VTP Traffic not seen on SPAN port on 3750's

RonaldNutter
Level 1

Been dealing with a strange problem for several days now. It started out with a problem that I thought was VTP related but ended up being something else. I set up a span port on a 3750 that I am connected to that was mirroring the trunk connection coming into the switch.

Never saw any VTP traffic come across the connection, but doing a sh vtp status indicated the traffic was arriving and getting processed. When I found some debug commands (debug sw-lan vtp), I was also able to see the packets go between switches. Seeing this issue concerns me that there is other traffic that isn't showing up during a span session.

I know that doing a span on a switch, especially using a trunk port as a source, isn't a good idea. Since I didn't have a TAP at the time, this was my only choice. I have since borrowed a NetOptics TP-CU3 tap from a good friend and was able to confirm the VTP traffic was going across the trunk connection between switches.

I had seen a posting on a website/blog confirming that someone else had seen this same problem but can't find that link now. All of my 3750's are running 12.2.55.SE.

Has anyone else seen this problem?

1 Accepted Solution

krahmani323
Level 3

Hi Ronald

Have you also configured the 'encapsulation replicate' keyword on the SPAN destination configuration line?

monitor session 1 destination interface Gi 1/0/11 encapsulation replicate

=====================================================================

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/swspan.html#wp1204187

The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).

However, when you enter the encapsulation replicate keywords when configuring a destination port, these changes occur:

Packets are sent on the destination port with the same encapsulation—untagged, IEEE 802.1Q, or Inter-Switch Link (ISL)—that they had on the source port.

Packets of all types, including BPDU and Layer 2 protocol packets are monitored.

Therefore, a local SPAN session with encapsulation replicate enabled can have a mixture of untagged, 802.1Q, and ISL tagged packets appear on the destination port.

Regards.

Karim

=====================================================================
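
Added example (not part of the original posts or of Cisco's documentation): a Python check that can be run over raw frames taken from a SPAN destination port to confirm that the Layer 2 control protocols named in the quoted guide are present, so a monitoring blind spot like the one in this thread is caught early. The sample frames are constructed, ISL encapsulation is not parsed, and all function names are illustrative.

```python
import struct

CISCO_OUI = b"\x00\x00\x0c"
# Cisco SNAP protocol IDs for Layer 2 control protocols named in the quoted guide
SNAP_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP", 0x0104: "PAgP"}

def classify(frame: bytes):
    """Return (encapsulation, protocol) for one raw Ethernet frame without FCS."""
    try:
        encap, off = "untagged", 12
        (field,) = struct.unpack_from("!H", frame, off)
        if field == 0x8100:  # 802.1Q tag present: read VLAN ID, skip the 4-byte tag
            vlan = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
            encap, off = f"802.1Q vlan {vlan}", off + 4
            (field,) = struct.unpack_from("!H", frame, off)
        if field > 1500:  # EtherType, i.e. ordinary data traffic
            return encap, f"ethertype 0x{field:04x}"
        llc = frame[off + 2:off + 5]
        if llc == b"\x42\x42\x03":  # IEEE 802.1D BPDU
            return encap, "STP"
        if llc == b"\xaa\xaa\x03" and frame[off + 5:off + 8] == CISCO_OUI:
            (pid,) = struct.unpack_from("!H", frame, off + 8)
            return encap, SNAP_PIDS.get(pid, f"cisco-snap 0x{pid:04x}")
        return encap, "other-llc"
    except struct.error:  # frame too short to parse
        return "truncated", "unknown"

def missing_control_protocols(frames, expected=("CDP", "VTP", "DTP", "STP")):
    """Protocols expected on a trunk that never appear in the capture."""
    seen = {classify(f)[1] for f in frames}
    return set(expected) - seen

# --- constructed sample frames (not captured from a real switch) ---
SRC = bytes.fromhex("020000000001")
def llc_frame(dst_hex, llc, vlan=None):
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    body = llc + bytes(32)
    return bytes.fromhex(dst_hex) + SRC + tag + struct.pack("!H", len(body)) + body
def data_frame(ethertype, vlan=None):
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    return bytes.fromhex("020000000002") + SRC + tag + struct.pack("!H", ethertype) + bytes(46)

snap = lambda pid: b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", pid)
DEFAULT_SPAN = [data_frame(0x0800), data_frame(0x0806)]
REPLICATE_SPAN = [data_frame(0x0800, vlan=10), llc_frame("0180c2000000", b"\x42\x42\x03")] + [
    llc_frame("01000ccccccc", snap(p)) for p in (0x2000, 0x2003, 0x2004)]

if __name__ == "__main__":
    for name, cap in (("default", DEFAULT_SPAN), ("replicate", REPLICATE_SPAN)):
        print(name, "missing:", sorted(missing_control_protocols(cap)))
```

A non-empty result on a capture from a trunk that is known to carry these protocols suggests the mirror session is filtering them, which is the condition the quoted guide describes for a destination port without encapsulation replicate.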

8 Replies

zabeelmusa
Level 1

Are you spanning a trunk port as a source and the destination port being an access vlan? Access vlans will only see traffic from a single vlan. ??

What monitor commands are you using ?

Can you also say what's the strange problem?

Fabio:

To me, not being able to see VTP traffic on a spanned interface is "strange" because I am seeing everything else.

Zabeelmusa:

Yes, I am spanning a trunk port as a source.  The destination port has no configuration commands on it other than what you would see on a freshly powered up switch.

I am using monitor session 1 source interface gi1/0/1 on the trunked connection and monitor session 1 destination interface fa1/0/1.

Sweta:

I am working with this in a lab situation and have no pruning on the trunk.  In reading up on this, even if vlan 1 is pruned, traffic such as cdp and vtp will still use it and be accepted by the switch.

Karim:

I will try the keywords you have suggested.  What surprises me is that I thought I was seeing CDP and STP traffic.  Will go back into the lab and see what this change shows me.

Thanks to all and I will post an update once I have done additional testing later today.

Ron

smogra
Cisco Employee

What about pruning on that trunk link?

Are you using wireshark to filter vtp traffic?

Fabio:

I am capturing with Wireshark. Tried filtering for vtp and not filtering for vtp and didn't see any vtp traffic either way.

Ron

Karim:

The encapsulation replicate keyword at the end of the monitor setup allowed me to see the vtp traffic.  That is the only traffic that I was having a problem in seeing.

Here is the port config that I was using for the trunk ports -

switchport trunk encapsulation dot1q

switchport mode trunk

Here is the port config for the destination port where my sniffer pc was plugged into -

int fa1/0/24

! no configuration lines

This is the config I was using in the lab.  My production network is using 6509's and 3750's with a native vlan of something other than 1 and I do have vlan pruning going on.  I went with this simple config to reduce the variables I was fighting.

Thanks for the help,

Ron
