06-05-2022 05:30 AM
Hi,
I'm have a SPAN session on a 6509E which has a number of VLAN's SPAN'd to two 10Gbps interfaces. This is working fine, but I would also like to include the 802.1Q VLAN tags on the captured packets so I can tell which VLAN each packet originated on. This doesn't seem to be happening by default and I can't find an option on the 'monitor' command which seems to include 802.1Q options
The 6509E is a VSS pair and is running "Cisco IOS Software, s2t54 Software (s2t54-IPSERVICESK9-M), Version 15.5(1)SY8, RELEASE SOFTWARE (fc3)"
The current monitor config is shown below.
Any ideas?
Session 1
---------
Type : Local Session
Status : Admin Enabled
Description :
Source VLANs :
RX Only : 2,160,290,300-319,321-322,362,399-400,404-405,408,411-427,600-602,605,607,702,705-706,708,712,714-717,721,855-856,860,863-865
Destination Ports : Te2/4/12,Te2/4/16
Egress SPAN Replication State:
Operational mode : Centralized
Configured mode : Centralized (default)
06-05-2022 05:56 AM - edited 06-05-2022 05:56 AM
Hi,
If the destination SPAN port is configured as follows:
monitor session 1 destination interface GigabitEthernet0/1
then the monitored frames will always be sent out the Gi0/1 interface as untagged.
If the destination SPAN port is configured as follows:
monitor session 1 destination interface GigabitEthernet0/1 encapsulation dot1q
then the monitored frames will always be sent out the Gi0/1 interface tagged with the VLAN they were received in. It does not matter whether the frames were originally received by the switch as tagged or untagged.
If the destination SPAN port is configured as follows:
monitor session 1 destination interface GigabitEthernet0/1 encapsulation replicate
then the monitored frames will be sent out the Gi0/1 interface in the form they have been received by the switch. If they were received as tagged then they will also be forwarded out Gi0/1 as tagged. If they were received as untagged then they will also be forwarded out Gi0/1 as untagged.
https://community.cisco.com/t5/switching/span-source-vlan-tag/td-p/2710253
06-05-2022 05:58 AM - edited 06-05-2022 05:58 AM
Are the 10Gbps destination ports configured as trunks ?
From the 6500 configuration guide -
"SPAN copies Layer 2 Ethernet frames, but SPAN does not copy source trunk port 802.1Q tags. You can configure destinations as trunks to send locally tagged traffic to the traffic analyzer."
which I take to mean if you configure destination ports as trunks you will see the tags but having never done it so can't say for sure.
Jon
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide