Monitor Session on Catalyst 2960X Issue

oslopez · ‎03-09-2024

Hi,

I'm trying to replicate traffic in one catalyst 2960X port to feed it to a Linux VM to generate a graph of inbound/outbound traffic using Net data. So I came up with the following SPAN configuration (I'm just including the relevant lines):

vlan 220
 name RMT_SPAN_1
 remote-span
!
interface GigabitEthernet1/0/7
 description VLAN220 to vmnic3 Server 
 switchport trunk allowed vlan 220
 switchport mode trunk
!
monitor session 1 source interface Gi1/0/52 both
monitor session 1 destination remote vlan 220

Once everything is set up, I do receive the replicated traffic in the server, but instead of receive both Rx and Tx I receive all as Rx traffic only.

After generating tons of traffic in both directions, this is what is displayed in the server interface:

ens192: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::20c:29ff:fe26:39e0  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:26:39:e0  txqueuelen 1000  (Ethernet)
        RX packets 4270105  bytes 5441999363 (5.4 GB)
        RX errors 0  dropped 821  overruns 0  frame 0
        TX packets 38  bytes 5405 (5.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

As you can see, Rx total traffic is 5.4G and Tx traffic is 5.4K. So, all traffic is arriving as Rx and is not being separated as Rx or Tx. I have the same scenario using a Nexus 3K switch and in that case the traffic arrives to the server as it should: Rx or Tx.

This issue is causing that the Netdata graph only displays Rx traffic even if it's TX. Indeed I also tried the following config:

monitor session 1 source interface Gi1/0/52 Tx
monitor session 1 destination GigabitEthernet1/0/7

Only replicated Tx traffic but the server still received Rx traffic in the interface.

Is this an expected outcome or is there something that I'm missing?

Any help would be appreciated.

Switch: WS-C2960X-48TS-L

IOS: 15.0(2)EX4

Thank you

andrewswanson · ‎03-11-2024

Hi
Have you tried the following:

monitor session 1 source interface Gi1/0/52 both
monitor session 1 destination remote vlan 220
!
monitor session 2 source remote vlan 220
monitor session 2 destination interface g1/0/7

See https://bohemiangrove.co.uk/how-to-setup-cisco-port-mirroring-to-a-vm/

hth
Andy

oslopez · ‎03-11-2024

Thanks for your answer Andy, added the second monitoring session but unfortunately the issue persists. Just would like to add that in my topology there is only one switch where the replicating traffic is on port gig1/0/25 and the vmnic of the VM is connected to port gig1/0/7, all in the same switch.

balaji.bandi · ‎03-11-2024


Thanks for your answer Andy, added the second monitoring session but unfortunately the issue persists. Just would like to add that in my topology there is only one switch where the replicating traffic is on port gig1/0/25 and the vmnic of the VM is connected to port gig1/0/7, all in the same switch.

if all in same switch you do not remote vlan here i guess.

if the vmnic connected to 1/0/52 or 25 (since you mentioned 2 post different port numnbers)

you can replicate all data to 1/0/7

make sure on the VMWARE you configured allow in the configuration.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

oslopez · ‎03-12-2024

Hi Balaji,

yes, in order to rule out any physical port issue, I changed ports and stopped using RSPAN.

interface GigabitEthernet1/0/18
 description To  Link to NIC 6 NRM Server | SPAN_2 Traffic Monitoring
!
monitor session 3 source interface Gi1/0/1
monitor session 3 destination interface Gi1/0/18

First I checked port gig1/0/18 and is setup as monitor:

Switchw#sh int gig1/0/18                     
GigabitEthernet1/0/18 is up, line protocol is down (monitoring)

Then Performed an Inbound/Outbound speed test at testmy.net

The show interface summary showed the following outcome:

 GigabitEthernet1/0/16         0         0         0         0         0         0         0         0         0
  GigabitEthernet1/0/17         0         0         0         0         0         0         0         0         0
  GigabitEthernet1/0/18         0         0         0         0         0         0  43591000      4562         0
  GigabitEthernet1/0/19         0         0         0         0         0         0         0         0         0
  GigabitEthernet1/0/20         0         0         0         0         0         0         0         0         0

Which tells me that both Rx and Tx traffic are still being put as Rx.

I also changed the monitor scope from both to Rx only

monitor session 3 source interface Gi1/0/1 rx
monitor session 3 destination interface Gi1/0/18

and Tx only.

monitor session 3 source interface Gi1/0/1 tx
monitor session 3 destination interface Gi1/0/18

But after running the show interface summary, it shows that replicated traffic (Rx and Tx) is being put as Rx.

  GigabitEthernet1/0/17         0         0         0         0         0         0         0         0         0
  GigabitEthernet1/0/18         0         0         0       783         0         0  53588000      5476         0
  GigabitEthernet1/0/19         0         0         0         0         0         0         0         0         0

simon italy · ‎08-23-2024

Hi everybody,

I have problem with monitor session , its not available in switch in eve_ng, the image : i86bi-linux-l2-ipbas , iam trying to figure out how I can abilitate it on the SW , anybody can help me ?
thank you