RSPAN NOT WORKING

cyberpete · ‎02-06-2006

We have couple of trunked 6509s. I am trying to remote span (RSPAN) a port from one to the other. To no avail. The RSPAN vlan is 40. I can see that from the source switch if I "show vlan counters 40" that there are rapidly incrementing counters (source port is a 1GVB access port). So the source switch and port are chucking out loads of packets. But when I telnet over to the 2nd 6509 and issue the same command the vlan 40 counters remain at zero. In other words the traffic does not seem to be reaching the 2nd switch. I am running Ethereal for capturing the session but there is no inbound traffic to the destination port. (Just the Ethereal laptop attempting bootp/dhcp requests for an ip address). The source and dest ports are not in vlan 40. The config looks solid. I have tried mirroring not only the port but also an entire vlan and also another port - same outcome.

Question - why is RSPAN not port mirroring correctly to the 2nd switch? This will be a killer solution if I can get it to work as our switch fabric is widely dispersed.

Thanks in advance.

Peter@it-123.co.uk

mheusinger · ‎02-06-2006

Hello,

did you setup trunking for VLAN 40 properly?

Can you post your config regarding RSPAN?

Regards, Martin

nethelper · ‎02-06-2006

Hi,

I happened to just help somebody with a similar problem. This might not apply to you, but make sure that in the following configuration on the source switch:

monitor session 1 destination vlan 40 reflector-port f0/24

the port specified as the reflector-port (FastEthernet0/24 in this case) is an UNUSED port on the source switch. Apparently that piece of information is missing from the documentation somehow.

My apologies if that does not apply to you in your current situation...as Martin suggested, your configs might reveal something.

Regards,

Nethelper

cyberpete · ‎02-06-2006

Apolgies for any formatting issues below...

This is the RSPAN config from "source" side:-

6509SW> (enable) sh rspan

Rspan Type : Destination

Destination : Port 5/36

Rspan Vlan : 40

Admin Source : -

Oper Source : -

Direction : -

Incoming Packets: disabled

Learning : enabled

Multicast : -

Filter : -

Status : active

This is the "sh vlan 40 "source" side:-

-----------------------------------------

6509SW>> (enable) sh vlan 40

VLAN Name Status IfIndex Mod/Ports, Vlans

40 VLAN0040 active

267

4/1-4 15/1 (both trunks)

VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------

40 enet 100040 1500 - - - - - 0 0

VLAN MISTP-Inst DynCreated RSPAN

---- ---------- ---------- --------

40 - static enabled

-----------------------------------

WILL FORWARD SAME FOR DEST SIDE IN A MOMENT

cyberpete · ‎02-06-2006

from dest switch

------------------

6509-sw2>(enable) sh span

Destination : Port 5/21

Admin Source : VLAN 240

Oper Source : Port 1/2,2/2,3/1,3/5-6,4/1-4,5/18-19,5/22,5/28-31,5/34,5/41-45

,5/47-48,6/21-27,6/29,6/31-32,6/36-39,6/41,6/44-48,7/6-8,7/12-13,7/15-16,7/23-24

,7/27-36,7/39,7/43-44,7/47-48,8/1,8/3-4,8/9-11,8/17,8/19,8/21,8/23,8/29,8/31,8/3

5,8/43,8/48,9/9,9/11,9/13-15,15/1

Direction : transmit/receive

Incoming Packets: enabled

Learning : enabled

Multicast : enabled

Filter : -

Status : active

Total local span sessions: 1

This is the show trunk output from dest switch

-----------------------------------------------

sh trunk

* - indicates vtp domain mismatch

# - indicates dot1q-all-tagged enabled on the port

Port Mode Encapsulation Status Native vlan

-------- ----------- ------------- ------------ -----------

1/2 on isl trunking 1

2/2 on isl trunking 1

4/1 nonegotiate dot1q trunking 1

4/2 nonegotiate dot1q trunking 1

4/3 nonegotiate dot1q trunking 1

4/4 nonegotiate dot1q trunking 1

5/34 nonegotiate dot1q trunking 1

5/43 nonegotiate dot1q trunking 1

5/44 nonegotiate dot1q trunking 1

5/45 nonegotiate dot1q trunking 1

5/48 on dot1q trunking 1

6/36 nonegotiate dot1q trunking 1

6/44 nonegotiate dot1q trunking 1

6/48 nonegotiate dot1q trunking 1

15/1 nonegotiate isl trunking 1

Port Vlans allowed on trunk

-------- ---------------------------------------------------------------------

1/2 1,240,242,244-247

2/2 1,240,242,244-247

4/1 1-1005

4/2 1-1005

4/3 1-1005

4/4 1-1005

5/34 240,242,246-247

5/43 240,242,246-247

5/44 240,242,246-247

5/45 240,242,246-247

5/48 1,240-242,244-247

6/36 240,242,246-247

6/44 240,242,246-247

6/48 240,242,246-247

15/1 1-1005,1025-4094

Port Vlans allowed and active in management domain

-------- ---------------------------------------------------------------------

1/2 1,240,242,244-247

2/2 1,240,242,244-247

4/1 1,40,101,240,242,244-248,309-312,395-398,803,999

4/2 1,40,101,240,242,244-248,309-312,395-398,803,999

4/3 1,40,101,240,242,244-248,309-312,395-398,803,999

4/4 1,40,101,240,242,244-248,309-312,395-398,803,999

5/34 240,242,246-247

5/43 240,242,246-247

5/44 240,242,246-247

5/45 240,242,246-247

5/48 1,240,242,244-247

6/36 240,242,246-247

6/44 240,242,246-247

6/48 240,242,246-247

15/1 240,242,244-246,309,311,397,803

Port Vlans in spanning tree forwarding state and not pruned

-------- ---------------------------------------------------------------------

1/2 1,240,242,244-247

2/2 1,240,242,244-247

4/1 1,40,101,240,242,244-248,309-312,395-398,803,999

4/2 1,40,101,240,242,244-248,309-312,395-398,803,999

4/3 1,40,101,240,242,244-248,309-312,395-398,803,999

4/4 1,40,101,240,242,244-248,309-312,395-398,803,999

5/34 240,242,246-247

5/43 240,242,246-247

5/44 240,242,246-247

5/45 240,242,246-247

5/48 1,240,242,244-247

6/36 240,242,246-247

6/44 240,242,246-247

6/48 240,242,246-247

15/1 240,242,244-246,309,311,397,803

mheusinger · ‎02-06-2006

Hello,

The output of sw2 tells:

6509-sw2>(enable) sh span

Destination : Port 5/21

Admin Source : VLAN 240

Should that not be VLAN 40? Which one are you trying to monitor? Make sure the ports are in the same VLAN.

Hope this helps! Please rate all posts.

Regards, Martin

cyberpete · ‎02-06-2006

Im going to try the previous post shortly but cisco.com docs seem to say that the source and dest ports must not be in the rspan vlan - as if the rspan vlan is seperate mechanism?

nethelper · ‎02-06-2006

Hi,

that is what I thought too. Make sure your RSPAN traffic is directed to port 5/21. So, on the source switch you would have to configure:

Switch>(enable) set rspan source X 40

where ´X´ is the VLAN to be monitored, and 40 is your RSPAN VLAN.

On the destination switch you would configure:

Switch>(enable) set rspan destination 5/21 40

in order to direct traffic from the RSPAN VLAN to the port where your monitoring tool is connected to, 5/21 in your case...

Regards,

Nethelper

Richard Burts · ‎02-06-2006

Perhaps I missed something. But why is the source switch doing rspan and the destination switch doing span? When I have done it it was rspan on both ends?

HTH

Rick

HTH

Rick

cyberpete · ‎02-06-2006

Sorry guys - I typed "sh span" and I should have typed "sh RSPAN"

There's an extra ingredient here in that someone else here is running an ongoing long term SPAN session - all local. Using SPAN (and spanning a vlan).

It is me who is trying to do a remote span. I don't THINK there will be conflict between concurrent span and rspan - at least, the destination port I am using is completely free and available for my sniffer.

Earlier in the thread there is a comment about using a "monitor session" command – hmm. Can't find that on the 6509 switch at all. So, my understanding is this - you go to the switch that hosts the source port and tell it to create an rspan session using a special rspan vlan number and state the source port - on that same switch. You then go over to the other switch (the one from which you will be doing the sniff) and tell it to create an rspan session for the special rspan vlan - to a specific destination port on that 2nd switch.

The ONLY way I got ANY packets appearing on the 2nd switch on the destination monitor port (5/36) was if I stated a source of 3/1 40 (i.e. port 3/1 vlan 40) ON the 2nd switch.

But of course I am really seeing traffic from 3/1 port on the 2nd switch or traffic from 3/1 on the 1st switch (that hosts the source port)?

nethelper · ‎02-06-2006

Hello,

the ´monitor session´ is for IOS switches, so that wouldn´´t apply to you....

Can you post the full configurations of both switches ? Somewhere there must be something that is configured wrong.

Also, check this document for configuration guidelines and instructions:

Configuring SPAN and RSPAN

http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_configuration_guide_chapter09186a00801a5b33.html

Regards,

Nethelper