10-05-2012 03:57 AM - edited 03-07-2019 09:17 AM
Hi. I wonder if somebody could help with the following problem I'm having relating to RSPAN configuration.
Thanks in advance!
I’ve been tasked with SPANing traffic across our Cisco switch infrastructure in an office so we can mirror a subset of traffic to a single port.
The reason this is required is so we can present all voice traffic to a port connected to a voice recording server.
The network infrastructure I am currently using to test this set up is as follows:
- Primary 6509 distribution switch running IOS version: s72033-ipservices_wan-mz.122-33.SXH4.bin (hostname - RS03-6509E-DIST-ML-01)
- Secondary 6509 distribution switch running IOS version: s72033-ipservices_wan-mz.122-33.SXH4.bin (hostname - RS03-6509E-DIST-ML-02)
- The two switches are connected together via a statically configured VLAN trunk.
The configuration I have put in place to implement RSPAN is as shown here:
1 RS03-6509E-DIST-ML-01#
2
3 vlan 950
4 name RSPAN_VLAN_950
5 remote-span
6
7
8 interface Port-channel1
9 description **** L2 PORTCHANNEL TO DC2-6509-DIST-ML02 PORTS 3/47-48 4/47-48 ****
10 switchport
11 switchport trunk encapsulation dot1q
12 switchport trunk allowed vlan 32-36,38-42,44-47,140,144,950
13 switchport mode trunk
14
15 spanning-tree vlan 32,34,36,38-40,42,44,46,140,144,950 priority 16384
16
17 !
18 monitor session 1 type rspan-source
19 description ** RSPAN_SRC_SESSION **
20 source vlan 32 , 34 , 36
21 destination remote vlan 950
22 !
23 !
24 monitor session 11 type rspan-destination
25 description ** RSPAN_DST_SESSION **
26 source remote vlan 950
27 destination interface Gi7/10
28 !
29
30
31 RS03-6509E-DIST-ML-02#
32
33 !
34 vlan 950
35 name RSPAN_VLAN_950
36 remote-span
37 !
38 spanning-tree vlan 32,34,36,38-40,42,44,46,140,144,950 priority 8192
39
40 interface Port-channel1
41 description **** L2 PORTCHANNEL TO DC2-6509-DIST-ML012 PORTS 3/47-48 4/47-48 ****
42 switchport
43 switchport trunk encapsulation dot1q
44 switchport trunk allowed vlan 32-36,38-42,44-47,140,144,950
45 switchport mode trunk
46
47 !
48 monitor session 1 type rspan-source
49 description ** RSPAN_SRC_SESSION **
50 source vlan 32 , 34 , 36
51 destination remote vlan 950
52 !
53 !
54 monitor session 11 type rspan-destination
55 description ** RSPAN_DST_SESSION **
56 source remote vlan 950
57 destination interface Gi7/10
58 !
59 !
ISSUE –
The problem I have been experiencing is that the traffic which gets presented at the destination port on either distribution switch (Gig 7/10 on both) is not limited to the 3 x VLANs that I specified in the source lists (see lines 20 and 50). When sniffing either port (on either distribution 01 or 02) using Wireshark I’m seeing traffic for all VLANs present on the switches?
Any help understanding what’s wrong with this configuration would be much appreciated i.e. any advice as to how I can limit the traffic presented to port Gi7/10 to VLANs 32, 34 and 36 only?
Hope someone can help and thank you for reading my post,
Andy
10-05-2012 04:04 AM
Hello Andy,
you actually have two RSPAN sessions and you should use two separate remote SPAN Vlans like vlan 950 and 951.
RSPAN vlan has MAC address learning disabled so it should be used unidirectionally
RSPAN1 from 6909A to 6509B via vlan 950
RSPAN2 from C6509B to C6509A via vlan 951
Edit:
or you should use one RSPAN and one local SPAN with the constraint of putting the recording server only on one specific switch port.
I understand you would like to provide two monitoring ports one on each C6500 but it would require two RSPAN using a different RSPAN vlan and a local span on each device and one local SPAN.
Hope to help
Giuseppe
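A way to check a pair of switch configurations against the point made in the reply above, that each RSPAN VLAN should carry mirrored traffic in one direction only. This is an added example, not part of the thread; the function names are hypothetical and the stanzas are constructed, modelled on the monitor sessions posted at the top of the thread.

```python
import re
from collections import defaultdict

SESSION = re.compile(r"^monitor session (\d+) type (rspan-source|rspan-destination)$")
REMOTE = re.compile(r"^(destination|source) remote vlan (\d+)$")

def stanzas(src_id, dst_id, src_vlan, dst_vlan):
    """Constructed sample: one rspan-source and one rspan-destination stanza."""
    return (f"monitor session {src_id} type rspan-source\n"
            " source vlan 32 , 34 , 36\n"
            f" destination remote vlan {src_vlan}\n!\n"
            f"monitor session {dst_id} type rspan-destination\n"
            f" source remote vlan {dst_vlan}\n"
            " destination interface Gi7/10\n!\n")

def parse_sessions(config):
    """Return (session_id, role, rspan_vlan) for every RSPAN session found."""
    sessions, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        header, remote = SESSION.match(line), REMOTE.match(line)
        if header:
            current = [int(header.group(1)), header.group(2), None]
            sessions.append(current)
        elif line == "!":
            current = None            # "!" closes the stanza
        elif current and remote:
            current[2] = int(remote.group(2))
    return [tuple(s) for s in sessions]

def multi_source_vlans(configs):
    """Map each RSPAN VLAN fed by more than one switch to those switches."""
    feeders = defaultdict(set)
    for switch, text in configs.items():
        for _sid, role, vlan in parse_sessions(text):
            if role == "rspan-source" and vlan is not None:
                feeders[vlan].add(switch)
    return {v: sorted(s) for v, s in feeders.items() if len(s) > 1}

# Both switches source into VLAN 950, as in the first post.
ORIGINAL = {"RS03-6509E-DIST-ML-01": stanzas(1, 11, 950, 950),
            "RS03-6509E-DIST-ML-02": stanzas(1, 11, 950, 950)}
# One RSPAN VLAN per direction (950 one way, 951 the other).
SEPARATED = {"RS03-6509E-DIST-ML-01": stanzas(1, 11, 950, 951),
             "RS03-6509E-DIST-ML-02": stanzas(2, 12, 951, 950)}

if __name__ == "__main__":
    print(multi_source_vlans(ORIGINAL))
    print(multi_source_vlans(SEPARATED))
```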
10-05-2012 04:13 AM
Giuseppe,
Thanks for your comment.
No problem to implement that. While I was troubleshooting however I tried removing all configuration off switch 02 altogether - even with this done I still experienced the same issue?
any ideas?
Does the configuration look correct other than not using two separate RSPAN topologies?
Kind regards,
Andy
10-05-2012 04:20 AM
Hello Andy,
>> Does the configuration look correct other than not using two separate RSPAN topologies?
Yes, the configuration looks correct.
Hope to help
Giuseppe
10-05-2012 04:55 AM
Thank you.
I'll try what you recommended and see what the result is.
Andy
10-05-2012 07:10 AM
Hi there Giuseppe,
I configured the switches as you recommended (I think!)... I'm still seeing the same issue however, i.e. I'm seeing traffic from all VLANs on the SPAN port when using Wireshark??
Strangely, if I only configure one vlan source e.g. VLAN 32 then that is the only traffic that I see. As soon as I add more VLAN sources to the list then traffic from all VLANs start to show up in the Wireshark trace?
The configuration I've applied now is shown below.
DISTRIBUTION SW 01 -
vlan 951
name RSPAN_VLAN_951
remote-span
!
vlan 952
name RSPAN_VLAN_952
remote-span
spanning-tree vlan 951 priority 8192
spanning-tree vlan 952 priority 16384
interface Port-channel1
switchport trunk allowed vlan add 951
switchport trunk allowed vlan add 952
!
monitor session 1 type rspan-source
source vlan 32 , 34 , 36
destination remote vlan 951
!
!
monitor session 11 type rspan-destination
source remote vlan 951
destination interface Gi7/10
interface GigabitEthernet7/10
description ** VOICE RECORDING PORT **
switchport
speed 1000
duplex full
end
DISTRIBUTION SW 02 -
vlan 951
name RSPAN_VLAN_951
remote-span
!
vlan 952
name RSPAN_VLAN_952
remote-span
spanning-tree vlan 952 priority 8192
spanning-tree vlan 951 priority 16384
interface Port-channel1
switchport trunk allowed vlan add 951
switchport trunk allowed vlan add 952
monitor session 2 type rspan-source
source vlan 32 , 34 , 36
destination remote vlan 952
!
!
monitor session 12 type rspan-destination
source remote vlan 952
destination interface Gi7/10
interface GigabitEthernet7/10
description ** VOICE RECORDING PORT **
switchport
speed 1000
duplex full
end
10-05-2012 07:59 AM
Hello Andy,
>> source vlan 32 , 34 , 36
>>In lists, you must enter a space before and after the comma. In ranges, you must enter a space before and after the dash.
What if you use a range 32 - 36
I wonder if the vlan list has to be written in the following way without spaces
source vlan 32,34,36
as it happens when we configure the list of permitted vlans on a trunk
The fact that
source vlan 32
works correctly makes me think there is something wrong in the command syntax when specifying multiple vlans
Hope to help
Giuseppe
10-05-2012 08:12 AM
Thanks Giuseppe,
I'd love to say that had worked but unfortunately not.
Is it possible there is some global command that needs to be enabled and if not then do you think maybe start looking for a bug in IOS?
we're currently running -
disk1:/s72033-ipservices_wan-mz.122-33.SXH4.bin
Many Thanks,
Andy