Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
556
Views
0
Helpful
3
Replies

monitor capture on calatyst 9500 l3 Subinterfaces

maamann
Level 1
Level 1

‎07-04-2023 05:42 AM

Hi 

is there a trick on catalyst 9500 L3 Subinterfaces to capture packets via the "monitor capture" feature ?

I tried to capture traffic from Interface 

!
interface TenGigabitEthernet1/0/11.3261
description tport / ETH-10577
encapsulation dot1Q 3261
ip vrf forwarding tport
ip address 192.168.66.1 255.255.255.252
ip pim query-interval 5
ip pim sparse-mode
ip ospf message-digest-key 1 md5 7 43523452345234523452345234523452345234523452345E
ip ospf network point-to-point
ip ospf hello-interval 5
ip ospf 4545451 area 10
end

and i used the commands

9500#show monitor capture TEST para
monitor capture TEST interface TenGigabitEthernet1/0/11 OUT
monitor capture TEST interface TenGigabitEthernet1/0/11.3265 OUT
monitor capture TEST class-map class-default
monitor capture TEST buffer size 100
monitor capture TEST limit pps 10000
9500#

used the interfaces in any variation , tried the vlan number as capture interace ,  tried some other match criteria and ANY as well, but it willnot capture my packets.

If i use a Switchport trunk interfaces everyting works fine. Is there a limitation for L3 Sub-Interfaces or something else ?

 

Labels:
0 Helpful
3 Replies 3

Flavio Miranda
VIP
VIP

‎07-04-2023 05:46 AM

Hi @maamann 

 The problem is related to the VRF

"Neither VRFs, management ports, nor private VLANs can be used as attachment points."

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-6/command_reference/b_166_9500_cr/b_166_9500_cr_chapter_01001.html

 

0 Helpful

maamann
Level 1
Level 1
In response to Flavio Miranda

‎07-04-2023 05:56 AM - edited ‎07-04-2023 06:56 AM

Hi Flavio

yes , but i don´t use the vrf as a source, the Interface like i would interpret the doc like this.

monitor capture TESt interface vrf tport 

that captures everyting from the vrf to the buffer.

And on the other hand i would expect that the capture is working on the Main interface beause , this one sees only the L2 Dot1q packets and knows nothing from the vrf.

a classical monitor session is working in this case , so i would assume that it works with monitor capture as well  because i can not Imagine that cisco uses to different processes to send packets to the destination if capture monitor is used or monitor session ...... is used

 

0 Helpful

Flavio Miranda
VIP
VIP
In response to maamann

‎07-04-2023 06:16 AM

The doc states attachement not source.   I would try to remove the VRF just to make sure.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card