Rspan vlan missing traffic
Hi,
I want to capture all traffic in a certain vlan (74) from two switches. I use a remote vlan to accomplish this.
The problem is that I see on the wireshark trace traffic which is traveling from one switch to the other but I don’t see traffic which remains within one switch.
So:
switch 1: server 1&2
switch 2: server 3&4
all interfaces in the same vlan (74)
remote vlan = vlan 745
connection switch 1 -> switch 2 = trunk (vlan 74 & 745)
action - on wireshark trace
ping server 1 <-> server 2 - no
ping server 1 <-> server 3 - yes
ping server 3 <-> server 4 - no
I found some examples for the configuration and these are more or less the same as mine; so why is this not working as expected?
My config:
Switch 1 (3560)
monitor session 1 source vlan 74 rx
monitor session 1 destination remote vlan 745
switch 2 (4948)
monitor session 1 source vlan 74 rx
monitor session 1 destination remote vlan 745
monitor session 2 destination interface Gi1/17
monitor session 2 source remote vlan 745
Wireshark pc on port 17
Thanks for any help
Hans
Hi Hans
May I suggest this config for you to try:
switch 1
monitor session 1 source vlan 74 rx
monitor session 1 destination remote vlan 745
switch 2
monitor session 1 source remote vlan 745
monitor session 1 destination interface Gi1/17
monitor session 2 source vlan 74 rx
monitor session 2 destination interface Gi1/17
Cheers
Stephen.
Similar Messages
-
Multiple RSPAN Vlan on cat 6500
Hi,
Can we create multiple RSPAN VLANs on one switch and span across the same VTP domain?
I am using a Cat 6500 switch.
Is it possible to have multiple RSPAN sessions simultaneously?
Require valuable inputs for the same.
Hi
24 max RSPAN sessions -
Hi ,
Can someone please explain to me why a trunk link between two Cisco switches does not allow VLAN x traffic if VLAN x is not locally configured?
In my lab I have three switches (2950, but it is the same with 2960, 3750, etc.).
Switch 1 is connected by trunk to switch 2 and switch 2 is connected by trunk to switch 3.
Switch 1 and switch 3 have VLAN 10 and interface VLAN 10 configured, whereas switch 2 does not have VLAN 10 configured.
VTP is disabled (transparent mode) on all switches.
Switch 2 does not permit switch 1 to ping switch 3 until I configure VLAN 10.
2950#sh int fa 0/9 status
Port Name Status Vlan Duplex Speed Type
Fa0/9 connected trunk a-full a-100 10/100BaseTX
2950#sh int fa 0/9 trun
Port Mode Encapsulation Status Native vlan
Fa0/9 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/9 1-4094
Port Vlans allowed and active in management domain
Fa0/9 1-2,11,101
Port Vlans in spanning tree forwarding state and not pruned
Fa0/9 1-2,11,101
2950#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 128
Number of existing VLANs : 8
VTP Operating Mode : Transparent
VTP Domain Name : daniele
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x63 0x6C 0xF9 0xF6 0xB9 0xDC 0xBE 0xF3
Configuration last modified by 192.168.0.103 at 0-0-00 00:00:00
2950#
It seems that VLAN 10 is pruned but I don't understand why (VTP is disabled).
Thanks a lot for your help
Daniele
Hi lnrdnl78d,
So I will give this a go; not quite sure how an uploaded image looks.
I have mocked up what I have understood from your explanation, so feel free to correct me if I have got this wrong :)
However, assuming in this situation that VTP is enabled (which I know you have disabled in yours, but hoping this helps):
In this situation client 1 sends a broadcast to client 2.
With VTP pruning enabled, switch 2 will learn that switch 4 has no ports connected to VLAN 2,
so the trunk link to switch 4 will have VLAN 2 pruned from the trunk link,
but 2 and 3 will receive the broadcast and switch 3 will be the only one to forward it out the connected port.
From my understanding this is what you have configured in your lab apart from switch 4, but I added it to fit the example.
Does this help demonstrate it at all or am I way off? -
Hi all.
We have offices for rent and each has a dedicated VLAN for our office staff and separate VLANs for each client that will be renting in our office.
Each office has a small topology, usually a star, and one of the edge switches has a mirrored port and the source port will be the core's uplink to the FW. So is it alright to put the RSPAN VLAN on the same VLAN as the office staff VLAN? Or should I have a dedicated VLAN for RSPAN?
The reason I'm asking is because, if I propose to create a separate VLAN, then we'll need to create it on the switches and firewalls in all offices, additional firewall rules, etc.
Please advise. Thanks!
Hi
It would be a very bad idea to use a normal VLAN as an RSPAN VLAN. You should create a new VLAN dedicated for this purpose.
Please see this list of differences in the behavior of the VLAN types:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swspan.html#wp1200730
Regards
Aaron -
Only system vlans forward traffic on 1000v
I am trying to migrate to a Nexus 1000v vDS but only VMs in the system VLAN can forward traffic. I do not want to make my voice VLAN a system VLAN but that is the only way I can get a VM in that VLAN to work properly. I have a host with its vmk in the L3Control port group. From the VSM, a show module shows the VEM 3 with an "ok" status. I currently only have 1 NIC under the vDS control. My VMs using the VM_Network port group work fine and can forward traffic normally. When I put a VM in the Voice_Network port group I lose communication with it. If I add vlan 5 as a system vlan to my Uplink port profile then the VMs in the Voice_Network work properly. I thought you shouldn't create system vlans for each vlan and only use it for critical management functions, so I would rather not make it a system vlan. Below is my n1k config. The upstream switch is a 2960X with the "switchport mode trunk" command. Am I missing something that is not allowing VLAN 5 to communicate over the Uplink port profile?
port-profile type ethernet Unused_Or_Quarantine_Uplink
vmware port-group
shutdown
description Port-group created for Nexus1000V internal usage. Do not use.
state enabled
port-profile type vethernet Unused_Or_Quarantine_Veth
vmware port-group
shutdown
description Port-group created for Nexus1000V internal usage. Do not use.
state enabled
port-profile type vethernet VM_Network
vmware port-group
switchport mode access
switchport access vlan 1
no shutdown
system vlan 1
max-ports 256
description VLAN 1
state enabled
port-profile type vethernet L3-control-vlan1
capability l3control
vmware port-group L3Control
switchport mode access
switchport access vlan 1
no shutdown
system vlan 1
state enabled
port-profile type ethernet iSCSI-50
vmware port-group "iSCSI Uplink"
switchport mode trunk
switchport trunk allowed vlan 50
switchport trunk native vlan 50
mtu 9000
channel-group auto mode active
no shutdown
system vlan 50
state enabled
port-profile type vethernet iSCSI-A
vmware port-group
switchport access vlan 50
switchport mode access
capability iscsi-multipath
no shutdown
system vlan 50
state enabled
port-profile type vethernet iSCSI-B
vmware port-group
switchport access vlan 50
switchport mode access
capability iscsi-multipath
no shutdown
system vlan 50
state enabled
port-profile type ethernet Uplink
vmware port-group
switchport mode trunk
switchport trunk allowed vlan 1,5
no shutdown
system vlan 1
state enabled
port-profile type vethernet Voice_Network
vmware port-group
switchport mode access
switchport access vlan 5
no shutdown
max-ports 256
description VLAN 5
state enabled
Below is the output you requested. Thank you.
~ # vemcmd show card
Card UUID type 2: 4c4c4544-004c-5110-804a-b9c04f564831
Card name: synergvm5
Switch name: synergVSM
Switch alias: DvsPortset-0
Switch uuid: 7d e9 0d 50 b3 3b 25 47-64 14 61 c0 3f c0 7b d9
Card domain: 4094
Card slot: 3
VEM Tunnel Mode: L3 Mode
L3 Ctrl Index: 49
L3 Ctrl VLAN: 1
VEM Control (AIPC) MAC: 00:02:3d:1f:fe:02
VEM Packet (Inband) MAC: 00:02:3d:2f:fe:02
VEM Control Agent (DPA) MAC: 00:02:3d:4f:fe:02
VEM SPAN MAC: 00:02:3d:3f:fe:02
Primary VSM MAC : 00:50:56:aa:70:b9
Primary VSM PKT MAC : 00:50:56:aa:70:bb
Primary VSM MGMT MAC : 00:50:56:aa:70:ba
Standby VSM CTRL MAC : 00:50:56:aa:70:b6
Management IPv4 address: 172.30.2.64
Management IPv6 address: 0000:0000:0000:0000:0000:0000:0000:0000
Primary L3 Control IPv4 address: 172.30.100.1
Secondary VSM MAC : 00:00:00:00:00:00
Secondary L3 Control IPv4 address: 0.0.0.0
Upgrade : Default
Max physical ports: 32
Max virtual ports: 216
Card control VLAN: 1
Card packet VLAN: 1
Control type multicast: No
Card Headless Mode : No
Processors: 16
Processor Cores: 8
Processor Sockets: 2
Kernel Memory: 62904468
Port link-up delay: 5s
Global UUFB: DISABLED
Heartbeat Set: True
PC LB Algo: source-mac
Datapath portset event in progress : no
Licensed: Yes
~ # vemcmd show port
LTL VSM Port Admin Link State PC-LTL SGID Vem Port Type
24 Eth3/8 UP UP FWD 0 vmnic7
49 Veth1 UP UP FWD 0 vmk1
50 Veth2 UP UP FWD 0 XP-Voice.eth0
51 Veth3 UP UP FWD 0 synergPresence.eth0
~ # vemcmd show port vlans
Native VLAN Allowed
LTL VSM Port Mode VLAN State* Vlans
24 Eth3/8 T 1 FWD 1
49 Veth1 A 1 FWD 1
50 Veth2 A 1 FWD 1
51 Veth3 A 5 FWD 5
* VLAN State: VLAN State represents the state of allowed vlans.
~ # vemcmd show bd
Number of valid BDS: 10
BD 1, vdc 1, vlan 1, swbd 1, 5 ports, ""
Portlist:
BD 2, vdc 1, vlan 3972, swbd 3972, 0 ports, ""
Portlist:
BD 3, vdc 1, vlan 3970, swbd 3970, 0 ports, ""
Portlist:
BD 4, vdc 1, vlan 3969, swbd 3969, 2 ports, ""
Portlist:
8
9
BD 5, vdc 1, vlan 3968, swbd 3968, 3 ports, ""
Portlist:
1 inban
5 inband port securit
11
BD 6, vdc 1, vlan 3971, swbd 3971, 2 ports, ""
Portlist:
14
15
BD 7, vdc 1, vlan 5, swbd 5, 1 ports, ""
Portlist:
51 synergPresence.eth0
BD 8, vdc 1, vlan 50, swbd 50, 0 ports, ""
Portlist:
BD 9, vdc 1, vlan 77, swbd 77, 0 ports, ""
Portlist:
BD 10, vdc 1, vlan 199, swbd 199, 0 ports, ""
Portlist:
~ # -
IDSM missing traffic on trunk interface
Hi
I have a scenario where an IDSM with IPS 6 is triggering on traffic from a non-trunk interface but not when the same traffic passes over another VLAN on a trunk.
Monitor setup is like this
monitor session 10 source interface Gi1/2
monitor session 10 source interface Gi7/1
monitor session 10 filter vlan 22 - 23 , 208
monitor session 10 destination intrusion-detection-module 5 data-port 1
where 1/2 is the non-trunk interface and 7/1 is the trunk. Traffic from VLAN 23 is firewalled/NATed and sent out on VLAN 208 towards our edge network.
The exact case is that when I browse an external web site with SQL code in the HTML I get an SQL Injection alert from VLAN 208 only. I never get the alert for the same traffic passing behind the firewall over the trunk. When I set a sniffer as source for the SPAN session I see the HTTP request with the SQL code passing through the trunk interface as well as VLAN 208.
Am I missing something here? Shouldn't an IPS report ALL occurrences of bad traffic?
Regards
Fredrik Hofgren
What has to be upgraded, the Catalyst IOS or the software on the IDSM? Our Catalyst has IOS 12.2(18)SXF5 and the IDSM the latest version 6.0(3)E1.
It seems odd that it would be a problem with missing VLAN tags. When I set the IDSM to manually capture traffic from an IP in the inside VLAN passing over the trunk the VLAN tag is present when I view the packets in Ethereal.
/Fredrik -
Encrypting vlan-trunk traffic between switches
Hi,
Can anyone guide me to some papers or other resources on how to encrypt traffic between 2 switches? The switches will be connected with fiber and use dot-1q tagging. And I want to encrypt all of the trunked traffic.
I was thinking of L2TP, but I haven't found any good description on how to implement this. I have two 3750 switches I thought I might use.
Thanks for any input,
Regards,
Oyvind Mathiesen
mnemonic
Norway
Hi,
Thanks for the response. I had a look at MACsec and it looks good. I would have liked to employ something P2P though, to also limit the amount of MAC addresses broadcast on the "wire". But let me first give you an understanding of the task:
We have two sites, connected via fibre, and we want to create a VLAN trunk across in order to expand the broadcast domains to the other site.
The IDIOT carrier has a limitation on the number of MAC addresses they allow on the fibre service, 100.
We also need to encrypt the data traversing this connectivity.
MACsec would work 100% except the source and destination MAC addresses are still sent (at least according to https://docs.google.com/viewer?a=v&q=cache:LEf2qOmYZyYJ:www.ieee802.org/1/files/public/docs2011/bn-hutchison-macsec-sample-packets-0511.pdf+&hl=en&gl=za&pid=bl&srcid=ADGEESgmAHXpDOY0RBAE-Rv1HDpu_C_gkeSPN4cv6NGgyP0M1aXVu0UqzCfxo8t_P41ep6J37k4OLKnjfp1M9hoTDHxY22WGz2h7yB7YRLyPvRUbGS8TICzvEMlG92xqbhy6RWFugmnj&sig=AHIEtbTfu0LQIJejdYidE6yzq4lpPifxjQ
And that would cause me to eat into the 100 MAC limit.
Ridiculous I know, but we are looking for an out-of-the-norm plan...
Thanks -
Hi, I have:
Cisco 2800 with HWIC 4ESW module (4 port FE switch), IOS 13.3(8)T8, Feature Set IP. 10 VLANs are defined, 2 assigned directly to 2 4ESW ports, 2 ports are trunks.
How do I configure traffic shaping on VLANs? I need to shape 10 Mbit/s from one Giga port to 10x 1 Mbit/s for every VLAN.
When I use this configuration, the Giga interface is shaping, but the VLAN is running without shaping.
Is it possible?
Thank you.
Libor
access-list 111 permit ip any any
class-map match-all class11
match access-group 111
policy-map policy11
class class11
shape average 1000000
interface GigabitEthernet0/0
ip address 192.168.0.222 255.255.255.0
ip nbar protocol-discovery
service-policy output policy11
duplex auto
speed auto
interface FastEthernet0/0/0
switchport access vlan 11
no ip address
interface Vlan11
ip address 10.11.12.1 255.255.255.248
ip nbar protocol-discovery
service-policy output policy11
Hi, put the service-policy command under FE0/0/0 directly. Since there is only 1 VLAN defined there, you should obtain the expected result.
HTH -
Vlan passing traffic between switches
I have a client that has two WAP321s, two Catalyst 2960s, one SG500X-48, and a Watchguard Router/Firewall (Model is not important).
I am trying to get the guest wireless network setup to pass traffic on VLAN2 to the router across the network. All regular traffic is on VLAN1. (yes I know it really should be on a different VLAN)
Background: I had originally had everything working till one of the unmanaged switches died. I move one of the Catalyst 2960s to replace the dead switch and then replaced the Catalyst 2960 with a SG500X-48.
Network layout: One WAP321 is connected to one of the Catalyst 2960s, which is connected to the Firewall/Router. (All traffic is passed as expected on both VLANS)
The second WAP321 is connected to the second Catalyst 2960, which connects to the SG500X-48, which connects to the first Catalyst 2960, and then to the Firewall/Router. The Default VLAN 1 works fine. VLAN2 does not.
What I have tried to do is set the ports on the second Catalyst 2960 which are connected to the WAP321 and the SG500X-48 to trunk. I also set the port on the first Catalyst 2960 that connects to the SG500X-48 to trunk. (Although it was not set and passing traffic before moving switches around.) When I do this all traffic between the first Catalyst 2960 and the SG500X-48 stops. The Catalyst 2960 reports a port error and then shuts down the port. The only way to recover is to clear the port setting and then reboot the switch.
Does anyone have any ideas as to what is happening and what I am doing wrong?
Aniketalashe,
I was able to get the port on the Catalyst 2960 set to trunk finally, not sure what did the trick, although that does not seem to be my problem.
Back to your question of the error report. I am unable to figure out how to get the log out of the 2960. I saw the error in the webGUI, when I moused over the port in question when the problem was happening.
I am starting to think that maybe the switch is starting to go. -
RSPAN does not put IPv6 multicast traffic into port
Hi.
There are two switches in the equation:
WS-C2960-24TT-L 12.2(55)SE5 C2960-LANBASEK9-M
and stack of
Switch Ports Model SW Version SW Image
1 12 WS-C3750G-12S 12.2(55)SE8 C3750-IPSERVICESK9-M
2 12 WS-C3750G-12S 12.2(55)SE8 C3750-IPSERVICESK9-M
* 3 24 WS-C3750G-24T 12.2(55)SE8 C3750-IPSERVICESK9-M
3 is the master
There is a VTP domain with pruning off and RSPAN VLAN 1001
core#sho vlan remote-span
Remote SPAN VLANs
1001
There is an RSPAN session on the first:
#sho monitor session 1
Session 1
Type : Remote Source Session
Source Ports :
Both : Fa0/11
Dest RSPAN VLAN : 1001
Port Fa0/11 is in access mode, VLAN 303
and on the second:
core#sho monitor session 1
Session 1
Type : Remote Destination Session
Source RSPAN VLAN : 1001
Destination Ports : Gi3/0/2
Encapsulation : Native
Ingress : Disabled
The problem is that I can't see any IPv6 multicast traffic (like ICMPv6 RA or such) on Gi3/0/2, which is definitely there, because if I remove the monitoring session on the core switch and put Gi3/0/2 into trunk mode, I can see the packets I need in VLAN 1001:
# tcpdump -s0 -nnvei eth1 vlan 1001 and ip6
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
14:17:37.059045 50:57:a8:f0:72:1b > 33:33:ff:00:00:01, ethertype 802.1Q (0x8100), length 90: vlan 1001, p 0, ethertype IPv6, (class 0xe0, hlim 255, next-header ICMPv6 (58) payload length: 32) 2abc:abc:1:600b::2 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2abc:abc:1:600b::1
source link-address option (1), length 8 (1): 50:57:a8:f0:72:1b
14:17:38.083266 50:57:a8:f0:72:1b > 33:33:ff:00:00:01, ethertype 802.1Q (0x8100), length 90: vlan 1001, p 0, ethertype IPv6, (class 0xe0, hlim 255, next-header ICMPv6 (58) payload length: 32) 2abc:abc:1:600b::2 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2abc:abc:1:600b::1
source link-address option (1), length 8 (1): 50:57:a8:f0:72:1b
14:17:39.107068 50:57:a8:f0:72:1b > 33:33:ff:00:00:01, ethertype 802.1Q (0x8100), length 90: vlan 1001, p 0, ethertype IPv6, (class 0xe0, hlim 255, next-header ICMPv6 (58) payload length: 32) 2abc:abc:1:600b::2 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2abc:abc:1:600b::1
source link-address option (1), length 8 (1): 50:57:a8:f0:72:1b
There is no such problem with usual unicast and broadcast traffic.
Any suggestions?
Interestingly, I've found bug CSCsr64007 which I stumbled upon on one of my switches during troubleshooting. The effect of this bug was that RSPAN took IPv6 multicast packets from unrelated VLANs and forwarded them into the monitor port.
Looks like they have "fixed" it by filtering IPv6 multicast completely. -
Only some of the traffic passing through inline vlan pair
Here is my network setup
firewall<---- >(g1/2)Coreswitch 6500 with IDSM(TG9/1)<-----> (TG9/1) Distrib switch with FWSM---------Accessswitch
configuration in core switch
interface GigabitEthernet1/2.11
description **** ****
encapsulation dot1Q 211
ip vrf forwarding VRF11
ip address 10.2.11.73 255.255.255.248
ip ospf network point-to-point
standby 1 ip 10.2.11.75
standby 1 priority 110
standby 1 preempt
interface GigabitEthernet1/2.37
description **** ****
encapsulation dot1Q 237
ip vrf forwarding VRF37
ip address 10.2.37.73 255.255.255.248
ip ospf network point-to-point
standby 1 ip 10.2.37.75
standby 1 priority 110
standby 1 preempt
interface TenGigabitEthernet9/1.11
description **** ****
encapsulation dot1Q 311
ip vrf forwarding VRF11
ip address 10.2.11.2 255.255.255.252
ip ospf network point-to-point
interface TenGigabitEthernet9/1.12
description **** ****
encapsulation dot1Q 312
ip vrf forwarding VRF12
ip address 10.2.12.2 255.255.255.252
ip ospf network point-to-point
configuration in Distribution switch:
interface TenGigabitEthernet9/1.11
description **** ****
encapsulation dot1Q 311
ip vrf forwarding VRF11
ip address 10.2.11.1 255.255.255.252
no ip route-cache
ip ospf network point-to-point
interface TenGigabitEthernet9/1.37
description ********
encapsulation dot1Q 337
ip vrf forwarding VRF37
ip address 10.2.37.1 255.255.255.252
no ip route-cache
ip ospf network point-to-point
I have segregated the network like this. I am using an inline VLAN pair to pass all the traffic through the IDSM module;
I am using the monitoring port gi0/8.
config in core switch
intrusion-detection module 8 data-port 2 trunk allowed-vlan 211-260,311-360
IDSM
physical-interfaces GigabitEthernet0/8
subinterface-type inline-vlan-pair
subinterface 11
description
vlan1 211
vlan2 311
exit
subinterface 37
description
vlan1 237
vlan2 337
exit
The problem I am facing is that some of the VLAN-pair traffic passes through the IDSM and some does not; here are the statistics:
MAC statistics from interface GigabitEthernet0/8
Statistics From Subinterface 11
Statistics From Vlan 211
Total Packets Received On This Vlan = 0
Total Bytes Received On This Vlan = 0
Total Packets Transmitted On This Vlan = 0
Total Bytes Transmitted On This Vlan = 0
Statistics From Vlan 311
Total Packets Received On This Vlan = 0
Total Bytes Received On This Vlan = 0
Total Packets Transmitted On This Vlan = 0
Total Bytes Transmitted On This Vlan = 0
Statistics From Subinterface 37
Statistics From Vlan 237
Total Packets Received On This Vlan = 3189658726
Total Bytes Received On This Vlan = 64165872092928
Total Packets Transmitted On This Vlan = 3549575166
Total Bytes Transmitted On This Vlan = 64165872092928
Statistics From Vlan 337
Total Packets Received On This Vlan = 3549575166
Total Bytes Received On This Vlan = 64165872092928
Total Packets Transmitted On This Vlan = 3189658726
Total Bytes Transmitted On This Vlan = 64165872092928
Statistics From Subinterface 38
Statistics From Vlan 238
Total Packets Received On This Vlan = 2215151150
Total Bytes Received On This Vlan = 64165872092928
Total Packets Transmitted On This Vlan = 126546964
Total Bytes Transmitted On This Vlan = 64165866995200
Statistics From Vlan 338
Total Packets Received On This Vlan = 126546964
Total Bytes Received On This Vlan = 64165866995200
Total Packets Transmitted On This Vlan = 2215151150
Total Bytes Transmitted On This Vlan = 64165872092928
Give me ideas, experts, so that I can resolve this issue.
Help me, thanks in advance.
I believe the issue is because of the config below:
interface GigabitEthernet1/2.11
description **** ****
encapsulation dot1Q 211
ip vrf forwarding VRF11
ip address 10.2.11.73 255.255.255.248
ip ospf network point-to-point
standby 1 ip 10.2.11.75
standby 1 priority 110
standby 1 preempt
encapsulation dot1Q 311
ip vrf forwarding VRF11
ip address 10.2.11.2 255.255.255.252
ip ospf network point-to-point
interface TenGigabitEthernet9/1.12
description **** ****
encapsulation dot1Q 312
ip vrf forwarding VRF12
ip address 10.2.12.2 255.255.255.252
ip ospf network point-to-point
As you can see we have 2 ip subnets in the VRF 11 .73 & .2 in vlan 211 & 311 respectively.
The switch is doing intervlan routing directly without having to go through the IDSM for VRF 11.
What we need to remember is IDSM does not do routing, and it can only bridge vlans.
Hence we have to force the packet to go through the IDSM.
Here is what we do when we use the IDSM to see traffic going between VLANs:
Normally, with vlans, and IDSM inline mode, we have one IP subnet and 2 Vlans.
IDSM2 in inline mode necessitates an additional artificial Vlan on the SAME subnet as the Vlan you wish to sense.
A layer 3 switch interface needs to be configured within this additional artificial Vlan.
In a nutshell, we need to create 2 Vlans that share one same ip subnet and put SVI on only one of the Vlans.
In your case you will need one ip between vlans 211 & 311 in VRF 11 to force the data to go through the IDSM.
I can understand if this is a bit tricky to understand.
Please go through my design document for IDSM inline mode, which explains the basic concepts and packet walk in detail.
It will explain why we need the above and how arp makes the mac-address table populate correct entries, (with one ip subnet for 2 vlans) so that traffic goes through the IDSM.
https://supportforums.cisco.com/docs/DOC-12206
- Sid -
Hi,
I'm trying to configure a RSPAN with multiple source ports on multiple switches and 1 destination port.
On the first switch I have :
Session 1
Type : Remote Source Session
Source Ports :
Both : Po2
Dest RSPAN VLAN : 400
On the second switch I have :
Session 1
Type : Remote Source Session
Source Ports :
Both : Po2
Dest RSPAN VLAN : 400
Session 2
Type : Remote Destination Session
Source RSPAN VLAN : 400
Destination Ports : Gi0/7
Encapsulation : Native
Ingress : Disabled
I don't get any error message, but the counters of interface gi0/7 all remain at 0.
I guess the source & destination RSPAN on the same switch are not supported.
I'm looking for a workaround.
Any idea?
Thanks
Stéph.
Hi Stephane,
The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches. This Vlan is trunked to a remote switch which uses the vlan as the source and a local physical interface as the final destination interface connecting the sniffer.
Keeping this in mind, it is impossible for RSPAN to have source and destination on the same switch. Also, any interface can be the destination for at most one SPAN session. Hence in your case, it's impossible to configure a common destination for the local SPAN and the RSPAN. There have to be at least two different interfaces acting as the destination for these SPAN sessions.
Cheers,
Shashank
Please rate if you found the content useful -
[rspan in 'hub+spoke' topology]
Hi,
I have the topology depicted in the attached drawing.
What we want to achieve is to enable rspan to replicate monitored traffic from access switches (3550 spokes) to a core switch (6500 hub).
The configuration in general is working and looks like this:
HUB:
monitor session 1 destination interface Gix/y
monitor session 1 source remote vlan z
SPOKES:
monitor session 1 source interface Gix/y
monitor session 1 destination remote vlan z
As stated previously the environment is working, but we're having one problem. The uplinks from the spokes to the hub are almost full. After doing some troubleshooting, we found that SPAN traffic is being replicated by the hub to the spokes. The reason I say this is that when I remove the RSPAN VLAN (on the core switch) from the uplink to the hubs, the output traffic from core to access (or input on the access switches) goes down by the same amount being received by the network analyzer. When I add the VLAN on the uplink trunk again, the traffic going out of the core to the access switches goes up by the same amount being sent to the network analyzer.
Like I said, the RSPAN part seems to be working fine, but the uplinks to the access switches are getting full because the hub switch is copying the SPAN traffic to all uplinks, which is not what we want.
Two questions here:
1.- Is this the way rspan is supposed to work in this environment?
2.- if not, is there a way to turn off this behavior or does it sound like a bug to you?
Thanks in advance!
c.
Hello,
in Hub and Spoke - as in any other L3VPN - traffic will flow in the opposite direction of IP routing updates. In a Hub and Spoke setup the spoke sites should get routing updates from the hub site. Thus one faces a split horizon problem: updates learned at the hub CE from a neighbor (PE) will not be sent back over the same interface to that neighbor. Hence the simple solution is: one VRF and interface to announce spoke routes from the PE to the hub CE and another interface terminating in a second VRF to announce the routes from the hub CE back into the MPLS VPN environment.
Just as a side note: this results in an unusual load pattern on the two hub CE interfaces. Both interfaces will have nearly only load in one direction.
Hope this helps! Please rate all posts.
Regards, Martin -
Guys, RSPAN seems to be a pretty common topic here and I was wondering if someone can help me. I have pored over the documents and forums, but I cannot see why my setup won't work.
Basic overview time, 2 Cat 4507Rs (swc3b and swc230) connected via isl trunk. All vlans allowed on trunk.
RSPAN vlan 109 has been setup on vtp server and propagated to all switches.
Config as follows:
SWC230:
monitor session 1 source interface Fa4/47 [PC I want to sniff is in f4/47]
monitor session 1 destination remote vlan 109
SWC3B:
monitor session 1 source vlan 109
monitor session 1 destination interface Gi7/18
[sniffer is connected in g7/18]
IOS on both switches is Version 12.2(20)EW.
I have tried a few permutations with the configuration: putting swc3b g7/18 into remote vlan 109, taking it out again; putting a port on SWC230 into vlan 109 (switchport access vlan 109), in the hope that this would function as a 'reflector port'.
Nothing works. I have noticed that vlan 109 is pruned on the trunk between swc230 > swc3b. That was kind of why I tried putting a port on swc230 into vlan 109.
Any advice gratefully received.
Amit, thanks for the response, but I've cracked it. All that was missing was 'remote' from the source command on swc3b, i.e.
monitor session 1 source REMOTE vlan 109
Once this was done, it worked like a charm. -
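A small lint for the "monitor session" lines posted in these threads, added here as an example; it is not code from any of the posters or from Cisco. It encodes the rules the posters state (an interface is the destination of at most one session, a switch is not both RSPAN source and RSPAN destination for the same RSPAN VLAN, and an RSPAN VLAN used as a source needs the remote keyword), takes those rules as given rather than verified per platform, and runs them over Hans's switch 2, Stephen's suggested switch 2, and swc3b before and after the missing "remote" was added; the switch labels are made up.

```python
"""Lint IOS 'monitor session' lines for the RSPAN pitfalls raised in these threads.

Rules, as stated by the posters (taken as given here, not verified per platform):
  1. an interface may be the destination of at most one SPAN session;
  2. a switch is not RSPAN source and RSPAN destination for the same RSPAN VLAN;
  3. an RSPAN VLAN used as a source is 'source remote vlan', not 'source vlan';
  4. every session needs at least one source and exactly one destination.
"""
import re
from collections import defaultdict

SESSION_RE = re.compile(r"^monitor session (\d+) (source|destination) (.+)$")


def parse_sessions(config_text):
    """Return {session_id: {"sources": [...], "destinations": [...]}}.

    Each entry has 'kind' ('interface', 'vlan' or 'remote-vlan'), 'value' and,
    for sources, 'direction' (rx/tx/both; IOS defaults to both when omitted).
    """
    sessions = defaultdict(lambda: {"sources": [], "destinations": []})
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if not m:
            continue  # not a source/destination line (e.g. 'filter'); ignore
        sid, role, rest = int(m.group(1)), m.group(2), m.group(3).split()
        if rest[:2] == ["remote", "vlan"]:
            entry = {"kind": "remote-vlan", "value": rest[2]}
        elif rest[0] in ("interface", "vlan"):
            entry = {"kind": rest[0], "value": rest[1]}
        else:
            raise ValueError("unrecognised monitor session line: " + line)
        if role == "source":
            entry["direction"] = rest[-1] if rest[-1] in ("rx", "tx", "both") else "both"
            sessions[sid]["sources"].append(entry)
        else:
            sessions[sid]["destinations"].append(entry)
    return dict(sessions)


def lint_switch(name, config_text, rspan_vlans):
    """Return (switch, session_id, problem) findings for one switch's config."""
    findings = []
    dest_ports = defaultdict(list)  # interface -> sessions using it as destination
    sends_into = {}  # RSPAN vlan -> session copying traffic INTO it (source switch role)
    reads_from = {}  # RSPAN vlan -> session copying traffic OUT of it (destination role)
    for sid, s in sorted(parse_sessions(config_text).items()):
        if not s["sources"]:
            findings.append((name, sid, "session has no source"))
        if len(s["destinations"]) != 1:
            findings.append((name, sid, "session needs exactly one destination"))
        for src in s["sources"]:
            if src["kind"] == "vlan" and src["value"] in rspan_vlans:
                findings.append((name, sid, f"vlan {src['value']} is an RSPAN VLAN; "
                                            f"use 'source remote vlan {src['value']}'"))
            elif src["kind"] == "remote-vlan":
                reads_from[src["value"]] = sid
        for dst in s["destinations"]:
            if dst["kind"] == "interface":
                dest_ports[dst["value"]].append(sid)
            elif dst["kind"] == "remote-vlan":
                sends_into[dst["value"]] = sid
    for port, sids in dest_ports.items():
        if len(sids) > 1:
            findings.append((name, sids[-1], f"interface {port} is already the "
                                             f"destination of session {sids[0]}"))
    for vlan in sorted(sends_into.keys() & reads_from.keys()):
        findings.append((name, reads_from[vlan], f"switch is both RSPAN source (session "
                                                 f"{sends_into[vlan]}) and RSPAN destination for vlan {vlan}"))
    return findings


# Sample input, retyped from the posts above: label -> (config, RSPAN VLANs on that switch).
SAMPLES = {
    "hans-switch2": ("""monitor session 1 source vlan 74 rx
monitor session 1 destination remote vlan 745
monitor session 2 destination interface Gi1/17
monitor session 2 source remote vlan 745""", {"745"}),
    "stephen-switch2": ("""monitor session 1 source remote vlan 745
monitor session 1 destination interface Gi1/17
monitor session 2 source vlan 74 rx
monitor session 2 destination interface Gi1/17""", {"745"}),
    "swc3b-broken": ("""monitor session 1 source vlan 109
monitor session 1 destination interface Gi7/18""", {"109"}),
    "swc3b-fixed": ("""monitor session 1 source remote vlan 109
monitor session 1 destination interface Gi7/18""", {"109"}),
}


def lint_thread_configs():
    """Lint every sample; returns {label: findings}."""
    return {label: lint_switch(label, cfg, vlans) for label, (cfg, vlans) in SAMPLES.items()}


if __name__ == "__main__":
    for label, problems in lint_thread_configs().items():
        print(label, problems or "ok")
```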
Hello all,
I have read various threads about using RSPAN with 2950 switches, but I am still unable to get it to work.
The source, destination and 2 intermediate switches are all C2950G-24-EI running 12.1(20)EA1a.
On all switches I have created vlan 480:
vlan 480
name RSPAN-vlan
remote-span
On the source I have:
monitor session 1 source interface fastEthernet0/14 rx
monitor session 1 destination remote vlan 480 reflector-port fastEthernet0/6
On the destination:
monitor session 1 source remote vlan 480
monitor session 1 destination interface fastEthernet0/11
Ideally I want both tx and rx on the source, but after reading a previous thread I am just trying to get rx.
"- Scenario1 (2950's as source, destination, and intermidiate switches):
RSPAN is supported if there is 1 source port, and the SPAN session is
configured as RX only or TX only. "
If I generate excessive traffic to the source port, I can see this on the link graph for the trunk port of the destination switch, but not on the final port itself.
Can anyone suggest anything that I can try to resolve this?
Regards,
-Jeff