12-06-2011 07:28 AM - edited 03-07-2019 03:46 AM
I have a requirement to monitor downstream data feed from a remote site and feed it to multiple destination devices for recording. The source data will be fed into a port on a Cisco 2960G switch then, using the monitor function, be forwarded to multiple interfaces. This works fine for normal Etherent II traffic. We tried a test using a device that generates IEEE 802.3 Raw packets ('type' field is used as a 'length' field) but found that while the traffic appeared to be accepted by the input port with no errors it was not forwarded to the destination ports, even when using the monitor function. I did try the 'encapsulation replicate' feature with no help. It does not forward these packets even if I set all the ports into a common VLAN and let the switch just perform a normal switch function (non monitor).
Can anyone tell me if it is possible to get the IEEE 802.3 raw packets to pass through the switch and if it is, how to or what I need to do to make it work?
Thanks in advance for any help.
12-06-2011 07:46 AM
Can you please post the configuration for your span session.
Are the source and destination on the same switch (doesn't sound like it), then you may need to configuring Remote Span.
12-06-2011 08:26 AM
I am including the entire configuration of the switch. The plan is to use a feed from another vendor switch but the test configuration has the device generating the IEEE 802.3 packets connected to directly to port 0/22 and I have configured the monitor session to take the data on port 0/22 and monitor out to port 0/3. I am wondering if this is a flowcontrol issue or a QoS issue.
I also attached a copy of the packet format that I am having trouble with.
Wayne
12-06-2011 08:48 AM
monitor session 1 source interface Gi0/22 rx
monitor session 1 destination interface Gi0/3 encapsulation replicate
Well, you're taking receive traffic from gi0/22 and putting it to gi0/3.
interface GigabitEthernet0/22
media-type rj45
spanning-tree bpdufilter enable
spanning-tree guard none
I noticed that there was not a 'switchport mode access' command on this port. I also don't see a vlan assigned to this port.
interface GigabitEthernet0/3
description lontest1 span
switchport mode access
no keepalive
spanning-tree portfast
spanning-tree bpdufilter enable
I don't see any vlan assigned to this port.
Can you put the output of 'show int trunk' as well.
12-06-2011 08:55 AM
Yes input on 22 and output on 3. 3 is a monitor destination port - VLAN configuraiton would seem to be irrelevant but, when in mode access the default VLAN is 1. I did have port 22 with a 'switchport mode access' command but that didn't make any difference - will test it again. Note that the 'encapsulation replicate' didn't make a difference but I left it there. Attached is the interface trunk information.
Wayne
12-06-2011 09:16 AM
Port Vlans in spanning tree forwarding state and not pruned
Gi0/24 85,811,830
Lab2960-ms1#
vlan 950
name TEST_RSPAN
remote-span
It looks like the RSPAN VLAN is not configured to go across gi0/24 which is the only trunk that is up and operational.
interface GigabitEthernet0/21
description UL test link
switchport trunk allowed vlan 950
switchport mode access
media-type rj45
I noticed this as well. It's configured with the 'switchport trunk allowed' command but it's set to 'switchport mode access'
12-06-2011 09:22 AM
I apologize if I wasn't clear. I am not using RSPAN for this effort. I am using straight monitor to span the input to port 22 to port 3 in this case. RSPAN would be used if I was accepting a remote RSPAN VLAN from another switch. This test does not do that. The future planned implementation would just have the output of another vendors mirror port sent to an input port of the Cisco 2960. The 'switchport trunk allowed vlan 950' is just a residule command from when I was testing in a different configuration. It is in mode 'access' so the trunk command has not effect... .or shouldn't as I understand it.
Wayne
12-06-2011 09:40 AM
I see what you mean. From looking at the monitor session configuration, everything seems ok.
What device do you have connected to gi0/3 that is reading the data from this port?
12-06-2011 09:44 AM
Currently have a workstation that is running wireshark. Works for Ethernet II but not for IEEE 802.3.
12-06-2011 09:50 AM
Do you see anything at all when you choose IEEE 802.3 ?
12-06-2011 10:06 AM
Where would I select IEEE 802.3? The workstation records whatever it receives, Ethernet II, IEEE 802.3, etc.... The problem is the data is not coming out the destination port when the source is IEEE 802.3.
12-06-2011 10:11 AM
Ive used wireshark before, but I cant see anything changing it from 802.3 to ethernet ll. Maybe wireshark is reading it as ll even though its 802.3.
12-06-2011 10:16 AM
The primary difference between an 802.3 packet and an Ethernet II packet is that two bytes after the source mac address are the 'type' bytes (typically 0800 for IPv4) for Ethernet II or Length bytes if 802.3 (05CD or less) for 802.3.
12-06-2011 11:12 AM
http://www.wireshark.org/lists/wireshark-users/200803/msg00089.html
Check that out w-morse.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide