cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
433
Views
0
Helpful
2
Replies

6509 SPAN Session

BlueyVIII
Level 1
Level 1

Hi,

I'm have a SPAN session on a 6509E which has a number of VLAN's SPAN'd to two 10Gbps interfaces. This is working fine, but I would also like to include the 802.1Q VLAN tags on the captured packets so I can tell which VLAN each packet originated on. This doesn't seem to be happening by default and I can't find an option on the 'monitor' command which seems to include 802.1Q options

 

The 6509E is a VSS pair and is running "Cisco IOS Software, s2t54 Software (s2t54-IPSERVICESK9-M), Version 15.5(1)SY8, RELEASE SOFTWARE (fc3)"

 

The current monitor config is shown below.

 

Any ideas?

 

Session 1
---------
Type : Local Session
Status : Admin Enabled
Description : 
Source VLANs :
RX Only : 2,160,290,300-319,321-322,362,399-400,404-405,408,411-427,600-602,605,607,702,705-706,708,712,714-717,721,855-856,860,863-865
Destination Ports : Te2/4/12,Te2/4/16

Egress SPAN Replication State:
Operational mode : Centralized
Configured mode : Centralized (default)

2 Replies 2

pman
Spotlight
Spotlight

Hi,

 

If the destination SPAN port is configured as follows:

monitor session 1 destination interface GigabitEthernet0/1

then the monitored frames will always be sent out the Gi0/1 interface as untagged.

 

If the destination SPAN port is configured as follows:

monitor session 1 destination interface GigabitEthernet0/1 encapsulation dot1q

then the monitored frames will always be sent out the Gi0/1 interface tagged with the VLAN they were received in. It does not matter whether the frames were originally received by the switch as tagged or untagged.

 

If the destination SPAN port is configured as follows:

monitor session 1 destination interface GigabitEthernet0/1 encapsulation replicate

then the monitored frames will be sent out the Gi0/1 interface in the form they have been received by the switch. If they were received as tagged then they will also be forwarded out Gi0/1 as tagged. If they were received as untagged then they will also be forwarded out Gi0/1 as untagged.

 

https://community.cisco.com/t5/switching/span-source-vlan-tag/td-p/2710253

Jon Marshall
Hall of Fame
Hall of Fame

 

Are the 10Gbps destination ports configured as trunks ? 

 

From the 6500 configuration guide - 

 

"SPAN copies Layer 2 Ethernet frames, but SPAN does not copy source trunk port 802.1Q tags. You can configure destinations as trunks to send locally tagged traffic to the traffic analyzer."

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/span_rspan_erspan.html

 

which I take to mean if you configure destination ports as trunks you will see the tags but having never done it so can't say for sure. 

 

Jon

Review Cisco Networking for a $25 gift card