Re: SPAN Setup Cisco 930048T - Fiber and Ethernet - Page 2

christian.sheppard · ‎11-11-2021

Hello All,

I apologize but I was not able to locate any documentation on this specific setup and my efforts have not yielded any fruit thus far. Thank you in advance for anyone that is able/willing to assist.

Scenario and Objective:

We have a 48 port Cisco 9300 that we would like to setup a SPAN or port monitor for our ingress/egress traffic. The switch (and subsequent traffic) is connected to our Velo device (The ISP's Demarc) by fiber. We have a server that is connected to the same physical switch (It is a switch stack). We wish to create the SPAN with the source being the fiber port and the destination, the standard RJ45 Ethernet port on the same switch that is connected to the server. The server setup has been verified as good. All physical lines are verified as good.

Current Result/Symptoms

No traffic is being monitored on the indicated server.

Current SPAN Configuration:

sh monitor session 1
Session 1
---------
Type : Local Session
Source Ports :
Both : Te2/1/1
Destination Ports : Gi2/0/16
Encapsulation : Native
Ingress : Disabled

christian.sheppard · ‎11-17-2021

Hi Balaji,

My apologies for the belated response. Please see below. I removed some irrelevant information such as the standard CISCO disclaimers and ports that are not involved, just to make some things easier to read.

****************************************
Show version
****************************************
Cisco IOS XE Software, Version 16.06.07
Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.6.7, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Mon 23-Sep-19 14:24 by mcpre

ROM: IOS-XE ROMMON
BOOTLDR: System Bootstrap, Version 16.8.1r [FC4], RELEASE SOFTWARE (P)

<Redacted> uptime is 1 year, 43 weeks, 2 days, 23 hours, 45 minutes
Uptime for this control processor is 1 year, 43 weeks, 2 days, 23 hours, 48 minutes
System returned to ROM by PowerOn
System restarted at 14:36:56 CST Sat Jan 18 2020
System image file is "flash:packages.conf"
Last reload reason: PowerOn

Technology Package License Information:

-----------------------------------------------------------------
Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
network-advantage Permanent network-advantage
dna-advantage Subscription dna-advantage

cisco C9300-48T (X86) processor with 1392535K/6147K bytes of memory.
Processor board ID FJC2346E06J
26 Virtual Ethernet interfaces
208 Gigabit Ethernet interfaces
32 Ten Gigabit Ethernet interfaces
8 Forty Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
8388608K bytes of physical memory.
1638400K bytes of Crash Files at crashinfo:.
11264000K bytes of Flash at flash:.
0K bytes of WebUI ODM Files at webui:.
1638400K bytes of Crash Files at crashinfo-2:.
11264000K bytes of Flash at flash-2:.
1638400K bytes of Crash Files at crashinfo-3:.
11264000K bytes of Flash at flash-3:.
1638400K bytes of Crash Files at crashinfo-4:.
11264000K bytes of Flash at flash-4:.

Base Ethernet MAC Address : <Redacted>
Motherboard Assembly Number : 73-18273-04
Motherboard Serial Number : <Redacted>
Model Revision Number : A0
Motherboard Revision Number : B0
Model Number : C9300-48T
System Serial Number : <Redacted>

Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 62 C9300-48T 16.6.7 CAT9K_IOSXE INSTALL
2 62 C9300-48T 16.6.7 CAT9K_IOSXE INSTALL
3 62 C9300-48T 16.6.7 CAT9K_IOSXE INSTALL
4 62 C9300-48T 16.6.7 CAT9K_IOSXE INSTALL

Switch 02
---------
Switch uptime : 1 year, 43 weeks, 2 days, 23 hours, 30 minutes

Base Ethernet MAC Address : <Redacted>
Motherboard Assembly Number : 73-18273-04
Motherboard Serial Number : <Redacted>
Model Revision Number : A0
Motherboard Revision Number : B0
Model Number : C9300-48T
System Serial Number : <Redacted>

Switch 03
---------
Switch uptime : 1 year, 43 weeks, 2 days, 23 hours, 35 minutes

