02-06-2006 02:01 AM - edited 03-03-2019 11:39 AM
We have a couple of trunked 6509s. I am trying to remote span (RSPAN) a port from one to the other. To no avail. The RSPAN vlan is 40. I can see that from the source switch if I "show vlan counters 40" that there are rapidly incrementing counters (source port is a 1GVB access port). So the source switch and port are chucking out loads of packets. But when I telnet over to the 2nd 6509 and issue the same command the vlan 40 counters remain at zero. In other words the traffic does not seem to be reaching the 2nd switch. I am running Ethereal for capturing the session but there is no inbound traffic to the destination port. (Just the Ethereal laptop attempting bootp/dhcp requests for an ip address). The source and dest ports are not in vlan 40. The config looks solid. I have tried mirroring not only the port but also an entire vlan and also another port - same outcome.
Question - why is RSPAN not port mirroring correctly to the 2nd switch? This will be a killer solution if I can get it to work as our switch fabric is widely dispersed.
Thanks in advance.
02-06-2006 02:11 AM
Hello,
did you setup trunking for VLAN 40 properly?
Can you post your config regarding RSPAN?
Regards, Martin
02-06-2006 02:23 AM
Hi,
I happened to just help somebody with a similar problem. This might not apply to you, but make sure that in the following configuration on the source switch:
monitor session 1 destination vlan 40 reflector-port f0/24
the port specified as the reflector-port (FastEthernet0/24 in this case) is an UNUSED port on the source switch. Apparently that piece of information is missing from the documentation somehow.
My apologies if that does not apply to you in your current situation...as Martin suggested, your configs might reveal something.
Regards,
Nethelper
02-06-2006 03:17 AM
Apologies for any formatting issues below...
This is the RSPAN config from "source" side:-
6509SW> (enable) sh rspan
Rspan Type : Destination
Destination : Port 5/36
Rspan Vlan : 40
Admin Source : -
Oper Source : -
Direction : -
Incoming Packets: disabled
Learning : enabled
Multicast : -
Filter : -
Status : active
This is the "sh vlan 40" from "source" side:-
-----------------------------------------
6509SW>> (enable) sh vlan 40
VLAN Name Status IfIndex Mod/Ports, Vlans
40 VLAN0040 active 267 4/1-4 15/1 (both trunks)
VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
40 enet 100040 1500 - - - - - 0 0
VLAN MISTP-Inst DynCreated RSPAN
---- ---------- ---------- --------
40 - static enabled
-----------------------------------
WILL FORWARD SAME FOR DEST SIDE IN A MOMENT
02-06-2006 03:27 AM
from dest switch
------------------
6509-sw2>(enable) sh span
Destination : Port 5/21
Admin Source : VLAN 240
Oper Source : Port 1/2,2/2,3/1,3/5-6,4/1-4,5/18-19,5/22,5/28-31,5/34,5/41-45
,5/47-48,6/21-27,6/29,6/31-32,6/36-39,6/41,6/44-48,7/6-8,7/12-13,7/15-16,7/23-24
,7/27-36,7/39,7/43-44,7/47-48,8/1,8/3-4,8/9-11,8/17,8/19,8/21,8/23,8/29,8/31,8/3
5,8/43,8/48,9/9,9/11,9/13-15,15/1
Direction : transmit/receive
Incoming Packets: enabled
Learning : enabled
Multicast : enabled
Filter : -
Status : active
Total local span sessions: 1
This is the show trunk output from dest switch
-----------------------------------------------
sh trunk
* - indicates vtp domain mismatch
# - indicates dot1q-all-tagged enabled on the port
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
1/2 on isl trunking 1
2/2 on isl trunking 1
4/1 nonegotiate dot1q trunking 1
4/2 nonegotiate dot1q trunking 1
4/3 nonegotiate dot1q trunking 1
4/4 nonegotiate dot1q trunking 1
5/34 nonegotiate dot1q trunking 1
5/43 nonegotiate dot1q trunking 1
5/44 nonegotiate dot1q trunking 1
5/45 nonegotiate dot1q trunking 1
5/48 on dot1q trunking 1
6/36 nonegotiate dot1q trunking 1
6/44 nonegotiate dot1q trunking 1
6/48 nonegotiate dot1q trunking 1
15/1 nonegotiate isl trunking 1
Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
1/2 1,240,242,244-247
2/2 1,240,242,244-247
4/1 1-1005
4/2 1-1005
4/3 1-1005
4/4 1-1005
5/34 240,242,246-247
5/43 240,242,246-247
5/44 240,242,246-247
5/45 240,242,246-247
5/48 1,240-242,244-247
6/36 240,242,246-247
6/44 240,242,246-247
6/48 240,242,246-247
15/1 1-1005,1025-4094
Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
1/2 1,240,242,244-247
2/2 1,240,242,244-247
4/1 1,40,101,240,242,244-248,309-312,395-398,803,999
4/2 1,40,101,240,242,244-248,309-312,395-398,803,999
4/3 1,40,101,240,242,244-248,309-312,395-398,803,999
4/4 1,40,101,240,242,244-248,309-312,395-398,803,999
5/34 240,242,246-247
5/43 240,242,246-247
5/44 240,242,246-247
5/45 240,242,246-247
5/48 1,240,242,244-247
6/36 240,242,246-247
6/44 240,242,246-247
6/48 240,242,246-247
15/1 240,242,244-246,309,311,397,803
Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
1/2 1,240,242,244-247
2/2 1,240,242,244-247
4/1 1,40,101,240,242,244-248,309-312,395-398,803,999
4/2 1,40,101,240,242,244-248,309-312,395-398,803,999
4/3 1,40,101,240,242,244-248,309-312,395-398,803,999
4/4 1,40,101,240,242,244-248,309-312,395-398,803,999
5/34 240,242,246-247
5/43 240,242,246-247
5/44 240,242,246-247
5/45 240,242,246-247
5/48 1,240,242,244-247
6/36 240,242,246-247
6/44 240,242,246-247
6/48 240,242,246-247
15/1 240,242,244-246,309,311,397,803
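The trunking question asked earlier in the thread can be checked mechanically against this kind of output. The following is an added example, not part of any post in this thread: it parses the three VLAN tables of a CatOS "sh trunk" listing and reports, per trunk port, in which of them the RSPAN VLAN appears. The function and table names are this example's own, and the sample rows are copied from the output above, trimmed to three ports.

```python
import re

# Sample rows copied from the "sh trunk" output posted above, trimmed to three ports.
SAMPLE = """\
Port      Vlans allowed on trunk
4/1       1-1005
5/34      240,242,246-247
15/1      1-1005,1025-4094
Port      Vlans allowed and active in management domain
4/1       1,40,101,240,242,244-248,309-312,395-398,803,999
5/34      240,242,246-247
15/1      240,242,244-246,309,311,397,803
Port      Vlans in spanning tree forwarding state and not pruned
4/1       1,40,101,240,242,244-248,309-312,395-398,803,999
5/34      240,242,246-247
15/1      240,242,244-246,309,311,397,803
"""

# Table name (this example's own label) -> header text that starts the table.
SECTIONS = (("allowed", "Vlans allowed on trunk"),
            ("active", "Vlans allowed and active"),
            ("forwarding", "Vlans in spanning tree forwarding"))

def expand(vlans):  # '1,40,244-248' -> {1, 40, 244, 245, 246, 247, 248}
    ids = set()
    for part in filter(None, (p.strip() for p in vlans.split(","))):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_trunk(text):
    """Return {table: {port: set_of_vlans}} for the three VLAN tables."""
    tables, current, last = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        name = next((k for k, hdr in SECTIONS if hdr in s), None)
        if name:
            current, last = tables.setdefault(name, {}), None
        elif current is not None and (m := re.match(r"(\d+/\d+)\s+([\d,\s-]+)$", s)):
            last, current[m.group(1)] = m.group(1), m.group(2)
        elif last and re.fullmatch(r"[\d,\s-]+", s):
            current[last] += s  # terminal-wrapped continuation of a long list
    return {k: {p: expand(v) for p, v in t.items()} for k, t in tables.items()}

def rspan_path(text, vlan):
    """Per trunk port, list the tables in which the VLAN appears."""
    t = parse_trunk(text)
    return {port: [k for k, _ in SECTIONS if vlan in t.get(k, {}).get(port, ())]
            for port in t.get("allowed", {})}
```

For VLAN 40 on the rows above, rspan_path(SAMPLE, 40) lists 4/1 in all three tables, 15/1 only in the allowed table, and 5/34 in none.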
02-06-2006 03:40 AM
Hello,
The output of sw2 tells:
6509-sw2>(enable) sh span
Destination : Port 5/21
Admin Source : VLAN 240
Should that not be VLAN 40? Which one are you trying to monitor? Make sure the ports are in the same VLAN.
Hope this helps! Please rate all posts.
Regards, Martin
02-06-2006 03:46 AM
I'm going to try the previous post shortly but cisco.com docs seem to say that the source and dest ports must not be in the rspan vlan - as if the rspan vlan is a separate mechanism?
02-06-2006 04:16 AM
Hi,
that is what I thought too. Make sure your RSPAN traffic is directed to port 5/21. So, on the source switch you would have to configure:
Switch>(enable) set rspan source X 40
where 'X' is the VLAN to be monitored, and 40 is your RSPAN VLAN.
On the destination switch you would configure:
Switch>(enable) set rspan destination 5/21 40
in order to direct traffic from the RSPAN VLAN to the port where your monitoring tool is connected to, 5/21 in your case...
Regards,
Nethelper
02-06-2006 06:28 AM
Perhaps I missed something. But why is the source switch doing rspan and the destination switch doing span? When I have done it it was rspan on both ends?
HTH
Rick
02-06-2006 07:18 AM
Sorry guys - I typed "sh span" and I should have typed "sh RSPAN"
There's an extra ingredient here in that someone else here is running an ongoing long term SPAN session - all local. Using SPAN (and spanning a vlan).
It is me who is trying to do a remote span. I don't THINK there will be conflict between concurrent span and rspan - at least, the destination port I am using is completely free and available for my sniffer.
Earlier in the thread there is a comment about using a "monitor session" command  hmm. Can't find that on the 6509 switch at all. So, my understanding is this - you go to the switch that hosts the source port and tell it to create an rspan session using a special rspan vlan number and state the source port - on that same switch. You then go over to the other switch (the one from which you will be doing the sniff) and tell it to create an rspan session for the special rspan vlan - to a specific destination port on that 2nd switch.
The ONLY way I got ANY packets appearing on the 2nd switch on the destination monitor port (5/36) was if I stated a source of 3/1 40 (i.e. port 3/1 vlan 40) ON the 2nd switch.
But of course I am really seeing traffic from 3/1 port on the 2nd switch or traffic from 3/1 on the 1st switch (that hosts the source port)?
02-06-2006 08:50 AM
Hello,
the 'monitor session' is for IOS switches, so that wouldn't apply to you....
Can you post the full configurations of both switches ? Somewhere there must be something that is configured wrong.
Also, check this document for configuration guidelines and instructions:
Configuring SPAN and RSPAN
Regards,
Nethelper
 
					
				
				
			
		