02-20-2009 06:47 AM - edited 03-06-2019 04:08 AM
Hi,
I have a Cisco 3750 and I'm spanning a couple of ports to a single port where our Observer (packet capture server) is. These 2 ports I'm monitoring are in VLAN 2 and VLAN 3, but in Observer it shows no VLAN info; however, I can see all the other traffic data.
The Observer consultant says it has to be the switch as he has seen this all working before.
Port 1/0/48 is the destination span port and it's in no vlan:
interface FastEthernet1/0/47
shutdown
!
interface FastEthernet1/0/48
!
interface GigabitEthernet1/0/1
shutdown
This is the span. I have to have session 1 for our Websense server; session 2 is what I'm on about, and the 2 source ports are the inside and outside of our Cisco ASA firewall.
monitor session 1 source interface Fa1/0/3
monitor session 1 destination interface Fa1/0/6
monitor session 2 source interface Fa1/0/3 , Fa1/0/9
monitor session 2 destination interface Fa1/0/48
Any ideas, as this is beyond my knowledge.
Thanks
02-20-2009 07:10 AM
If you want to grab the VLAN information and not just the data on the two ports, you are going to need to span the VLANs instead of the ports. However, this is going to give you all data that is passing through the VLAN and not just the two ports that you are currently trying to investigate.
c3750_remote(config)#monitor session 1 source vlan < Remote RSPAN VLAN ID >
c3750_remote(config)#monitor session 1 destination interface < Interface ID >
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml
02-20-2009 07:13 AM
Hi,
I did try also using the VLAN to span but I got the same result, this is what I did:
c3750_remote(config)#monitor session 2 source vlan 2,3
c3750_remote(config)#monitor session 2 destination interface 1/0/48
Again port 48 is in no VLAN and the NIC for this server has no IP etc.
Thanks
02-20-2009 07:17 AM
Are these VLANs trunked to another location? You might be able to perform port monitoring on the trunk interface and grab the dot1Q headers.
02-20-2009 07:23 AM
How strange, this is the trunk port info; however, VLAN 2 isn't on there?? Even though it works? This trunk port goes to the ASA firewall.
interface FastEthernet1/0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 3,4,6,7,9,10,300
switchport mode trunk
ASA:
ASA5520-1# sh vlan
4, 6-7 , 9-10 , 300
3750
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0/19, Fa1/0/20, Fa1/0/21, Fa1/0/22, Fa1/0/27, Fa1/0/28, Fa1/0/35, Fa1/0/36
Fa1/0/37, Fa1/0/38, Fa1/0/39, Fa1/0/40, Fa1/0/41, Fa1/0/42, Fa1/0/43, Fa1/0/44
Fa1/0/45, Fa1/0/47, Fa1/0/48, Gi1/0/1, Gi1/0/2, Gi1/0/3, Fa2/0/2, Fa2/0/19
Fa2/0/20, Fa2/0/21, Fa2/0/22, Fa2/0/27, Fa2/0/28, Fa2/0/35, Fa2/0/36, Fa2/0/37
Fa2/0/38, Fa2/0/39, Fa2/0/40, Fa2/0/41, Fa2/0/42, Fa2/0/43, Fa2/0/44, Fa2/0/45
Fa2/0/47, Gi2/0/1, Gi2/0/2, Gi2/0/3, Gi2/0/4
2 VLAN0002 active Fa1/0/3, Fa1/0/4, Fa1/0/5, Fa1/0/6, Fa1/0/7, Fa1/0/8, Fa1/0/33, Fa1/0/34
Fa2/0/3, Fa2/0/4, Fa2/0/5, Fa2/0/6, Fa2/0/7, Fa2/0/8, Fa2/0/33, Fa2/0/34
3 VLAN0003 active Fa1/0/9, Fa1/0/10, Fa1/0/11, Fa1/0/12, Fa1/0/13, Fa1/0/14, Fa1/0/15, Fa1/0/16
Fa2/0/9, Fa2/0/10, Fa2/0/11, Fa2/0/12, Fa2/0/13, Fa2/0/14, Fa2/0/15, Fa2/0/16
Fa2/0/48
4 VLAN0004 active Fa1/0/17, Fa1/0/18, Fa2/0/17, Fa2/0/18
6 VLAN0006 active
7 VLAN0007 active Fa1/0/23, Fa1/0/24, Fa1/0/25, Fa1/0/26, Fa2/0/23, Fa2/0/24, Fa2/0/25, Fa2/0/26
8 VLAN0008 active
9 VLAN0009 active Fa1/0/31, Fa1/0/32, Fa2/0/29, Fa2/0/30, Fa2/0/31, Fa2/0/32
10 VLAN0010 active
100 VLAN0100 active
200 VLAN0200 active
300 VLAN0300 active Fa1/0/46, Fa2/0/46
02-20-2009 11:50 PM
I think you'll resolve your issue by enabling the encapsulation type when creating the destination port for the SPAN:
"monitor session x dest int xyz encapsulation 'dot1q/isl'"
I am pretty sure this passes the VLAN tagging to the port.
Let us know if it works.
Cheers,
Mario
02-21-2009 01:57 PM
No change, Observer just sees VLAN 1.
Does int 1/0/48 (span destination port) need to have any trunk settings?
I can only think my NIC on the server is rubbish, it's a Broadcom 5708 NIC on a Dell 2950 server.
This is what I have:
interface FastEthernet1/0/1
description Trunk to Firewall
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 3,4,6,7,9,10,300
switchport mode trunk
interface FastEthernet1/0/3
description Link to Inside Firewall
switchport access vlan 2
interface FastEthernet1/0/9
description Outside Firewall
switchport access vlan 3
interface FastEthernet1/0/48
switchport trunk encapsulation dot1q
switchport mode trunk
monitor session 2 source interface Fa1/0/3 , Fa1/0/9
monitor session 2 destination interface Fa1/0/48 encapsulation dot1q
02-22-2009 11:10 AM
Whiteford,
Interesting you say you are using Observer to monitor as I've just started a trial last week on their latest version...
Couple questions:
1) I am sure I read something in Observer's release notes or online tech info about the VLAN info missing. Have a look at their website's FAQ? I'll try and find the link again.
2) Do you need to use the Broadcom card? Can you test this with a different NIC on/off the server (maybe make the destination another port)?
3) In the configuration for Fa1/0/48, why don't you just change it to a standard switchport rather than have the trunking and encapsulation in place?
Mario
02-22-2009 11:21 AM
Hi,
1.) Yeah, I've been through it with them; looks like it is a Broadcom issue. However, today Broadcom are saying it's a simple registry change to stop the VLAN tags being removed on the dot1q header, just waiting for their example to come back again as the first made no sense at all :)
2.) If all fails I will buy the recommended Intel cards.
3.) Tried that too :(
Observer 13 is fantastic, I can monitor anything, nothing gets past it (well, apart from VLAN info on mine) :)
02-23-2009 05:50 AM
Hi,
I might be wrong, but as your source interfaces are access ones, the SPAN session will probably NOT add the 802.1q header to the monitored frames.
The configuration guide is showing the "encapsulation replicate" keyword, but it will also not help here, I'm afraid.
BR,
Milan
02-23-2009 06:04 AM
Hi,
Yeah I'm already using the "encapsulation replicate" on the monitored destination port and still no VLAN tag info.
I'm starting to think it's the Broadcom NIC on the server, then again I have tried an Intel card too.
02-23-2009 06:08 AM
Well, then I might be right and the SPAN session does not add the 802.1q header to the frames which were captured on an access port.
If you try to use a trunk as a SPAN session source port, you would prove/disprove this idea.
BR,
Milan
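The point Milan raises in the two posts above (a SPAN copy of an access port arrives without an 802.1Q header, so the only way to see tags is to span a trunk, and even then the capture NIC's driver may strip them) can be checked directly on the capture host instead of relying on what the analyser displays. The following script is an added example, not from this thread and not Cisco or Observer code: it parses raw Ethernet frames, reports how many arrived untagged versus per VLAN ID, and can read a classic pcap file written on the SPAN-destination NIC with tcpdump or Wireshark. The sample frames at the bottom are constructed inline; VLAN IDs 2 and 3 are the ones from the thread and 300 is just a sample value.

```python
"""Check whether captured Ethernet frames still carry their 802.1Q VLAN tags.

Added example (not from the thread). If every frame from a trunk source shows
up as "untagged" here, the tag was removed before the capture (switch-side, or
by the NIC driver), not by the analyser.
"""
import struct
from collections import Counter

TPID_8021Q = 0x8100   # standard 802.1Q tag
TPID_8021AD = 0x88A8  # 802.1ad (QinQ) outer tag
# magic number as read little-endian -> byte order of the rest of the file
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}


def parse_frame(frame: bytes) -> dict:
    """Return MACs, the list of VLAN tags (outermost first) and the payload EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break  # real EtherType reached, no more tags
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload_offset": offset + 2}


def build_frame(vids=(), ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Constructed sample frame; with two VIDs the outer tag uses the 802.1ad TPID (QinQ)."""
    header = bytes.fromhex("0011223344550066778899aa")  # dummy dst/src MACs
    tags = b""
    for i, vid in enumerate(vids):
        tpid = TPID_8021AD if (len(vids) > 1 and i == 0) else TPID_8021Q
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)  # PCP 0, DEI 0
    return header + tags + struct.pack("!H", ethertype) + payload


def vlan_summary(frames) -> Counter:
    """Count frames by outermost VLAN ID; frames with no tag are keyed 'untagged'."""
    counts = Counter()
    for frame in frames:
        tags = parse_frame(frame)["tags"]
        counts[tags[0]["vid"] if tags else "untagged"] += 1
    return counts


def frames_from_pcap_bytes(data: bytes) -> list:
    """Extract the frames from a classic (non-pcapng) Ethernet pcap held in memory."""
    if len(data) < 24:
        raise ValueError("pcap global header missing")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    order = PCAP_MAGICS[magic]
    if struct.unpack_from(order + "I", data, 20)[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) is supported")
    frames, offset = [], 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, offset)
        offset += 16
        frames.append(data[offset:offset + incl_len])
        offset += incl_len
    return frames


def pcap_bytes(frames) -> bytes:
    """Serialise frames as a little-endian classic pcap (used for the self-test)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap_file(path: str) -> list:
    with open(path, "rb") as fh:
        return frames_from_pcap_bytes(fh.read())


# Constructed sample: one frame each from VLAN 2 and VLAN 3, one untagged, one QinQ.
SAMPLE_FRAMES = [build_frame((2,)), build_frame((3,)), build_frame(), build_frame((300, 2))]

if __name__ == "__main__":
    import sys
    frames = read_pcap_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FRAMES
    for key, count in sorted(vlan_summary(frames).items(), key=str):
        print(f"{key}: {count}")
```

Run it with the path of a capture taken on the SPAN-destination NIC (e.g. one written by `tcpdump -w`) or with no argument to see the constructed sample. A capture of a trunk source that comes back all "untagged" points at the capture path rather than the analyser, which is the same conclusion the registry fix in this thread reached for the Broadcom driver.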
02-23-2009 06:13 AM
I've just added Fa1/0/1, which is the trunk to the ASA firewall, and all I see is VLAN 1 now and everything else is in the novlan group in Observer.
I should see many more VLANs.
02-23-2009 03:29 PM
Hi,
I managed to get a Broadcom reg fix that means my NIC doesn't remove the VLAN tags now. If I span a trunk port I see all the VLANs now; however, if I span the 2 ports in question I do get the VLAN info.
This is what I have:
interface FastEthernet1/0/3
switchport access vlan 2
interface FastEthernet1/0/9
switchport access vlan 3
monitor session 2 source interface Fa1/0/3 , Fa1/0/9
monitor session 2 destination interface Fa1/0/48 encapsulation replicate
Do I need to add anything else to the 2 interfaces?
02-21-2009 02:43 PM
Also I get this message when adding:
monitor session 2 destination interface Fa1/0/48 encapsulation dot1q
% Warning: One or more specified dest port does not support requested encapsulation.