cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
750
Views
0
Helpful
2
Replies
Beginner

Should native VLAN on SPAN session be encapsulated?

I have set up a SPAN session on a switch within a campus network:

Session 1

---------

Type                   : Local Session

Source Ports           :

    Both               : Gi0/18

Destination Ports      : Gi0/23

    Encapsulation      : DOT1Q

          Ingress      : Disabled

Por Gi0/18 (source) is a trunk port with native VLAN 20. The connected router on this port also uses VLAN 20 as a native VLAN.

Port Gi0/23 (destination) is a trunk port with native VLAN 2. It is connected to a virtual linux machine with Wireshark installed.

I am particularly interested in VLAN 20 on port Go0/18, so initially I set up Wireshark to capture only untagged packets and captured 87,000 packets in one minute.

I later saw that I was getting some traffic tagged with VLAN 20 - I was surprised as I expected the encapsulation on the source port to mean that VLAN 20 would not be tagged. I set up a capture session to only capture packets tagged on VLAN 20 and captured 65,000 packets in one minute. In other words, the flows seem to be fairly evenly balanced between tagged and untagged packets on VLAN 20.

Should I be concerned about this, or is it normal behaviour (based on direction, perhaps)?

Daniel

Everyone's tags (5)
2 REPLIES 2
Highlighted
Hall of Fame Expert

Should native VLAN on SPAN session be encapsulated?

Hello Daniel,

the SPAN destination port has a different native VLAN then the SPAN source port, so I would say that seeing traffic tagged with Vlan-id=20 out of SPAN destination port can be expected as traffic is sent out of the port according to the SPAN destination port settings making a change of native vlan.

The internal respresentation of frames in the switch is tagged with Vlan-id=20.

Your suggestion about direction of traffic is likely to apply too.

If I remember correctly if the SPAN destination port is not configured as a trunk all mirrored traffic has the VLAN tag removed so traffic is presented to the SPAN destination port according to settings on this port.

Hope to help

Giuseppe

Highlighted
Beginner

Should native VLAN on SPAN session be encapsulated?

Thank you Giuseppe.

In my case the SPAN destination port is correctly configured as a trunk port. What I find odd is that I would expect all traffic mirrored on VLAN 20 would be tagged or all to be untagged, not some kind of mixture. It seems strange that this would be 'by design'.

Daniel

CreatePlease to create content
Content for Community-Ad