RSPAN through a Nexus 5010 pair

Russell Gibbons · ‎06-08-2015

I had a port-channel from a 6509 VSS pair into a 4948 that was monitoring a remote vlan into a physical port. Due to a physical layout change, the connection is now from the 6509 VSS pair into a pair of Nexus 5010's - which each have a port-channel back to the VSS pair, and a vpc link between them - and then via vpc link to the 4948. Essentially, fiber endpoint from the 4948 was moved from the 6509 pair to the nexus pair. The monitor appears to no longer be working, or at best working intermittently. Since the remote vlan is 1025, I added it to both Nexi manually, and configured it to be a remote-span. Is this not supposed to work this way? I have to think that if there is an issue it must be on the Nexus at this point.

TIA,

Russell

Madhukrishnan Gopinathan Nair · ‎06-08-2015

Hello Russel,

Could you please draw simple diagram for this and share. Where exactly the ports you are monitoring(source ports) and where is your actual destination ports. if you can show me a diagram it would have been much easier to understand it better. You are right, if you are doing rspan, then you need to define it as remote span under vlan config and ofcourse under vpc set up, you need to define on both pairs. May be a quick thought. are you allowing this vlan on vpc peer-link.

Thanks,

Madhu

Russell Gibbons · ‎06-08-2015

I'm not *not* allowing any vlans on the peer-link, but they do not show up in 'sh int trunk' on the ports in question under the 'Vlans in spanning tree forwarding state and not pruned', which leads me to believe that they ARE being pruned dynamically. BUT, 'sh vlan' shows it active in the appropriate ports, e.g. the port channel back to the core, the port channel vpc link, and the port channel to the destination 4948. Diagram in attached pic.

Madhukrishnan Gopinathan Nair · ‎06-08-2015

Hi Russel,

Could you please share the associated config also from these boxes ?

Thanks,

Madhu

Russell Gibbons · ‎06-08-2015

Source 4948
vlan 1025
name NitroSQL
remote-span
!
monitor session 2 source vlan 18
monitor session 2 destination remote vlan 1025

VSS pair

vlan 1025
name NitroSQL
remote-span
end

interface Port-channel36
description Source 4948
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
load-interval 30
mls qos trust dscp
ip dhcp snooping trust
end

interface Port-channel50
description Connection to Nexus 1
switchport
switchport trunk encapsulation dot1q
switchport trunk pruning vlan none
switchport mode trunk
switchport nonegotiate
load-interval 30
mls qos trust dscp
end
interface Port-channel51
description Connection to Nexus 2
switchport
switchport trunk encapsulation dot1q
switchport trunk pruning vlan none
switchport mode trunk
switchport nonegotiate
load-interval 30
mls qos trust dscp
end

Nexus 1
vlan 1025
name NitroSQL
remote-span
interface port-channel820
description Destination 4948
switchport mode trunk
vpc 820
speed 10000
interface Ethernet1/15
switchport mode trunk
channel-group 820

Nexus 2
vlan 1025
name NitroSQL
remote-span
interface port-channel820
description Destination 4948
switchport mode trunk
vpc 820
speed 10000
interface Ethernet1/15
switchport mode trunk
channel-group 820

Destination 4948
vlan 1025
name NitroSQL
remote-span
!
interface GigabitEthernet1/10
description Nitro SQL span port
switchport mode access
qos trust cos
auto qos voip trust
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
spanning-tree portfast
spanning-tree bpduguard enable
service-policy output autoqos-voip-policy
end
monitor session 1 destination interface Gi1/10
monitor session 1 source remote vlan 1025

Madhukrishnan Gopinathan Nair · ‎06-08-2015

Hi Russel,

The configuration looks correct to me

We will check this further.

Thanks,

Madhu

Madhukrishnan Gopinathan Nair · ‎06-08-2015

I think we missed the config on Nexus boxes towards the 6500 VSS..can you share the config too.

Thanks,

M

Madhukrishnan Gopinathan Nair · ‎06-08-2015

Also are the VPC's up?

Can you also check sh vpc and see these vlans allowed under peer-link under sh vpc

Thanks

Madhu

Russell Gibbons · ‎06-08-2015

I would also like to point out that packets are incrementing on the egress port on the destination 4948, but the appliance is not seeing the packets.

Nexus 1
interface port-channel1
description Core
switchport mode trunk
speed 10000
interface Ethernet1/19
switchport mode trunk
logging event port link-status
logging event port trunk-status
channel-group 1

interface Ethernet1/20
switchport mode trunk
logging event port link-status
logging event port trunk-status
channel-group 1

vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ --------------------------------------------------
1 Po10 up 1-13,18,20-22,24-32,35-37,42,45,50,54,60,69-71,77,
80,91,98,111-116,121-125,131-132,141,181-184,189,1
91,195,201,206-216,221-225,228,241-242,251,270,277
,300,320-321,400-403,405,420-422,424-427,499-503,5
10-513,554,570-571,575,700-702,704,900-901,920,1025
820 Po820 up success success 1-13,18,20-
22,24-32,35
-37,42,45,5
0,54,60,69-
71,77,8....
Nexus 2
interface port-channel1
description Core
switchport mode trunk
speed 10000
interface Ethernet1/19
switchport mode trunk
logging event port link-status
logging event port trunk-status
channel-group 1

interface Ethernet1/20
switchport mode trunk
logging event port link-status
logging event port trunk-status
channel-group 1

vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ --------------------------------------------------
1 Po10 up 1-13,18,20-22,24-32,35-37,42,45,50,54,60,69-71,77,
80,91,98,111-116,121-125,131-132,141,181-184,189,1
91,195,201,206-216,221-225,228,241-242,251,270,277
,300,320-321,400-403,405,420-422,424-427,499-503,5
10-513,554,570-571,575,700-702,704,900-901,920,1025
820 Po820 up success success 1-13,18,20-
22,24-32,35
-37,42,45,5
0,54,60,69-
71,77,8....

Madhukrishnan Gopinathan Nair · ‎06-08-2015

Ok. Can you shut/ unshut destination port?

Also if that dont help, can you try shutting one of the port-channel from 6500 VSS towrds nexus and check?

Thanks,

Madhu

Russell Gibbons · ‎06-08-2015

I bounced the egress port on the destination 4948, which didn't change anything. I cannot drop a port-channel to the Nexus, as this is all production. I did notice that the appliance did seem to capture SOME packets this morning when I added vlan 1025 to the nexus pair - the fiber move was done almost 3 weeks ago, and this issue was just noticed this morning. It seems like I added the vlan to one nexus, and in the time it took me to log in and make the change to the other nexus, some packets went through. However, I also know through testing that I cannot leave it in that configuration, as the vlans will go err-disabled. Really at a loss here

Madhukrishnan Gopinathan Nair · ‎06-08-2015

Hello Russ,

Understand the siutation.

At this point i would say, please open a TAC case to investigate this more. Once you open a tac case, we can even try and reproduce the issue in Lab and further check on this. Surely we will get to a solution on this, please open a Tac case at the earliest.

Hope this helps, and if you feel any of the posts were useful here, do remember to rate them.

Thanks,

Madhu.

Madhukrishnan Gopinathan Nair · ‎06-09-2015

Hello Russ,

Did you open TAC case?

Thanks,

Madhu

Russell Gibbons · ‎06-09-2015

I have.