Base Ethernet MAC Address : <Redacted>
Motherboard Assembly Number : 73-18273-04
Motherboard Serial Number : <Redacted>
Model Revision Number : A0
Motherboard Revision Number : B0
Model Number : C9300-48T
System Serial Number : <Redacted>

Switch 04
---------
Switch uptime : 25 weeks, 4 days, 3 hours, 47 minutes

Base Ethernet MAC Address : <Redacted>
Motherboard Assembly Number : 73-18273-04
Motherboard Serial Number : <Redacted>
Model Revision Number : A0
Motherboard Revision Number : B0
Model Number : C9300-48T
System Serial Number : <Redacted>

Configuration register is 0x102

****************************************
Show VLAN
****************************************
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1000 Core-Routing active Te2/1/1

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------

****************************************
Show span VLAN 1000
****************************************
VLAN1000
Spanning tree enabled protocol ieee
Root ID Priority 33768
Address <Redacted>
Cost 4
Port 144
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33768 (priority 32768 sys-id-ext 1000)
Address <Redacted>
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Te2/1/1 Desg FWD 2 128.149 P2p

****************************************
Show run | sec monitor
****************************************
monitor session 1 source interface Gi2/0/1
monitor session 1 destination interface Gi2/0/16

tdavis85 · ‎11-21-2021

Your interface from g2/0/16 is showing that the SPAN port is sending traffic. Is there any way you could hook up a PC with Wireshark instead of the server and see if you are still not receiving any traffic? Either that or push it as an RSPAN to another switch just to see if the other switch registers the traffic. That'll tell you if the interface statistics are just not accurately reflecting on that switch or if you are actually sending traffic that the Server just isn't registering.

christian.sheppard · ‎11-29-2021

Hi tdavis85,

Thanks for reaching out. I apologize for the belated response. I am here in the States and we just had Thanksgiving. I did just that as of this morning. I used Wireshark on a laptop and plugged it directly into the destination port. I did see plenty of traffic come through however, it appears to only be local (So internal IPs, broadcast addresses, general handshaking, etc.). I am not sure what would cause the external-facing traffic to be excluded. Any ideas? Thanks in advance!

tdavis85 · ‎11-29-2021

I would check the counters on the source interface compared to the counters on the destination interface. The destination interface output should be the input and output of the source interface combined. That will give you an idea of how much traffic you are dropping. Also, are you still not seeing anything on your server that you were trying to capture on? If you aren't I would check and see if that server is expecting the traffic to be tagged or not. I can't really say much as far as why you aren't seeing the external traffic without knowing your system flow, but some things to keep in mind are if you are using a proxy, or have multiple paths out that may affect what you see in regards to the SPAN traffic.

christian.sheppard · ‎12-01-2021

Hi @tdavis85,

Thanks and please see below for the requested info.

"I would check the counters on the source interface compared to the counters on the destination interface. The destination interface output should be the input and output of the source interface combined. That will give you an idea of how much traffic you are dropping."

Port InOctets InUcastPkts InMcastPkts InBcastPkts
Gi2/0/16 4052038607414 4152222077 7250450 13001618

Port OutOctets OutUcastPkts OutMcastPkts OutBcastPkts

Gi2/0/16 3435171268561 13138298527 1501832273 940292284

*********************************************************

Port InOctets InUcastPkts InMcastPkts InBcastPkts
Te2/1/1 133876953473610 161081010889 6340837 8283058

Port OutOctets OutUcastPkts OutMcastPkts OutBcastPkts
Te2/1/1 70133397099721 134655317068 43492631 4476206

"Also, are you still not seeing anything on your server that you were trying to capture on?"

Negative.

"If you aren't I would check and see if that server is expecting the traffic to be tagged or not."

This is a good observation. I will reach out to the vendor to get the details on that.

"...but some things to keep in mind are if you are using a proxy, or have multiple paths out that may affect what you see in regards to the SPAN traffic."

That's a good point too but we only have one port for ingress/egress so that shouldn't be a problem.