Solved: SPAN source VLAN tag

omer shtivi · ‎07-12-2015

Hello,

When configuring a SPAN with source VLAN does the monitoring system receive the frame with the VLAN tag or does the switch strips the tag?

Best regards,

Omer Shtivi

Peter Paluch · ‎07-12-2015

Hi Omer,

The switch can do both things and it depends on how you configure the destination SPAN port and optionally whether the frame arrived to the switch tagged or untagged.

If the destination SPAN port is configured as follows:

monitor session 1 destination interface GigabitEthernet0/1

then the monitored frames will always be sent out the Gi0/1 interface as untagged.

If the destination SPAN port is configured as follows:

monitor session 1 destination interface GigabitEthernet0/1 encapsulation dot1q

then the monitored frames will always be sent out the Gi0/1 interface tagged with the VLAN they were received in. It does not matter whether the frames were originally received by the switch as tagged or untagged.

If the destination SPAN port is configured as follows:

monitor session 1 destination interface GigabitEthernet0/1 encapsulation replicate

then the monitored frames will be sent out the Gi0/1 interface in the form they have been received by the switch. If they were received as tagged then they will also be forwarded out Gi0/1 as tagged. If they were received as untagged then they will also be forwarded out Gi0/1 as untagged.

Please test it and let us know if it worked for you. Thanks!

Best regards,
Peter

View solution in original post

Peter Paluch · ‎07-14-2015

Madhu, Omer,

Well, SPAN seems to be strongly platform-dependent, and various platforms may behave differently. Madhu, perhaps you could bring back to your managers a feedback that now it would be a good time to start making the behavior of different features and mechanisms identical across all switching platforms. Having to remember per-platform quirks is an exercise in uselessness. That's not where true expertise lies.

Nonetheless, according to the same Configuration Guide mentioned earlier by Madhu, it appears that on 6500 Catalyst series, if the destination SPAN port is configured as a trunk prior to being configured as a SPAN destination port, the egress traffic will be tagged unconditionally. This behavior should be similar to encapsulation dot1q type of destination SPAN port I have described earlier.

Best regards,
Peter

View solution in original post

Peter Paluch · ‎07-12-2015

Hi Omer,

The switch can do both things and it depends on how you configure the destination SPAN port and optionally whether the frame arrived to the switch tagged or untagged.

If the destination SPAN port is configured as follows:

monitor session 1 destination interface GigabitEthernet0/1

then the monitored frames will always be sent out the Gi0/1 interface as untagged.

If the destination SPAN port is configured as follows:

monitor session 1 destination interface GigabitEthernet0/1 encapsulation dot1q

then the monitored frames will always be sent out the Gi0/1 interface tagged with the VLAN they were received in. It does not matter whether the frames were originally received by the switch as tagged or untagged.

If the destination SPAN port is configured as follows:

monitor session 1 destination interface GigabitEthernet0/1 encapsulation replicate

then the monitored frames will be sent out the Gi0/1 interface in the form they have been received by the switch. If they were received as tagged then they will also be forwarded out Gi0/1 as tagged. If they were received as untagged then they will also be forwarded out Gi0/1 as untagged.

Please test it and let us know if it worked for you. Thanks!

Best regards,
Peter

Madhukrishnan Gopinathan Nair · ‎07-12-2015

Very quick Peter. I was trying to say use encapsulation replicate. But you very well covered it.

Madhu

omer shtivi · ‎07-12-2015

Working!

Thanks!

omer shtivi · ‎07-13-2015

Hi,

The command not seems to work on 6500 running version code 12.2.(33)SXI4a

Is there a way to make it work?

Thanks,

Omer Shtivi

Madhukrishnan Gopinathan Nair · ‎07-13-2015

Hello Omer,

Had a look at the config guide and it does not seem to be available and under the restrictions it is mentioned as below.

SPAN copies Layer 2 Ethernet frames, but SPAN does not copy source trunk port ISL or 802.1Q tags. You can configure destinations as trunks to send locally tagged traffic to the traffic analyzer

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/span.html#wp1059824

Thanks,

Madhu.

Peter Paluch · ‎07-14-2015

Madhu, Omer,

Well, SPAN seems to be strongly platform-dependent, and various platforms may behave differently. Madhu, perhaps you could bring back to your managers a feedback that now it would be a good time to start making the behavior of different features and mechanisms identical across all switching platforms. Having to remember per-platform quirks is an exercise in uselessness. That's not where true expertise lies.

Nonetheless, according to the same Configuration Guide mentioned earlier by Madhu, it appears that on 6500 Catalyst series, if the destination SPAN port is configured as a trunk prior to being configured as a SPAN destination port, the egress traffic will be tagged unconditionally. This behavior should be similar to encapsulation dot1q type of destination SPAN port I have described earlier.

Best regards,
Peter