11-20-2009 07:30 AM - edited 03-06-2019 08:39 AM
I need to have a SPAN port forward VLAN tags. This is on a 6509 running 122-18.SXF15a.
Here's the current configuration for the port and the monitor session:
interface GigabitEthernet2/11
description Connected to Gigamon-1A port 9
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
end
monitor session 2 source vlan 54 , 260 , 801 - 805 , 900 - 936
monitor session 2 destination intrusion-detection-module 1 data-port 1
monitor session 2 destination interface Gi2/11
monitor session 2 destination interface Gi4/4 , Gi4/25 , Gi4/40
When I do a capture, I'm not seeing the tags.
What am I missing?
Thanks.
Jason
11-23-2009 06:15 AM
I'm going to bump this in the hopes that someone can help.
From what I have read, in theory, all I should need to do is have the destination port trunked. However, when I do a capture with tcpdump off of that destination port, I'm not seeing the VLAN tags.
Is there something else that I'm missing? I've removed the destination port from the monitor session and re-added it, but it did not help.
Any thoughts? I really need to fix this.
Thanks.
Jason
11-23-2009 09:08 AM
Hello Jason,
It should work if this is a local SPAN session.
Also, the device you connect to the monitor destination port plays a role: its NIC has to understand tagging.
Could you post a sh module so we can see exactly what type of PFC is on the chassis?
Hope to help
Giuseppe
11-25-2009 05:58 PM
Hi Jason
Your SPAN destination port needs to be a trunk port in order to preserve the 1Q tags,
i.e.
switchport
switchport mode trunk
02-21-2013 04:35 PM
I have been working on this exact issue. I configured my destination port as a trunk port as shown above, but it still did not pass VLAN tags. However, once I added "switchport nonegotiate", VLAN tags were captured in my monitor session.
For those playing at home, my successful config looks like this:
interface GigabitEthernet2/2
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
no ip address
monitor session 2 source vlan 45 - 50 , 182 , 190 , 260 , 300 - 306
monitor session 2 destination interface Gi2/2
11-25-2009 07:54 PM
monitor session 2 source vlan 54 , 260 , 801 - 805 , 900 - 936
monitor session 2 destination intrusion-detection-module 1 data-port 1
monitor session 2 destination interface Gi2/11
monitor session 2 destination interface Gi4/4 , Gi4/25 , Gi4/40
When I do a capture, I'm not seeing the tags.
What am I missing?
Thanks.
Jason
The sources are L3 interfaces and do not contain any tag information.
If you want to capture tags, you must span an 802.1q switchport.
Regards
Edison
02-21-2013 05:00 PM
Also verify whether you are using a Broadcom chip-based NIC card. They strip out (silently) the VLAN tags. You can either get yourself a cheap Realtek-based card (what I did) or try the following from the Wireshark FAQ:
05-29-2018 01:09 PM
Hi, I've had the same problem with our VLAN SPAN on our 6509, and believe me, it gave me a hard time before I found the solution:
The easiest part is that you have to add a replication of the VLAN tag for it to work, with this command:
monitor session egress replication-mode distributed
Also, curiously, the order in which you create your monitor session is important, in my experience. Once I had the replication, I had to remove the SPAN config on the interface and then re-apply it.
monitor session 2 source vlan 12 - 13
monitor session 2 source vlan 2271 , 2310
monitor session 2 destination interface Gi1/1/44
monitor session egress replication-mode distributed
interface GigabitEthernet1/1/44
description Span-To-Arista
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
Hope this helps, but I'm now having the same problem with Nexus 9000. I wish for a world where manufacturers will use the same code for every piece of equipment...
Francois Gervais