Re: 3560 SPAN Port Problem

cfujimura · ‎12-08-2010

I am testing a record software for Cisco IP Phones. This software must receive voice traffic from mirrorred ports on a 3560 switch. I´ve configured the span ports in this switch, but the only traffic I can see is broadcast and multicast. I didn´t see neither the audio streamming nor the call signaling (I can´t see any unicast traffic). Below is part of the configuration of the 3560 switch.

spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
switchport access vlan 23
switchport mode access
switchport voice vlan 51
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 23
switchport mode access
switchport voice vlan 51
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 23
switchport mode access
switchport voice vlan 51
spanning-tree portfast
!
interface FastEthernet0/4
switchport access vlan 23
switchport mode access
switchport voice vlan 51
spanning-tree portfast
!
interface FastEthernet0/5
switchport access vlan 23
switchport mode access
switchport voice vlan 51
spanning-tree portfast
!
interface FastEthernet0/6
switchport access vlan 23
switchport mode access
switchport voice vlan 51
spanning-tree portfast

!
interface FastEthernet0/14
switchport access vlan 23
switchport mode access
switchport voice vlan 51
spanning-tree portfast

!

interface FastEthernet0/48
speed 100
duplex full
spanning-tree portfast

!
monitor session 1 source interface Fa0/1 - 6 , Fa0/14
monitor session 1 filter vlan 51
monitor session 1 destination interface Fa0/48

The ports with IP Phones are 1 to 6 and 14. The port that will receive the VoIP traffic is 48.

The switch is loaded with C3560 Software (C3560-IPBASE-M), Version 12.2(50)SE1.

Have anyone had this problem before?

Best Regards.

Fujimura.

letsgomets · ‎12-08-2010

Have you tried removing the filter and see if you get any data?

cfujimura · ‎12-08-2010

I´ve tried already without the filter. The difference is that, without the filter, I see the broadcast and multicast from vlan 23 (vlan 23 is the pc vlan; the PCs are connect to the IP Phones; vlan 51 is the voice vlan). I´ve tried too the source as vlan 51 instead of the range of ports. But the result is the same with and without the filter.

Best Regards.

Fujimura.

letsgomets · ‎12-08-2010

It seems your configuration is not actually being applied. Try removing the session configuration and use a different session number of 2 or some other integer. If it still doesn't work you could be running into a software or hardware problem.

Another idea, just try a one to one session and see if you get data that way. Perhaps your control plane cannot process the number of source ports you are configuring.

cfujimura · ‎12-08-2010

I´ve tried another session (session id 2) with 1 to 1 port, but it didn´t work. I still is receiving only broadcast and multicast traffic.

Best Regards.

Fujimura.

tdistlists · ‎12-08-2010

I'm pretty sure that "monitor session 1 filter vlan 51" will only work if your source ports are trunk ports. In your case they are all access ports.

As for the problem, is your sniffer and/or tool in promiscuous mode?

cfujimura · ‎12-08-2010

The sniffer is working in promiscuous mode. The source of the traffic is only one port now. But I still receive broadcast and multicast traffic only.

Best Regards.

Fujimura.

cadet alain · ‎12-08-2010

I'm pretty sure that "monitor session 1 filter vlan 51" will only work if your source ports are trunk ports.

It is also working for voice ports

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_se/configuration/guide/swspan.html#wp1200141

Don't forget to rate helpful posts.

tdistlists · ‎12-08-2010

Hmmm...

Can you default interface f0/48 and re-configure it as a switchport? I'm tending to agree that the config didn't take. And did you try a different monitor session?

(Thanks for the clarification cadetalain!)

cadet alain · ‎12-08-2010

What does show monitor session says?

Don't forget to rate helpful posts.

cfujimura · ‎12-08-2010

Below is the output for the sh monitor session command.

IDF-46# sh monitor session 2 detail
Session 2
---------
Type                   : Local Session
Description            : -
Source Ports           :
    RX Only            : None
    TX Only            : None
    Both               : Fa0/14
Source VLANs           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source RSPAN VLAN      : None
Destination Ports      : Fa0/48
    Encapsulation      : Native
          Ingress      : Disabled
Filter VLANs           : None
Dest RSPAN VLAN        : None

Best Regards.

Fujimura.

cfujimura · ‎12-08-2010

I took off the spanning tree portfast from the destination port (port 48). In this port, there are only settings for speed (100Mbps) and duplex (full) that match the server´s interface configuration (100 Mbps, full duplex ). I changed already monitor session id to number 2. But the problem still happens.

The output for the sh runn (only show the FastEthernet0/48 setting) and sh interfaces fastEthernet 0/48 are shown below.

!
interface FastEthernet0/48
speed 100
duplex full

IDF-46#sh interfaces fastEthernet 0/48
FastEthernet0/48 is up, line protocol is down (monitoring)
Hardware is Fast Ethernet, address is 0024.f7e6.0a34 (bia 0024.f7e6.0a34)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 06:02:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 87142
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1000 bits/sec, 1 packets/sec
     2893 packets input, 301216 bytes, 0 no buffer
     Received 1774 broadcasts (838 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 838 multicast, 0 pause input
     0 input packets with dribble condition detected
     12422832 packets output, 4710427378 bytes, 0 underruns
     0 output errors, 10 collisions, 5 interface resets
     0 babbles, 16 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

Best Regards.

Fujimura.

regrajen · ‎12-11-2010

Hi Fujimura,

You would need to put the span destination port i.e fa0/48 in vlan 51 (switchport access vlan 51).

Please check if you receive the unicast traffic once this has been configured.

-Reghu.

cfujimura · ‎12-12-2010

Hi, Reghunath.

I´ve tried vlan 51 at mirrorred port (port 48), but it didn´t work. I still am receiving only broadcast and multicast traffic.

Best Regards.
Fujimura.

amikat · ‎12-13-2010

Hi,

Can you please try to modify your destination command as follows:

"monitor session 1 dest int fa0/48 enc replicate"

and see if there is any progress.

Best regards,

Antonin