Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3880
Views
0
Helpful
5
Replies

SPAN traffic with VLAN tag

David Hervas Garrudo
Level 1
Level 1

‎01-02-2013 04:50 AM - edited ‎03-07-2019 10:51 AM

Hello

I read in Cisco document to span traffic with VLAN tag i have to configure the destination port in trunk mode, something like this:

Configuring a Destination Port as an Unconditional Trunk

To tag the monitored traffic as it leaves a destination port, configure the destination port as a trunk.

To configure the destination port as a trunk, perform this task:

interface GigabitEthernet3/45

description PORT MIRRORING DESTINATION WITH VLAN TAG

switchport

switchport trunk encapsulation dot1q

switchport mode trunk

switchport nonegotiate

Configuring this the port is ok!!! up and trunking:

SWH#sh interfaces gigabitEthernet 3/45

GigabitEthernet3/45 is up, line protocol is up (connected)

  Hardware is C6k 1000Mb 802.3, address is 001d.7039.e45c (bia 001d.7039.e45c)

  Description: PORT MIRRORING DESTINATION WITH VLAN TAG

  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,

[Ommitted]

SWH00-CMAD01#sh interfaces gigabitEthernet 3/45 trunk

Port          Mode         Encapsulation  Status        Native vlan

Gi3/45        on           802.1q         trunking      1

Port          Vlans allowed on trunk

Gi3/45        1-4094

[ommited]

The problem is when we configure the port like port mirroring destination, the trunking is off and then i haven´t the vlan tag

SWH#sh interfaces gigabitEthernet 3/45

GigabitEthernet3/45 is up, line protocol is down (monitoring)

  Hardware is C6k 1000Mb 802.3, address is 001d.7039.e45c (bia 001d.7039.e45c)

  Description: PORT MIRRORING DESTINATION WITH VLAN TAG

  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,

[ommited]

SWH#sh interfaces gigabitEthernet 3/45 trunk

Port          Mode         Encapsulation  Status        Native vlan

Gi3/45        on           802.1q         not-trunking  1

Port          Vlans allowed on trunk

Gi3/45        1-4094

Any idea??? what is wrong? How to configure the mirroring to mantain the VLAN tag?

Thank you in advance

Regards

David

Labels:
0 Helpful
5 Replies 5

Edwin Summers
Level 3
Level 3

‎01-02-2013 05:52 AM

David,

I'm not in a place where I can confirm the output now.  I have monitored tagged (802.1q) traffic before but do not remember how the destination port "shows" when it is a monitoring port.  Just to confirm, the port that you are monitoring is a trunk port and configured for tagging, correct?

Also note the following configuration option for your SPAN session:

monitor           session session_number destination interface           interface_id encapsulation dot1q

command in order to enable encapsulation of the packets at the destination           port. If you do not specify the

encapsulation

keyword, the           packets are sent untagged, which is the default in Cisco IOS Software Release           12.1(11)EA1 and later.

(source: 

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml)

One last caveat:  I've heard of some PC NICs having issues reading/decoding 802.1q-tagged packets.  This is also mentioned in the source document above.  If the NIC cannot correctly "read" the packets, it may drop or display unstable behavior when trying to collect/process packets during sniffing.

Best of luck.  If someone hasn't helped resolve your issue by the time I get back to my lab later this evening (US EST), I can lab it up and assist.

Ed

0 Helpful

David Hervas Garrudo
Level 1
Level 1
In response to Edwin Summers

‎01-02-2013 07:01 AM

Hi Edwin

Thank you in advance for your help!!!

Yes, the port is configured as trunk 802.1q

interface GigabitEthernet3/45

description PORT MIRRORING DESTINATION WITH VLAN TAG

switchport

switchport trunk encapsulation dot1q

switchport mode trunk

switchport nonegotiate

And i have a question about capturing device, Is mandatory that the NIC server has been configured as trunk??

Regards

David

0 Helpful

Edwin Summers
Level 3
Level 3
In response to David Hervas Garrudo

‎01-02-2013 08:25 AM

Understand that port gi3/4/5 is your SPAN destination port, but I just wanted to confirm that your *source* port (the port you are mirroring from) is configured as a trunk port.  If the source port is not tagging traffic, then there will be no tags to show on the monitor. Perhaps you can provide the full configuration of both the SPAN source and destination ports?

Best,

Ed

0 Helpful

David Hervas Garrudo
Level 1
Level 1
In response to Edwin Summers

‎01-03-2013 03:00 AM

Hello Edwin

Yes, several sources ports are configured laike trunks 802.1q, with several VLANs. For example, we have one port connectted to a Cisco 3825 with 3 VLANs, and we need capture the traffic with the VLAN tags.

I tested several configurations without any result, i have opened a case to TAC Cisco, and i will comment the solution (i hope!!)

Thank you very much

Regards

David

0 Helpful

Edwin Summers
Level 3
Level 3
In response to David Hervas Garrudo

‎01-03-2013 05:04 AM

Sounds good, David.  Sorry we couldn't get you running as quick as we'd like.  I'll try to lab up a quick monitoring session this evening (US EST) when I get back, but I only have a 2950 currently to work with.  I can post the config to see if it helps.  Otherwise, let us know what you find with TAC.  I'll be interested to hear the results.

Best,

Ed

0 Helpful
Customers Also Viewed These Support Documents