3850X Span Session ACL Filter Problem

ahmad82pkn
Level 2

Hi, we saw a weird issue a few days earlier.

We have a SPAN session on a 3850X which has one destination port, let's say port number 20.

This SPAN session has an ACL filter applied to only capture data from 192.168.10.0 to any.

So we bought a new sniffer server.

We allocated a vacant port 21 on the 3850X for the SPAN session and added port 21 to the same session as port 20.

So now we have one SPAN session with two destination ports: port 20 already in production, and port 21 currently down but part of the SPAN session.

Now, as soon as port 21 came up (when we turned up the new server), we were hoping both servers on ports 20 and 21 would start receiving the traffic.

What actually happened is that the old server on port 20 stopped receiving all traffic that matched the ACL; everything else was fed to the server, just not the required traffic that matched the condition, 192.168.10.x to any.

So the server on port 20 was capturing all traffic except the required traffic.

Any idea what caused the interesting traffic to stop going to the already running server as soon as port 21 (the new server) came up?


Borgenstrand
Level 1

You should be able to have multiple destination ports in a SPAN session.
Can you share the ACL and SPAN session config?

monitor session 2 source interface Po1
monitor session 2 destination interface Gi1/0/20 (current production server)
monitor session 2 destination interface Gi2/0/21 (new server)
monitor session 2 filter ip access-group ACL-Filter

ip access-list extended ACL-Filter
 deny ip 192.168.10.0 0.0.0.255 10.120.0.0 0.0.255.255
 permit ip 192.168.10.0 0.0.0.255 any

So when the issue occurred I didn't get any packets for the permit ACL, but I did get packets for the deny ACL and the rest of the unknown traffic.

Does it work better if you do:
monitor session 2 destination interface Gi1/0/20,Gi2/0/21 

Tried that, same thing happened :( Now my next approach would be: remove the ACL first, then bring the server online, make it part of the SPAN, and then apply the ACL filter again.

Let's see.

If you have any more suggestions, please do share.

Hi,

Can you run show monitor and share the result here?

Here is the output:

Session 2
---------
Type                   : Local Session
Source Ports           :
    Both               : Po1
Destination Ports      : Gi1/0/20,Gi2/0/21
    Encapsulation      : Native
          Ingress      : Disabled
IP Access-group        : ACL-Filter

Here is what I did that didn't cause the issue.

I made sure that the SPAN session only had the one port that was already working.

Connected the second server's NIC to the switch (the port came up).

Then I removed the ACL from the SPAN session.

Added the second port to the SPAN session.

Re-applied the ACL.

Carlos Villagran
Cisco Employee

Hi!

Can you please create 2 different ACLs with the same entries and try again?

This may be related to a TCAM issue.

Can you confirm if this helped?

Best regards!

JC

But how can I apply two different ACLs in the same SPAN session? Confused... Here is what I did that didn't cause the issue.

I made sure that the SPAN session only had the one port that was already working.

Connected the second server's NIC to the switch (the port came up).

Then I removed the ACL from the SPAN session.

Added the second port to the SPAN session.

Re-applied the ACL.

No issues reported. Now I am thinking about what will happen if one server reboots: will the ACL act strangely again? Can't tell right now. Will update if any such situation occurs. Unfortunately I can't test it, lots of escalations already going on due to the previous incident :)
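As an added example (not part of the thread or any poster's code), the following Python check parses the `show monitor` output posted above and evaluates constructed sample flows against the ACL-Filter entries, so you can state which flows each destination port should be receiving once Gi2/0/21 is part of the session. The flows and the ACE tuple layout are assumptions for illustration.

```python
import ipaddress

# Constructed from the thread: the SPAN filter ACL as (action, src, src_wildcard, dst, dst_wildcard).
ACL_FILTER = [
    ("deny",   "192.168.10.0", "0.0.0.255", "10.120.0.0", "0.0.255.255"),
    ("permit", "192.168.10.0", "0.0.0.255", "0.0.0.0",    "255.255.255.255"),  # dst "any"
]

# Constructed sample: the 'show monitor' output posted in the thread.
SHOW_MONITOR = """Session 2
---------
Type                   : Local Session
Source Ports           :
    Both               : Po1
Destination Ports      : Gi1/0/20,Gi2/0/21
    Encapsulation      : Native
          Ingress      : Disabled
IP Access-group        : ACL-Filter
"""

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care', so compare only the 0 bits."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def span_filter_permits(acl, src, dst):
    """First matching ACE wins; an unmatched flow hits the implicit deny and is not mirrored."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

def parse_show_monitor(text):
    """Extract destination ports and the filter ACL name from 'show monitor' output."""
    info = {"destinations": [], "filter_acl": None}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Destination Ports":
            info["destinations"] = [p.strip() for p in value.split(",") if p.strip()]
        elif key.strip() == "IP Access-group":
            info["filter_acl"] = value.strip()
    return info

def expected_per_destination(show_text, acl, flows):
    """Map each destination port to the (src, dst) flows the filter should deliver to it."""
    mirrored = [f for f in flows if span_filter_permits(acl, *f)]
    return {port: mirrored for port in parse_show_monitor(show_text)["destinations"]}
```

Comparing this expected set with what each sniffer actually captures makes the failure described above (deny and unmatched traffic arriving, permitted traffic missing) concrete and repeatable rather than a judgement call.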
