Yes, I can see the captured traffic with Wireshark. I am doing RSPAN

Metro Ethernet network -> L3 port of 3560G (gi0/23 of SW1) ---- L2 connection (100M fiber) ----- 3560G (gi0/14 of SW2) - PC with wireshark

SW1

monitor session 2 source interface Gi0/23

monitor session 2 destination remote vlan 100

SW2

monitor session 1 source interface remote vlan 100

monitor session 1 destination interface Gi0/14

However, if I replace PC by 881, I cant see all traffic except multicast traffic in 881. If I use 1841 instead of 881, I even cant see any traffic.

Metro Ethernet network -> L3 port of 3560G (gi0/23 of SW1) ---- L2  connection (100Mbps fiber) ----- 3560G (gi0/14 of SW2, 100Mbps) - 1841/881

Kenny,

I am not very familiar with netflow on low end routers, however what I see (and I don't like at all) is a continuous speed mismatch between your links.

You did not add speed info between metro ethernet network and the first 3560, however I assume it goes at 1Gbps (you are using G0/23 as ingress port).

Then the speed reduces to 100Mbps on the l2 link between the 2 3560 and apparently it is 1Gbps again if you connect a PC or stays at 100mbps if you have the routers.

SPAN and RSPAN as highly susceptible to these speed mismatches between source and destination even when with low volume traffic. The reason is that burst of traffic cannot be accomodated if the egress interface is slower than the ingress and gets dropped after being replicated.

The symptoms you describe are not exactly matching this as it is weird that some traffic categories only get affected; however in order to perform some sensible investigation we need to be 100% sure that what you are doing is supposed to work well. For that I suggest you, if possible, to SPAN on the first 3560 on a destination port having the same speed of the ingress one. You could try and connect your routers there.

Or, you might checking for increasing port-asic drops on your 3560. You should check the destination ports (the one between SW1 and Sw2 on Sw1 and Go0/14 on sw2) by issuing 'show platform port-asic stats drop GigabitEthernet0/X' before and after you do a RSPAN capture.

Only after that we can move on and start netflow investigation on the routers... unless somebody else is able to add some useful info/comment on this already.

Riccardo

Riccardo,

Thank you for your quick advice. I did try to do SPAN on SW2. However, I get the similar result. My 1841/881 only has fastethernet port anyway.

When I enable SPAN, I see more traffic goto gi0/14 but I cant see more traffic on 1841/881.

3560G (gi0/14 of SW2) - 1841/881

Kevin, we really need to be sure that we don't have drops along the way.

have you checked the port-asic drops?

The fact that you have only fast ports on the routers is not good! SPAN/RSPAN on 3750/3560 switches on speed mismatching configurations are known to not be accurate and trustworthy.

Riccardo

When I connect my PC with wireshark, I can see all the expected traffic. Thus I guess the SPAN works.

your PC is connected at 1Gbps or 100Mbps?