10-15-2011 01:45 AM - edited 03-07-2019 02:49 AM
Dear all,
I am trying to configure RSPAN between two 2950 SI switches (I did not see any reference that SI does not support RSPAN source/destination, so I suppose it should work)
source: SW1 \ PC1 (connected on SW1's Fa0/24, access port in VLAN1)
destination: SW2 \ PC2 (connected on SW2's Fa0/16, access port in VLAN1)
reflector port: SW1 \ Fa0/3 (access port in VLAN1)
RSPAN VLAN: 20
SW1 -------- SW2
 |            |
PC1          PC2
SW1 config:
monitor session 1 source interface Fa0/24
monitor session 1 destination remote vlan 20 reflector-port Fa0/3
sh vlan:
20 RSPAN active
..
Remote SPAN VLANs
---------------------------------
20
SW1: show monitor session 1
Session 1
---------
Type : Remote Source Session
Source Ports :
Both : Fa0/24
Reflector Port : Fa0/3
Dest RSPAN VLAN : 20
----------------------------------------------------
SW2 config:
monitor session 1 destination interface Fa0/16
monitor session 1 source remote vlan 20
sh vlan:
20 RSPAN active
..
Remote SPAN VLANs
------------------------------------------------------------------------------
20
SW2: show monitor session 1
Session 1
---------
Type : Remote Destination Session
Source RSPAN VLAN : 20
Destination Ports : Fa0/16
Encapsulation : Native
Ingress: Disabled
There is a trunk port between SW1 and SW2, RSPAN VLAN 20 is not disallowed/pruned.
switch2#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 desirable 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1-4094
Port Vlans allowed and active in management domain
Fa0/1 1,20
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,20
When I generate traffic on source port --> reflector port seems to blink as fast as the source port
the trunk between the 2 switches seems to be forwarding traffic as well, however the destination port
does not blink with the same frequency, so I believe it is not receiving the monitored traffic.
10-15-2011 01:49 AM
Hello Richard,
Your configuration seems to be correct. I would personally not bother too much about the rate of LED blinking. The first and foremost indication of a working RSPAN is that you can see the traffic on the destination port that is being captured on other switches and their source ports. Have you verified this?
Best regards,
Peter
10-15-2011 01:56 AM
Peter: of course I verified that the destination is not receiving monitored traffic (Wireshark running in promiscuous mode at PC2)
10-15-2011 02:02 AM
Richard,
I apologize. Your original post did not mention anything about the traffic being or not being captured. I did not mean to offend you by suggesting obvious things.
According to what I see here, the VLAN20 is created on both switches, it is marked as RSPAN VLAN, and is allowed on the trunk on Sw2. Is it also allowed on the trunk on Sw1? You have not posted the sh int trunk output from Sw1.
Also please try posting the output of show span vlan 20 from both switches. Thank you!
Best regards,
Peter
10-15-2011 02:28 AM
Peter, you are trying to help me, which I greatly appreciate. You didn't insult me.
switch1#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 desirable 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1-4094
Port Vlans allowed and active in management domain
Fa0/1 1,20
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,20
switch1#sh spanning-tree vlan 20
VLAN0020
Spanning tree enabled protocol rstp
Root ID Priority 32788
Address 0017.94d4.7680
Cost 19
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32788 (priority 32768 sys-id-ext 20)
Address 001b.5367.7680
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Root FWD 19 128.1 P2p Peer(STP)
switch2#show spanning-tree vlan 20
VLAN0020
Spanning tree enabled protocol ieee
Root ID Priority 32788
Address 0017.94d4.7680
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32788 (priority 32768 sys-id-ext 20)
Address 0017.94d4.7680
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
10-15-2011 02:43 AM
Hi Richard,
This issue is most interesting. Although it should not have anything in common with the RSPAN, would you mind running RSTP on both your switches? Currently, Sw2 is running STP while Sw1 runs RSTP.
In addition, I suggest making another experiment if possible: try configuring another port on the Sw1 as a trunk port. Connect a PC to this port and use Wireshark to capture packets. Do not modify the RSPAN configuration. If Sw1 is correctly reflecting captured traffic into RSPAN VLAN 20, you should be able to see it on the newly created trunk port (captured traffic is always flooded in the RSPAN VLAN). Or even better, connect the PC with the Wireshark directly to the Fa0/1 on Sw1 and check whether the captured traffic is indeed flooded via this port.
Best regards,
Peter
10-15-2011 03:05 AM
I changed SW2 to RSTP --> same result
I added a 2nd trunk port on SW1 --> plugged PC2 into this new trunk port --> I can see the captured traffic.
10-15-2011 03:10 AM
Richard,
Very well. So the traffic is positively being captured and flooded into RSPAN VLAN20.
Now please connect Sw1 back to Sw2, create a new trunk port on Sw2 and connect the PC with Wireshark there. Let us see if the captured traffic in VLAN20 passes through the trunk and is flooded over all trunks on Sw2.
Best regards,
Peter
10-15-2011 03:16 AM
Added a new trunk port on SW2, plugged PC2 into the new trunk port: I don't see the flooded traffic there.
10-15-2011 03:25 AM
Hello Richard,
This is where it starts to be interesting. Let us assume that the traffic is correctly tagged using VLAN ID 20 and that it comes to Sw2 via the Fa0/1 trunk port.
A couple of suggestions:
Best regards,
Peter
10-15-2011 03:53 AM
Changing from dynamic desirable to static trunk didn't solve it either.
Although I noticed something very strange: I started the Wireshark capture when PC2's NIC was in disconnected state. After this, I connected the NIC to SW2's monitor destination port. For 30-35 seconds I do not see any captured traffic. But after this, I can capture 4-5 pings (continuous ping has been started on PC1, I try to capture this ping traffic on PC2). However, after 4-5 packets, no additional pings are captured. If I disconnect PC2 and reconnect, I can repeat this behavior.
I have not yet tried re-creating the monitoring config and VLANs.
10-15-2011 04:01 AM
Richard,
Just to be sure that the STP is not making some weird things, please enter the following commands on both switches in the global config mode:
no spanning-tree vlan 1-4094
Then repeat your experiment.
Best regards,
Peter
10-15-2011 04:21 AM
Disabling STP didn't solve it either.
I am really hoping somebody can confirm if a 2950 with Standard image should work as both the source and the destination of an RSPAN session.
10-15-2011 04:49 AM
Richard,
It seems that you are hit by the bug CSCdy38476. The Release notes for IOS 12.1(22)EA14 say:
In a Remote Switched Port Analyzer (RSPAN) session, if at least one switch is used as an intermediate or destination switch and if traffic for a port is monitored in both directions, traffic does not reach the destination switch.
–Use a Catalyst 3550 or Catalyst 6000 switch as an intermediate or destination switch.
–Monitor traffic in only one direction if a Catalyst 2950 switch is used as an intermediate or destination switch. (CSCdy38476)
The corresponding bug description says:
A Catalyst 2950 switch may not RSPAN traffic correctly. This is due
to an ASIC limitation specific to the 2950 platform.
Workaround:
RSPAN will function as expected under the following scenarios:
- Scenario1 (2950's as source, destination, and intermediate switches):
RSPAN is supported if there is 1 source port, and the SPAN session is
configured as RX only or TX only.
- Scenario2 (2950 as the source switch, and the destination/intermediate
switches are another Cisco platform that supports RSPAN):
RSPAN is supported with multiple sources, and the SPAN session can be
configured as RX only, TX only or Both
- Scenario3 (2950 as destination switch, and the source/intermediate
switches are another Cisco platform that supports RSPAN):
RSPAN is supported if there is 1 source port, and the SPAN session is
configured as RX only or TX only.
- Scenario4 (2950 as intermediate switch for any Cisco platform that
supports RSPAN):
RSPAN is supported if there is 1 source port, and the SPAN session is
configured as RX only or TX only.
Can you try modifying your RSPAN config to meet these limitations?
Best regards,
Peter
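Added example, not part of the original thread and not Cisco tooling: a small Python check that applies the workaround scenarios from the bug description quoted above to `show monitor session` output from a source switch. The function names and the `downstream_2950` flag are assumptions of this example, and the `RX Only` sample is constructed.

```python
# Constructed sample: the SW1 "show monitor session 1" output from the thread.
SW1_BOTH = """\
Session 1
---------
Type : Remote Source Session
Source Ports :
Both : Fa0/24
Reflector Port : Fa0/3
Dest RSPAN VLAN : 20
"""
# Constructed: the same session once the source is re-entered in one direction,
# e.g. "monitor session 1 source interface Fa0/24 rx".
SW1_RX = SW1_BOTH.replace("Both : Fa0/24", "RX Only : Fa0/24")

DIRECTIONS = {"rx only": "rx", "tx only": "tx", "both": "both"}

def parse_sources(show_output):
    """Return {direction: [ports]} from the 'Source Ports' part of the output."""
    sources = {}
    for line in show_output.splitlines():
        key, sep, value = line.partition(":")
        direction = DIRECTIONS.get(key.strip().lower())
        if sep and direction and value.strip():
            sources[direction] = [p.strip() for p in value.split(",")]
    return sources

def cscdy38476_findings(show_output, downstream_2950):
    """Check a source session against the quoted workaround scenarios.

    downstream_2950: True when a Catalyst 2950 is the destination or an
    intermediate switch for this RSPAN VLAN (scenarios 1, 3 and 4).
    """
    if "Remote Source Session" not in show_output or not downstream_2950:
        return []  # scenario 2, or not an RSPAN source session
    sources = parse_sources(show_output)
    findings = []
    if "both" in sources:
        findings.append("monitored in both directions: " + ", ".join(sources["both"]))
    ports = {p for plist in sources.values() for p in plist}
    if len(ports) > 1:
        findings.append("more than one source port: " + ", ".join(sorted(ports)))
    return findings

if __name__ == "__main__":
    print(cscdy38476_findings(SW1_BOTH, downstream_2950=True))
    print(cscdy38476_findings(SW1_RX, downstream_2950=True))
```

Port ranges such as `Fa0/1-3` are treated as a single entry by this parser, so expand them before relying on the source-port count.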
10-15-2011 05:35 AM
Great job, that was the issue! Thank you very much, I would not think of reading through that lengthy caveat list...
I would have expected the SCG for 2950 to mention such a caveat, as a limitation in the RSPAN config section.