RSPAN on 2950 SI

pasztor.richard
Level 1

Dear all,

I am trying to configure RSPAN between two 2950 SI switches (I did not see any reference that SI does not support RSPAN source/destination, so I suppose it should work)

source: SW1 \ PC1 (connected on SW1's Fa0/24, access port in VLAN1)

destination: SW2 \ PC2 (connected on SW2's Fa0/16, access port in VLAN1)

reflector port: SW1 \ Fa0/3 (access port in VLAN1)

RSPAN VLAN: 20

SW1 -------- SW2

|                  |

PC1            PC2

SW1 config:

monitor session 1 source interface Fa0/24

monitor session 1 destination remote vlan 20 reflector-port Fa0/3

sh vlan:

20   RSPAN                            active

..

Remote SPAN VLANs

---------------------------------

20

SW1: show monitor session 1

Session 1

---------

Type              : Remote Source Session

Source Ports      :

    Both          : Fa0/24

Reflector Port    : Fa0/3

Dest RSPAN VLAN   : 20

----------------------------------------------------

SW2 config:

monitor session 1 destination interface Fa0/16

monitor session 1 source remote vlan 20

sh vlan:

20   RSPAN                            active

..

Remote SPAN VLANs

------------------------------------------------------------------------------

20

SW2: show monitor session 1

Session 1

---------

Type              : Remote Destination Session

Source RSPAN VLAN : 20

Destination Ports : Fa0/16

    Encapsulation : Native

          Ingress: Disabled

There is a trunk port between SW1 and SW2, RSPAN VLAN 20 is not disallowed/pruned.

switch2#sh int trunk

Port        Mode         Encapsulation  Status        Native vlan

Fa0/1       desirable    802.1q         trunking      1

Port      Vlans allowed on trunk

Fa0/1       1-4094

Port        Vlans allowed and active in management domain

Fa0/1       1,20

Port        Vlans in spanning tree forwarding state and not pruned

Fa0/1       1,20

When I generate traffic on source port --> reflector port seems to blink as fast as the source port. The trunk between the 2 switches seems to be forwarding traffic as well, however the destination port does not blink with the same frequency, so I believe it is not receiving the monitored traffic.

Peter Paluch
Cisco Employee

Hello Richard,

Your configuration seems to be correct. I would personally not bother too much about the rate of LED blinking. The first and foremost indication of a working RSPAN is that you can see the traffic on the destination port that is being captured on other switches and their source ports. Have you verified this?

Best regards,

Peter

Peter: of course I verified that the destination is not receiving monitored traffic (Wireshark running in promiscuous mode at PC2)

Richard,

I apologize. Your original post did not mention anything about the traffic being or not being captured. I did not mean to offend you by suggesting obvious things.

According to what I see here, the VLAN20 is created on both switches, it is marked as RSPAN VLAN, and is allowed on the trunk on Sw2. Is it also allowed on the trunk on Sw1? You have not posted the sh int trunk output from Sw1.

Also please try posting the output of show span vlan 20 from both switches. Thank you!

Best regards,

Peter

Peter, you are trying to help me, which I greatly appreciate. You didn't insult me.

switch1#show int trunk

Port        Mode         Encapsulation  Status        Native vlan

Fa0/1       desirable    802.1q         trunking      1

Port      Vlans allowed on trunk

Fa0/1       1-4094

Port        Vlans allowed and active in management domain

Fa0/1       1,20

Port        Vlans in spanning tree forwarding state and not pruned

Fa0/1       1,20

switch1#sh spanning-tree vlan 20

VLAN0020

  Spanning tree enabled protocol rstp

  Root ID    Priority    32788

             Address     0017.94d4.7680

             Cost        19

             Port        1 (FastEthernet0/1)

             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)

             Address     001b.5367.7680

             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------

Fa0/1            Root FWD 19        128.1    P2p Peer(STP)

switch2#show spanning-tree vlan 20

VLAN0020

  Spanning tree enabled protocol ieee

  Root ID    Priority    32788

             Address     0017.94d4.7680

             This bridge is the root

             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)

             Address     0017.94d4.7680

             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------

Fa0/1            Desg FWD 19        128.1    P2p

Hi Richard,

This issue is most interesting. Although it should not have anything in common with the RSPAN, would you mind running RSTP on both your switches? Currently, Sw2 is running STP while Sw1 runs RSTP.

In addition, I suggest making another experiment if possible: try configuring another port on the Sw1 as a trunk port. Connect a PC to this port and use Wireshark to capture packets. Do not modify the RSPAN configuration. If Sw1 is correctly reflecting captured traffic into RSPAN VLAN 20, you should be able to see it on the newly created trunk port (captured traffic is always flooded in the RSPAN VLAN). Or even better, connect the PC with the Wireshark directly to the Fa0/1 on Sw1 and check whether the captured traffic is indeed flooded via this port.

Best regards,

Peter

I changed SW2 to RSTP --> same result

I added a 2nd trunk port on SW1 --> plugged PC2 into this new trunk port --> I can see the captured traffic.

Richard,

Very well. So the traffic is positively being captured and flooded into RSPAN VLAN20.

Now please connect Sw1 back to Sw2, create a new trunk port on Sw2 and connect the PC with Wireshark there. Let us see if the captured traffic in VLAN20 passes through the trunk and is flooded over all trunks on Sw2.

Best regards,

Peter

Added a new trunk port on SW2, plugged PC2 into the new trunk port: I don't see the flooded traffic there.

Hello Richard,

This is where it starts to be interesting. Let us assume that the traffic is correctly tagged using VLAN ID 20 and that it comes to Sw2 via the Fa0/1 trunk port.

A couple of suggestions:

  1. Your Fa0/1 ports do not seem to be statically configured as trunks. You are running them in their default configuration, as the sh int trunk says they are working in dynamic desirable mode. Please correct this and use the switchport mode trunk on both Fa0/1 interfaces to force them to operate as static trunks. This may have nothing to do with our issue but let's avoid some corner cases here.
  2. Try removing the destination RSPAN session altogether on the Sw2, delete and recreate the VLAN 20 without marking it as RSPAN VLAN. Simply leave it as a common VLAN. Then check whether the traffic in VLAN 20 is flooded over an additional static trunk port on the Sw2 to your PC. The flooding should take place if you capture broadcast or unknown multicast traffic on Sw1. Do not modify RSPAN configuration on Sw1. By this experiment, I want to make sure that Sw2 is correctly receiving and forwarding the traffic in VLAN 20.
  3. After this communication is verified to work, recreate the RSPAN configuration on Sw2. Check whether the issue still remains.

Best regards,

Peter

Changing from dynamic desirable to static trunk didn't solve it either.

Although I noticed something very strange: I started the Wireshark capture when PC2 NIC was in disconnected state. After this, I connected the NIC to SW2's monitor destination port. For 30-35 seconds I do not see any captured traffic. But after this, I can capture 4-5 pings (continuous ping has been started on PC1, I try to capture this ping traffic on PC2). However, after 4-5 packets, no additional pings are captured. If I disconnect PC2 and reconnect, I can repeat this behavior.

I have not yet tried re-creating the monitoring config and VLANs.

Richard,

Just to be sure that the STP is not making some weird things, please enter the following commands on the both switches in the global config mode

no spanning-tree vlan 1-4094

Then repeat your experiment.

Best regards,

Peter

Disabling STP didn't solve it either.

I am really hoping somebody can confirm if a 2950 with Standard image should work as both the source and the destination of an RSPAN session.

Richard,

It seems that you are hit by the bug CSCdy38476. The Release notes for IOS 12.1(22)EA14 say:

In a Remote Switched Port Analyzer (RSPAN) session, if at least one switch is used as an intermediate or destination switch and if traffic for a port is monitored in both directions, traffic does not reach the destination switch.

These are the workarounds:

Use a Catalyst 3550 or Catalyst 6000 switch as an intermediate or destination switch.

Monitor traffic in only one direction if a Catalyst 2950 switch is used as an intermediate or destination switch. (CSCdy38476)

The corresponding bug description says:

A Catalyst 2950 switch may not RSPAN traffic correctly. This is due to an ASIC limitation specific to the 2950 platform.

Workaround:

RSPAN will function as expected under the following scenarios:

- Scenario1 (2950s as source, destination, and intermediate switches): RSPAN is supported if there is 1 source port, and the SPAN session is configured as RX only or TX only.

- Scenario2 (2950 as the source switch, and the destination/intermediate switches are another Cisco platform that supports RSPAN): RSPAN is supported with multiple sources, and the SPAN session can be configured as RX only, TX only or Both.

- Scenario3 (2950 as destination switch, and the source/intermediate switches are another Cisco platform that supports RSPAN): RSPAN is supported if there is 1 source port, and the SPAN session is configured as RX only or TX only.

- Scenario4 (2950 as intermediate switch for any Cisco platform that supports RSPAN): RSPAN is supported if there is 1 source port, and the SPAN session is configured as RX only or TX only.

Can you try modifying your RSPAN config to meet these limitations?

Best regards,

Peter
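
A check of `show monitor session` output from the source switch against the workaround conditions quoted in the reply above, as an added example that is not part of the thread and not Cisco tooling. The function names are hypothetical, and the `RX Only`/`TX Only` labels and the `Fa0/1-3` range form are assumptions about the output format.

```python
import re

SW1_OUTPUT = """\
Session 1
---------
Type              : Remote Source Session
Source Ports      :
    Both          : Fa0/24
Reflector Port    : Fa0/3
Dest RSPAN VLAN   : 20
"""  # source-switch output as posted in the thread (SW1, session 1)

def expand(port_list):
    """Expand 'Fa0/1-3,Fa0/24' into single port names (range form assumed)."""
    ports = []
    for item in filter(None, (p.strip() for p in port_list.split(","))):
        m = re.fullmatch(r"(.*?/)(\d+)-(\d+)", item)
        if m:
            ports += [f"{m[1]}{n}" for n in range(int(m[2]), int(m[3]) + 1)]
        else:
            ports.append(item)
    return ports

def parse_sources(output):
    """Return {direction: [ports]} from the 'Source Ports' section."""
    sources, in_section = {}, False
    for line in filter(str.strip, output.splitlines()):  # skip blank lines
        if line.startswith("Source Ports"):
            in_section = True
        elif in_section:
            m = re.match(r"\s+(RX Only|TX Only|Both)\s*:\s*(.+)", line)
            if not m:
                break  # first non-indented field ends the section
            sources.setdefault(m[1], []).extend(expand(m[2]))
    return sources

def check_2950_rspan(output, downstream_is_2950=True):
    """List violations of the CSCdy38476 workaround conditions."""
    if "Remote Source Session" not in output or not downstream_is_2950:
        # Scenario 2, or not an RSPAN source session: no restriction quoted
        return []
    sources = parse_sources(output)
    ports = {p for plist in sources.values() for p in plist}
    findings = []
    if "Both" in sources:
        findings.append("monitored in both directions: " + ",".join(sources["Both"]))
    if len(ports) > 1:
        findings.append(f"{len(ports)} source ports, only 1 is supported")
    return findings
```

Run against the SW1 output from the original post, it reports the `Both` direction on Fa0/24, which is the condition the release note describes.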

Great job, that was the issue! Thank you very much, I would not think of reading through that lengthy caveat list...

I would have expected the SCG for 2950 to mention such a caveat, as a limitation in the RSPAN config section.
