03-29-2018 05:29 AM - edited 03-08-2019 02:26 PM
Hi there, I have som problem with RSPAN configuration. My topology is SW4506 where I want to mirror port to RSPAN vlan, this switch is connected via trunk port to L3 switch 4510 and from 4510 via trunk to L2 switch 2960, which is my desired RSPAN destination port gi0/2. I have created special rspan vlan by commands
conf t -> vlan 66 -> remote-span->name RSPAN. I have created this vlan on those 3 switches and distrubuted vlan 66 over trunk ports to those switches.
SW4506 is configured like this:
monitor session 1 source interface gix/x both
monitor session 1 destination remote vlan 66
sw2960:
monitor session 1 source remote vlan 66
monitor session 1 destination interface gi0/2
After this I have no mirrored traffic. Do I need to do some configuration on my L3 4510 switch?
03-29-2018 06:35 AM - edited 03-29-2018 06:39 AM
03-29-2018 07:10 AM
Hello,
This configuration excerpt looks fine, RSPAN spans only the broadcast domain of the remote vlan, no L3 configuration required.
however I think you should verify the operational state (show interface trunk) of your trunks (vlan 66 not pruned from your trunks), are you sure there is traffic to be monitored on the source port, and are you sure the monitoring host can receive monitored traffic (ex. :interface card in monitor mode).
You can also verify the operational state of RSPAN (show monitor session 1) on source and destination switches.
Regards, Guillaume
03-29-2018 08:10 AM
trunk from 4510:
switchport trunk allowed vlan 10,30,40,66,99,100 (trunk connection to desired RSPAN source)
Vlans in spanning tree forwarding state and not pruned
Gi7/2 10,30,40,66,99-100
trunk from 4506 (desired RSPAN source)
Port Vlans allowed on trunk
Gi1/4 10,30,40,44,48,61,66,99-101
Port Vlans in spanning tree forwarding state and not pruned
Gi1/4 44,48,61,66,101
Gi1/5 10,30,40,44,48,61,66,99-101
Trunk from 2960 (desired RSPAN destination)
Port Vlans allowed on trunk
Gi0/1 1-4094
Port Vlans in spanning tree forwarding state and not pruned
Gi0/1 1,10,20-21,30,40,48,50,62,66,72,79,90,99-100,103
output from 2960 from show monitor session 1 is: (of course at 4506 source interface is gix/x and vlan66 as destination)
Session 1
---------
Type : Remote Destination Session
Source RSPAN VLAN : 66
Destination Ports : Gi0/2
Encapsulation : Native
Ingress : Disabled
vlan 66 is also active on all switches.
sh vlan id 66
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
66 RSPAN active
BUT ...source port on 4506 is in vlan 10 and destination port on my 2960 is in vlan 40. This might be the issue?
03-29-2018 08:42 AM
04-03-2018 10:57 PM - edited 04-03-2018 11:05 PM
this is output from destination gi0/2 port:
GigabitEthernet0/2 is down, line protocol is down (monitoring)
Hardware is Gigabit Ethernet, address is 1c17.d3aa.cf9a (bia 1c17.d3aa.cf9a)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto-speed, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 2w0d, output 5d17h, output hang never
Last clearing of "show interface" counters 00:01:02
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
there are no growin packets. I red some artickles, and there were said every remote monitoring traffic needs to be reflected to any empty port on the source switch. But when I wanted to add command "port reflection" this command is unkown. Any ideas?
04-04-2018 12:29 AM
04-04-2018 12:45 AM
The port is shutdown beacuse of no device is currenty connected to destination port. I just moved to the next room with laptop, connected to gi0/2, there was no traffic shown in wireshark and I have moved back to active port.
04-04-2018 12:48 AM
output with connected device to port:
GigabitEthernet0/2 is up, line protocol is down (monitoring)
Hardware is Gigabit Ethernet, address is 1c17.d3aa.cf9a (bia 1c17.d3aa.cf9a)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 2w1d, output 00:00:00, output hang never
Last clearing of "show interface" counters 01:54:38
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
26 packets output, 2744 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
04-04-2018 12:57 AM - edited 04-04-2018 01:04 AM
[Ok, i see output packets on your interface, wireshark should display the 26 packets.I think the problem is on the laptop: monitor mode of the interface, wrong interface on wireshark,...]
Sorry i didn't notice the last clearing of counter
04-04-2018 01:23 AM
new sh int gi0/2
GigabitEthernet0/2 is up, line protocol is down (monitoring)
Hardware is Gigabit Ethernet, address is 1c17.d3aa.cf9a (bia 1c17.d3aa.cf9a)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:24:39, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:17:36
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
151 packets output, 16459 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
packets are increasing and still nothing in wireshark. But, when I tried SPAN (fa0/2 source and fa0/21 destination, monitoring was working like a charm)
04-04-2018 12:52 AM
04-04-2018 01:00 AM
i verified traffic on gi0/2 while another PC was connected to that switch
sh int gi3/31 from source:
GigabitEthernet3/31 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet Port, address is 44d3.cab3.635e (bia 44d3.cab3.635e)
Description: " SWITCH/HUB "
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, link type is auto, media type is 10/100/1000-TX
input flow-control is on, output flow-control is on
Auto-MDIX on (operational: on)
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:09, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 57000 bits/sec, 93 packets/sec
6209796 packets input, 2026540826 bytes, 0 no buffer
Received 257391 broadcasts (186281 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
191546919 packets output, 20444638600 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
sw27_4506_1#sh mon
Session 1
---------
Type : Remote Source Session
Source Ports :
Both : Gi3/31
Filter Pkt Type :
RX Only : Good
Dest RSPAN VLAN : 66
is this enought?
04-04-2018 01:44 AM - edited 04-04-2018 01:54 AM
port-reflection is an old feature: an unused port is put in loopback mode to put the captured traffic on the RSPAN VLAN, it is used if the switch has no hardware monitoring capability. I don't know if it's still used, but if you can't configure it, i guess it's not required.
Sorry, i have no more clues, your configuration looks fine, i guess you rechecked again and again your remote vlans,...
Regards, Guillaume
04-06-2018 02:07 AM
Problem solved, there was problem with port incosistency due to spanning tree root guard. vlan66 on destination switch had lower priority than on L3 switch, which is configured as root. Thx everybody ;)
RSPAN works like a charm :)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide