RSPAN

vlad0 · ‎03-29-2018

Hi there, I have som problem with RSPAN configuration. My topology is SW4506 where I want to mirror port to RSPAN vlan, this switch is connected via trunk port to L3 switch 4510 and from 4510 via trunk to L2 switch 2960, which is my desired RSPAN destination port gi0/2. I have created special rspan vlan by commands

conf t -> vlan 66 -> remote-span->name RSPAN. I have created this vlan on those 3 switches and distrubuted vlan 66 over trunk ports to those switches.

SW4506 is configured like this:

monitor session 1 source interface gix/x both

monitor session 1 destination remote vlan 66

sw2960:

monitor session 1 source remote vlan 66

monitor session 1 destination interface gi0/2

After this I have no mirrored traffic. Do I need to do some configuration on my L3 4510 switch?

Hulk8647 · ‎03-29-2018

gs.skills · ‎03-29-2018

Hello,

This configuration excerpt looks fine, RSPAN spans only the broadcast domain of the remote vlan, no L3 configuration required.

however I think you should verify the operational state (show interface trunk) of your trunks (vlan 66 not pruned from your trunks), are you sure there is traffic to be monitored on the source port, and are you sure the monitoring host can receive monitored traffic (ex. :interface card in monitor mode).

You can also verify the operational state of RSPAN (show monitor session 1) on source and destination switches.

Regards, Guillaume

vlad0 · ‎03-29-2018

trunk from 4510:

switchport trunk allowed vlan 10,30,40,66,99,100 (trunk connection to desired RSPAN source)

Vlans in spanning tree forwarding state and not pruned

Gi7/2 10,30,40,66,99-100

trunk from 4506 (desired RSPAN source)

Port Vlans allowed on trunk
Gi1/4 10,30,40,44,48,61,66,99-101

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/4       44,48,61,66,101
Gi1/5       10,30,40,44,48,61,66,99-101

Trunk from 2960 (desired RSPAN destination)

Port Vlans allowed on trunk
Gi0/1 1-4094

Port Vlans in spanning tree forwarding state and not pruned
Gi0/1 1,10,20-21,30,40,48,50,62,66,72,79,90,99-100,103

output from 2960 from show monitor session 1 is: (of course at 4506 source interface is gix/x and vlan66 as destination)

Session 1
---------
Type                   : Remote Destination Session
Source RSPAN VLAN      : 66
Destination Ports      : Gi0/2
    Encapsulation      : Native
          Ingress      : Disabled

vlan 66 is also active on all switches.

sh vlan id 66

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
66 RSPAN active

BUT ...source port on 4506 is in vlan 10 and destination port on my 2960 is in vlan 40. This might be the issue?

gs.skills · ‎03-29-2018

It looks fine, the destination port is in the monitoring mode (not a normal switchport anymore so the vlan configuration does not matter) and the source port can belongs to any vlan even trunk ports are supported by RSPAN.
You can verify the state of the destination port (show int gi0/2):
- it should be up/down(monitoring)
- the output packets number should be growing
You can verify that the number of input/output packets on source interface are growing too

vlad0 · ‎04-03-2018

this is output from destination gi0/2 port:

GigabitEthernet0/2 is down, line protocol is down (monitoring)
Hardware is Gigabit Ethernet, address is 1c17.d3aa.cf9a (bia 1c17.d3aa.cf9a)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto-speed, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 2w0d, output 5d17h, output hang never
Last clearing of "show interface" counters 00:01:02
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

there are no growin packets. I red some artickles, and there were said every remote monitoring traffic needs to be reflected to any empty port on the source switch. But when I wanted to add command "port reflection" this command is unkown. Any ideas?

gs.skills · ‎04-04-2018

Hello,
status of your destination port is down/down(monitoring), It should be UP/down(monitoring).
Look for layer 1 problem: faulty cable, i don't know if auto MDIX works on monitoring ports(= try a straight cable), the port of your monitoring host is shutdown or must be manually enabled,...
Regards, Guillaume

vlad0 · ‎04-04-2018

The port is shutdown beacuse of no device is currenty connected to destination port. I just moved to the next room with laptop, connected to gi0/2, there was no traffic shown in wireshark and I have moved back to active port.

vlad0 · ‎04-04-2018

output with connected device to port:

GigabitEthernet0/2 is up, line protocol is down (monitoring)
Hardware is Gigabit Ethernet, address is 1c17.d3aa.cf9a (bia 1c17.d3aa.cf9a)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 2w1d, output 00:00:00, output hang never
Last clearing of "show interface" counters 01:54:38
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     26 packets output, 2744 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

gs.skills · ‎04-04-2018

[~~Ok, i see output packets on your interface, wireshark should display the 26 packets.~~
~~I think the problem is on the laptop: monitor mode of the interface, wrong interface on wireshark,...~~]

Sorry i didn't notice the last clearing of counter

vlad0 · ‎04-04-2018

new sh int gi0/2

GigabitEthernet0/2 is up, line protocol is down (monitoring)
Hardware is Gigabit Ethernet, address is 1c17.d3aa.cf9a (bia 1c17.d3aa.cf9a)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:24:39, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:17:36
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     151 packets output, 16459 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

packets are increasing and still nothing in wireshark. But, when I tried SPAN (fa0/2 source and fa0/21 destination, monitoring was working like a charm)

gs.skills · ‎04-04-2018

Did you verify the traffic on the switch too (show int gi0/2) while your laptop was connected? Can you also verify the traffic from the source port?

vlad0 · ‎04-04-2018

i verified traffic on gi0/2 while another PC was connected to that switch

sh int gi3/31 from source:

GigabitEthernet3/31 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet Port, address is 44d3.cab3.635e (bia 44d3.cab3.635e)
Description: " SWITCH/HUB "
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, link type is auto, media type is 10/100/1000-TX
input flow-control is on, output flow-control is on
Auto-MDIX on (operational: on)
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:09, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 57000 bits/sec, 93 packets/sec
     6209796 packets input, 2026540826 bytes, 0 no buffer
     Received 257391 broadcasts (186281 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     191546919 packets output, 20444638600 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
sw27_4506_1#sh mon
Session 1
---------
Type                   : Remote Source Session
Source Ports           :
    Both               : Gi3/31
Filter Pkt Type        :
    RX Only       : Good
Dest RSPAN VLAN        : 66

is this enought?

gs.skills · ‎04-04-2018

port-reflection is an old feature: an unused port is put in loopback mode to put the captured traffic on the RSPAN VLAN, it is used if the switch has no hardware monitoring capability. I don't know if it's still used, but if you can't configure it, i guess it's not required.

Sorry, i have no more clues, your configuration looks fine, i guess you rechecked again and again your remote vlans,...

Regards, Guillaume

vlad0 · ‎04-06-2018

Problem solved, there was problem with port incosistency due to spanning tree root guard. vlan66 on destination switch had lower priority than on L3 switch, which is configured as root. Thx everybody ;)

RSPAN works like a charm :)