Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1076
Views
0
Helpful
2
Replies

Should native VLAN on SPAN session be encapsulated?

danielkleeman
Level 1
Level 1

‎12-10-2012 07:49 AM - edited ‎03-07-2019 10:30 AM

I have set up a SPAN session on a switch within a campus network:

Session 1

---------

Type                   : Local Session

Source Ports           :

    Both               : Gi0/18

Destination Ports      : Gi0/23

    Encapsulation      : DOT1Q

          Ingress      : Disabled

Por Gi0/18 (source) is a trunk port with native VLAN 20. The connected router on this port also uses VLAN 20 as a native VLAN.

Port Gi0/23 (destination) is a trunk port with native VLAN 2. It is connected to a virtual linux machine with Wireshark installed.

I am particularly interested in VLAN 20 on port Go0/18, so initially I set up Wireshark to capture only untagged packets and captured 87,000 packets in one minute.

I later saw that I was getting some traffic tagged with VLAN 20 - I was surprised as I expected the encapsulation on the source port to mean that VLAN 20 would not be tagged. I set up a capture session to only capture packets tagged on VLAN 20 and captured 65,000 packets in one minute. In other words, the flows seem to be fairly evenly balanced between tagged and untagged packets on VLAN 20.

Should I be concerned about this, or is it normal behaviour (based on direction, perhaps)?

Daniel

Labels:
0 Helpful
2 Replies 2

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎12-10-2012 12:20 PM

Hello Daniel,

the SPAN destination port has a different native VLAN then the SPAN source port, so I would say that seeing traffic tagged with Vlan-id=20 out of SPAN destination port can be expected as traffic is sent out of the port according to the SPAN destination port settings making a change of native vlan.

The internal respresentation of frames in the switch is tagged with Vlan-id=20.

Your suggestion about direction of traffic is likely to apply too.

If I remember correctly if the SPAN destination port is not configured as a trunk all mirrored traffic has the VLAN tag removed so traffic is presented to the SPAN destination port according to settings on this port.

Hope to help

Giuseppe

0 Helpful

danielkleeman
Level 1
Level 1
In response to Giuseppe Larosa

‎12-11-2012 09:14 AM

Thank you Giuseppe.

In my case the SPAN destination port is correctly configured as a trunk port. What I find odd is that I would expect all traffic mirrored on VLAN 20 would be tagged or all to be untagged, not some kind of mixture. It seems strange that this would be 'by design'.

Daniel

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card