
SG350 RSPAN Not Working

dpsw120
Level 1

Hello Everyone,

 

I have 3 SG350s connected to each other.

[Attached image: CaptureC1.JPG]

Here is the config:


SW1#sh run
config-file-header
SW1
v2.3.5.63 / RLINUX_923_093
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
unit-type-control-start
unit-type unit 1 network gi uplink none
unit-type-control-end
!
spanning-tree loopback-guard
port jumbo-frame
vlan database
vlan 10,20,30,40,50,60,70,99
exit
voice vlan state disabled
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
loopback-detection enable
errdisable recovery cause loopback-detection
errdisable recovery cause port-security
errdisable recovery cause dot1x-src-address
errdisable recovery cause acl-deny
errdisable recovery cause stp-bpdu-guard
errdisable recovery cause stp-loopback-guard
errdisable recovery cause udld
errdisable recovery cause storm-control
bonjour interface range vlan 1
qos wrr-queue wrtd
hostname SW1
logging host 192.168.1.254
logging origin-id hostname
aaa authentication login Tacacas+1 tacacs local
aaa authentication enable Tacacas+1 tacacs enable
aaa accounting login start-stop group tacacs+
line ssh
login authentication Tacacas+1
password aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa encrypted
exit
line console
password bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb encrypted
exit
enable password level 15 encrypted ccccccccccccccccccccccccccccccccccccccccccc
username cisco password encrypted ddddddddddddddddddddddddddddddddddddddd privilege 15
ip ssh server
ip ssh-client server authentication
snmp-server server
snmp-server engineID local wwwwwwwwwwwwwwwwwwww
snmp-server location SNMP_MANAGER
snmp-server contact SNMPADMIN
snmp-server community SNMP_SNMP ro 192.168.1.253 view Default
snmp-server community SNMP_SNMP ro 192.168.1.254 view Default
snmp-server host 192.168.1.253 traps version 2c SNMP_SNMP
snmp-server host 192.168.1.254 traps version 2c SNMP_SNMP
snmp-server group SNMP v2
encrypted tacacs-server host 192.168.1.252 single-connection key eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
encrypted tacacs-server key fffffffffffffffffffffffffffffffffffffffff
clock timezone " " +7
sntp server 192.168.1.1 poll
security-suite enable
security-suite dos protect add stacheldraht
security-suite dos protect add invasor-trojan
security-suite dos protect add back-orifice-trojan
security-suite deny martian-addresses reserved add
!
interface vlan 10
name Main
!
interface vlan 20
name Backup
!
interface vlan 99
ip address 192.168.1.4 255.255.255.0
!
interface GigabitEthernet1
switchport access vlan 10
!
interface GigabitEthernet2
switchport access vlan 10
!
interface GigabitEthernet3
switchport access vlan 10
!
interface GigabitEthernet4
switchport access vlan 10
!
interface GigabitEthernet5
switchport access vlan 10
!
interface GigabitEthernet21
switchport mode trunk
switchport trunk native vlan 99
no macro auto smartport
!
interface GigabitEthernet23
switchport mode trunk
switchport trunk native vlan 99
no macro auto smartport
!
interface GigabitEthernet25
switchport mode trunk
switchport trunk native vlan 99
no macro auto smartport
!
exit
ip arp inspection
ip arp inspection validate
ip source-guard
ip default-gateway 192.168.1.1

This config is the same on all switches except for each switch's own trunk interface.

Okay, so I need to configure RSPAN, so I configured it like this:

S1,S2,S3
#Vlan 90 name RSPAN_
#Int vlan 90
#rspan-vlan
S1
#monitor session 1 source int gi1 both
#monitor session 1 destination remote vlan 90 reflector-port gi15 network
S3
#monitor session 1 source remote vlan 90
#monitor session 1 destination interface gi1 network

After this configuration, on my Linux box I tried to see the traffic with tcptrack -i (interface) and it didn't show.

Only SPAN will work; I don't know why RSPAN didn't work.

Please help.

 

Thank You

8 Replies

dpsw120
Level 1
Can someone help, please?

Hello,

 

Make sure that the source port, reflector port and the destination port are NOT part of the RSPAN VLAN (VLAN 90 in your case as far as I can tell).

 

Check page 52 of the attached admin guide...

 

https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/350xg/admin_guide/AG_Tesla_350_550.pdf
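
One way to run the membership check from the reply above against a saved configuration, as an added example that is not part of the original thread or Cisco's tooling. The function names `parse_ports` and `check_rspan` are hypothetical; the sketch only recognises the command forms quoted on this page, checks access-mode membership only (trunk membership is not evaluated), and treats a port with no interface stanza as not being a member.

```python
import re

# Constructed sample in the syntax shown on this page; gi15 is deliberately
# placed in VLAN 90 to show a failing case (this is not the poster's config).
SAMPLE = """\
interface GigabitEthernet1
switchport access vlan 10
!
interface GigabitEthernet15
switchport access vlan 90
!
monitor session 1 source int gi1 both
monitor session 1 destination remote vlan 90 reflector-port gi15 network
"""

def parse_ports(cfg):
    """Map port number -> (mode, access_vlan) from interface stanzas."""
    ports, cur = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if line.startswith("interface") or line in ("!", "exit"):
            m = re.match(r"interface GigabitEthernet(\d+)$", line)
            cur = int(m.group(1)) if m else None
            if cur is not None:
                ports[cur] = ("access", 1)  # assumed defaults until overridden
        elif cur is not None:
            mode, vlan = ports[cur]
            if line == "switchport mode trunk":
                mode = "trunk"
            m = re.match(r"switchport access vlan (\d+)$", line)
            ports[cur] = (mode, int(m.group(1)) if m else vlan)
    return ports

def check_rspan(cfg):
    """Return (port, role, problem) for session ports that sit in the RSPAN VLAN."""
    roles, rspan = {}, None
    for line in (l.strip().lstrip("#") for l in cfg.splitlines()):
        if m := re.match(r"monitor session \d+ source int\w* gi(\d+)", line):
            roles[int(m.group(1))] = "source"
        elif m := re.match(r"monitor session \d+ destination remote vlan (\d+) reflector-port gi(\d+)", line):
            rspan, roles[int(m.group(2))] = int(m.group(1)), "reflector"
        elif m := re.match(r"monitor session \d+ destination int\w* gi(\d+)", line):
            roles[int(m.group(1))] = "destination"
        elif m := re.match(r"monitor session \d+ source remote vlan (\d+)", line):
            rspan = int(m.group(1))
    ports = parse_ports(cfg)
    return [(p, role, f"access member of RSPAN VLAN {rspan}")
            for p, role in sorted(roles.items())
            if ports.get(p) == ("access", rspan)]
```

An empty list from `check_rspan` means none of the session's source, reflector or destination ports is an access member of the RSPAN VLAN; it says nothing about whether the trunks between the switches carry that VLAN.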

I think I already checked this section; it's a little bit confusing.

Start Switch
3. Define a reflector port (destination, egress port) and ensure that it is not a member of the RSPAN VLAN.

Reflector port = unused port, right?

Intermediate Switch(es) 
2. Ensure that there are at least two ports that are members of the RSPAN VLAN. Traffic will pass through the switch via the RSPAN VLAN.

How can I add a port as a member of the RSPAN VLAN? Is it possible?

 

Thank you sir.

 

Anyone, help please.

Hello,

 

You can assign ports to VLANs on the Port VLAN Membership page of the GUI (page 213 of the guide).

 

Not sure what you are missing, you might want to check the RSPAN workflow (page 52)...

 

https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/350xg/admin_guide/AG_Tesla_350_550.pdf

Let me quickly recap page number 52.
In the start switch:
- The source port is the port that is connected to the devices, e.g. PC, server
- The reflector is an unused port?
- The start switch and intermediate switch are connected through a trunk port, right?
In the intermediate switch:
- Should I allocate 2 unused ports as RSPAN VLAN members? And 1 port is the same as the reflector port on the start switch?
In the final switch:
- What is port 7 in this switch? Is it an unused port or the port that is connected to the intermediate switch?
Please help me, thank you.

Help please, someone out there.

DeFlaMenTaL
Level 1

Hi!

I have the same issue here, and it is a mess that no solution is available.

I made a bench with only two SG350s, in order to avoid issues from an intermediate switch, but it is impossible to make it work.

Can someone from Cisco help us?