3850X Span Session ACL Filter Problem
05-18-2016 08:33 AM - edited 03-08-2019 05:49 AM
Hi, we saw a weird issue a few days earlier.
We have a SPAN session on a 3850X which has one destination port, let's say port number 20.
This SPAN session has an ACL filter applied to capture only data from 192.168.10.0 to any.
So we bought a new sniffer server.
We allocated a vacant port 21 on the 3850X for the SPAN session and added port 21 to the same session as port 20.
So now one SPAN session has two destination ports: port 20 already in production and port 21 currently DOWN but part of the SPAN session.
Now as soon as port 21 came up (when we turned up the new server), we were hoping both servers on ports 20 and 21 would start receiving the traffic.
What actually happened was that the old server on port 20 stopped receiving all traffic that matched the ACL; everything else was fed to the server, just not the required traffic that matched the ACL condition, that is 192.168.10.x to any.
So the server on port 20 was capturing all traffic but not the required traffic.
Any idea what caused the interesting traffic to stop going to the already running server as soon as port 21 (the new server) came up?
Labels: Other Switching
05-18-2016 10:57 AM
You should be able to have multiple destination ports in a SPAN session.
Can you share the ACL and SPAN session config?
05-18-2016 11:54 AM
monitor session 2 source interface Po1
monitor session 2 destination interface Gi1/0/20 (current production server)
monitor session 2 destination interface Gi2/0/21 (new server)
monitor session 2 filter ip access-group ACL-Filter
ip access-list extended ACL-Filter
 deny ip 192.168.10.0 0.0.0.255 10.120.0.0 0.0.255.255
 permit ip 192.168.10.0 0.0.0.255 any
So when the issue occurred I didn't get any packets for the permit ACL, but I did get packets for the deny ACL :0s and the rest of the unknown traffic.
05-18-2016 11:54 AM
Does it work better if you do:
monitor session 2 destination interface Gi1/0/20,Gi2/0/21
05-19-2016 08:45 AM
Tried that, same happened :( Now my next approach would be: remove the ACL first, then bring the server online, make it part of the SPAN session, and then apply the ACL filter again.
Let's see.
If there are any more suggestions, please do share.
05-19-2016 10:37 AM
Hi,
Can you run show monitor and share the result here?
05-25-2016 05:56 AM
Here is the output:
Session 2
---------
Type : Local Session
Source Ports :
Both : Po1
Destination Ports : Gi1/0/20,Gi2/0/21
Encapsulation : Native
Ingress : Disabled
IP Access-group : ACL-Filter
Here is what I did that didn't cause the issue.
I made sure that the SPAN session only has one port, the one that is already working.
Connect the 2nd server NIC to the switch (the port will come up).
Then I removed the ACL from the SPAN session.
Added the second port to the SPAN session.
Re-applied the ACL.
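A quick way to check what the filter ACL earlier in this thread should let through to the sniffers, and to compare the show monitor output above against what the session is supposed to contain before and after a change. This is an added example written for this page, not code from the thread or from Cisco; the ACL and show monitor text are constructed copies of what was posted, the helper names (parse_acl, acl_action, parse_show_monitor, session_checks) are my own, and the parser assumes contiguous wildcard masks and handles only address-level (ip) ACEs, which is all the posted ACL uses.

```python
import ipaddress
import re

# Constructed inputs copied from the thread so the script runs offline.
ACL_TEXT = """\
ip access-list extended ACL-Filter
 deny ip 192.168.10.0 0.0.0.255 10.120.0.0 0.0.255.255
 permit ip 192.168.10.0 0.0.0.255 any
"""

SHOW_MONITOR = """\
Session 2
---------
Type : Local Session
Source Ports :
Both : Po1
Destination Ports : Gi1/0/20,Gi2/0/21
Encapsulation : Native
Ingress : Disabled
IP Access-group : ACL-Filter
"""

ACE_RE = re.compile(r"^\s*(permit|deny)\s+ip\s+(.+)$", re.IGNORECASE)


def _wildcard_to_prefix(wildcard):
    """Turn an IOS wildcard mask (0 bits = must match) into a prefix length.
    Assumption: the wildcard is contiguous; anything else is rejected."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = (~w) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return prefix


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0).lower()
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    prefix = _wildcard_to_prefix(tokens.pop(0))
    return ipaddress.ip_network(f"{tok}/{prefix}", strict=False)


def parse_acl(text):
    """Return the ACEs of an extended 'ip' ACL as (action, src_net, dst_net)."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            tokens = m.group(2).split()
            src = _take_addr(tokens)
            dst = _take_addr(tokens)
            entries.append((m.group(1).lower(), src, dst))
    return entries


def acl_action(entries, src_ip, dst_ip):
    """First-match evaluation, as IOS does it. For a SPAN filter ACL 'permit'
    means the packet is mirrored and 'deny' means it is left out; a packet that
    matches nothing hits the implicit deny at the end and is not mirrored."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"


def parse_show_monitor(text):
    """Pull the 'show monitor' fields worth comparing before and after a change."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    dests = [p.strip() for p in fields.get("Destination Ports", "").split(",") if p.strip()]
    return {
        "source": fields.get("Both"),
        "destinations": dests,
        "filter": fields.get("IP Access-group") or None,
    }


def session_checks(session, expected_dests, expected_filter):
    """List discrepancies between the live session and what was intended."""
    problems = []
    missing = sorted(set(expected_dests) - set(session["destinations"]))
    if missing:
        problems.append(f"destination(s) missing: {', '.join(missing)}")
    if session["filter"] != expected_filter:
        problems.append(f"filter is {session['filter']!r}, expected {expected_filter!r}")
    return problems


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed flows. The last one is the return direction: this ACL only
    # matches 192.168.10.x as the *source*, so replies are never mirrored.
    for src, dst in [("192.168.10.5", "8.8.8.8"), ("192.168.10.5", "10.120.3.4"),
                     ("172.16.1.1", "192.168.10.5")]:
        print(f"{src} -> {dst}: {acl_action(acl, src, dst)}")
    sess = parse_show_monitor(SHOW_MONITOR)
    print(session_checks(sess, ["Gi1/0/20", "Gi2/0/21"], "ACL-Filter") or "session OK")
```

Running it prints permit for 192.168.10.x to the internet, deny for 192.168.10.x to 10.120.x.x, and deny for traffic towards 192.168.10.x, which is the set of flows each sniffer should be seeing if the session is healthy; the session check reports nothing for the posted show monitor output. Capturing show monitor into a file and running the check after every session change gives a quick way to spot a filter or destination that silently dropped off.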

05-19-2016 11:27 AM
Hi!
Can you please create 2 different ACLs with the same entries and try again?
This may be related to a TCAM issue.
Can you confirm if this helped?
Best regards!
JC
05-25-2016 05:52 AM
But how can I apply two different ACLs in the same SPAN session? Confused.... Here is what I did that didn't cause the issue.
I made sure that the SPAN session only has one port, the one that is already working.
Connect the 2nd server NIC to the switch (the port will come up).
Then I removed the ACL from the SPAN session.
Added the second port to the SPAN session.
Re-applied the ACL.
No issues reported. Now I am thinking what will happen if one server reboots; will the ACL act strange again? Can't tell right now. Will update if any such situation occurs. Unfortunately I can't test it, lots of escalations already going on due to the previous incident :)
