Solved: Re: RSPAN only forwards broadcast traffic to destination port

pehi030670 · ‎12-18-2009

Hello all,

I have configured an RSPAN monitoring session on a 2950 switch. I have configured a remote-span VLAN from the VTP server switch, and checked on my monitoring source switch (VTP client in the domain) that the VLAN shows up as a remote-span VLAN.

I have configured the reflector port on the client, and the destination port and source remote-vlan on the server.

No matter what VLAN I assign to the destination port - remote-span VLAN, vlan of the monitored source-port, no VLAN id at all, I only get Broadcast and multicast traffic forwarded to my monitor (wireshark).

I've seen various discussions of this over the last coupe of years, but no definitive answe (e.g. https://supportforums.cisco.com/message/544295#147017)

Has anyone got any further thoughts?

Many thanks,

Pete

Giuseppe Larosa · ‎12-21-2009

Hello Pete,

RSPAN is supported only on enhanced image:

To use the RSPAN feature described in this section, you must have the EI installed on your switch. Follow these guidelines when configuring RSPAN:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/configuration/guide/swspan.html#wp1415108

what image have you got?

post sh ver | inc image

Hope to help

Giuseppe

View solution in original post

Giuseppe Larosa · ‎12-23-2009

Hello Pete,

you have been kind to provide a feedback on this issue.

Probably other people may meet the same problem.

Best Regards

Giuseppe

View solution in original post

Giuseppe Larosa · ‎12-21-2009

Hello Pete,

RSPAN is supported only on enhanced image:

To use the RSPAN feature described in this section, you must have the EI installed on your switch. Follow these guidelines when configuring RSPAN:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/configuration/guide/swspan.html#wp1415108

what image have you got?

post sh ver | inc image

Hope to help

Giuseppe

pehi030670 · ‎12-22-2009

Many thanks for replying Giuseppe - I have tried on 2950's running EI.

What is of note, is that if I configure a new trunk, while runnign a constant ping against a target on the monitored source port, I get a single solitary Unicast packet through when the new trunk transitions to "Up", then nothing - I have tried this several time and the behaviour is constant.

pehi030670 · ‎12-23-2009

OK, buried in one of the 2950 IOS release notes:

RSPAN Limitation

In a Remote Switched Port Analyzer (RSPAN) session, if at least one Catalyst 2950 switch is used as an

intermediate or destination switch

and if traffic for a port is monitored in both directions, traffic does

not reach the destination switch. (CSCdy38476)

These are the workarounds:

•

Use a Catalyst 3550 or Catalyst 6000 switch as an intermediate or destination switch.

•

Monitor traffic in only one direction if a Catalyst 2950 switch is used as an intermediate or

destination switch.

As soon as Iconfigure a 3750 as the destination for RSPAN it all works.

Giuseppe Larosa · ‎12-23-2009

Hello Pete,

you have been kind to provide a feedback on this issue.

Probably other people may meet the same problem.

Best Regards

Giuseppe

Paul Wedde · ‎05-19-2010

Hi Guys,

I know this thread is already answered but I have the same problem (only recieving Broadcast/Multicast) on my RSPAN session and I'm running it on all 6500's. All Switches are running Adv Enterprise IOS. Any ideas?

Giuseppe Larosa · ‎05-19-2010

Hello Paul,

have you configured the RSPAN vlan as rspan ?

something like:

conf t

vlan 999

remote-span

in all devices including intermediate switches

Hope to help

Giuseppe

Paul Wedde · ‎05-19-2010

Hi Giuseppe

I'm receiving the traffic but only Broadcast/Multicast so I take it that my RSPAN is working just that I'm not receiving all traffic.

The RSPAN VLAN is configured on 3 switches, The source, the intermediary and the destination. All 3 have "remote-span" enabled on the correct vlan which can be proven by running "show vlan remote-span". This does not show in the configuration as the VLANs are not configured at interface level.

I thought it might be the lack of the "reflector port" command on the source switch but the console would not accept this command and I have read somewhere that you only need the reflector port on some older or smaller switches.

Cheers.

Giuseppe Larosa · ‎05-19-2010

Hello Paul,

>> I thought it might be the lack of the "reflector port" command on the source switch but the console would not accept this command and I have read somewhere that you only need the reflector port on some older or smaller switches.

This is correct you don't need reflector port on C6500 switches

post sh monitor session all on first and last switch

Hope to help

Giuseppe

Paul Wedde · ‎05-19-2010

Only interested in Session 2 on both switches.

Source:

HOSTNAME#sh monitor session all
Session 2
---------
Type                   : Remote Source Session
Source Ports           :
    Both               : Gi1/1
Dest RSPAN VLAN        : 999

Egress SPAN Replication State:
Operational mode : Centralized
Configured mode : Centralized (default)

Session 9
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi2/1
Destination Ports      : Gi2/48

Egress SPAN Replication State:
Operational mode : Centralized
Configured mode : Centralized (default)

Destination:

HOSTNAME#sh monitor session all
Session 2
---------
Type                   : Remote Destination Session
Source RSPAN VLAN      : 999
Destination Ports      : Gi1/1

Why is the Egress SPAN Replication State missing here??

Session 3
---------
Type                   : Local Session
Source Ports           :
    Both               : Fa2/1
Destination Ports      : Gi1/2

Egress SPAN Replication State:
Operational mode       : Centralized
Configured mode        : Centralized (default)

FYI the config on the Destination switch is:

monitor session 2 destination interface Gi1/1
monitor session 2 source remote vlan 999

Paul Wedde · ‎05-19-2010

Also this:

HOSTNAME#sh monitor session remote detail
Session 2
---------
Type                   : Remote Destination Session
Description            : -
Source Ports           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source VLANs           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source RSPAN VLAN : 999
Destination Ports      : Gi1/1
Filter VLANs           : None
Dest RSPAN VLAN        : None
Source IP Address      : None
Source IP VRF          : None
Source ERSPAN ID       : None
Destination IP Address : None
Destination IP VRF     : None
Destination ERSPAN ID : None
Origin IP Address      : None
IP QOS PREC            : 0
IP TTL                 : 255

Giuseppe Larosa · ‎05-19-2010

Hello Paul,

what kind of supervisors and PFCs are in your switches?

take in account the following restrictions, there are more limits with sup2/PFC2

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/span.html#wp1033684

the show output shows correctly for session 2

Hope to help

Giuseppe

Paul Wedde · ‎05-19-2010

All Switches are Sup720, PFC3A.

I can not open that link.

Paul Wedde · ‎05-19-2010

I located the link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/span.html#wp1033684

...and I could not see any of these restrictions being hit.

Giuseppe Larosa · ‎05-19-2010

Hello Paul,

I agree there are some limitations for ERSPAN with PFC3A but not for RSPAN

I suppose you have checked that the RSPAN vlan is permitted on L2 trunks between the three switches or you are using dedicated links allowing the RSPAN vlan.

Hope to help

Giuseppe