 is 20 Gig and destination interface is 10Gig this might causing some issue or some bottleneck so I tried changing the source interface from po7 to te1/5/5 which is uplink to core 6500 and  this link is not member of port channel and its 10Gig:

6500-dist-vss(config)#monitor session 1 source int te 1/5/5 tx

6500-dist-vss(config)#monit

6500-dist-vss(config)#monitor sess

6500-dist-vss(config)#monitor session 1 des

6500-dist-vss(config)#monitor session 1 destination int te1/2/13 ?

  ,        Specify another range of interfaces

  -        Specify a range of interfaces

  ingress  Enable ingress traffic forwarding

  <cr>

6500-dist-vss(config)#monitor session 1 destination int te1/2/13

6500-dist-vss#sh monitor session 1

Session 1

---------

Type                   : Local Session

Source Ports           :

    TX Only            : Te1/5/5

Destination Ports      : Te1/2/13

Egress SPAN Replication State:

Operational mode       : Centralized

Configured mode        : Centralized (default)

But still no luck, the issue remains. Is something I am missing configuring the distination port. Kindly suggest.

Thanks,

-Ahmed

Labels:
0 Helpful
2 Replies 2

walter baziuk
Level 5
Level 5

‎09-26-2013 10:20 AM

i have the same issue!!!!

any soln yet

0 Helpful

Kevin Dorrell
Level 10
Level 10

‎02-16-2017 06:52 AM

"Its weird to notice that the security appliance is receiving the packets but not seeing any data capture."

I remember seeing somethig like this once.  It turned out the traffic I was trying to capture was dot1q tagged, and the NIC of my capture device was discarding it 'cos it wasn't expecting to see the tag.  I cannot remember how I overcame the problem, but it was something to do with the NIC driver in the capture device.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card