VLAN-Based SPAN
hello everybody,
Why can I only monitor received (rx) traffic on a VLAN?
thanks for an answer...
Hi again:
Ingress/Egress SPAN
In the example in the section Monitor VLANs with SPAN, traffic that enters and leaves the specified ports is monitored. The field Direction: transmit/receive shows this. The Catalyst 4500/4000, 5500/5000, and 6500/6000 series switches allow you to collect only egress (outbound) or only ingress (inbound) traffic on a particular port. Add the keyword rx (receive) or tx (transmit) to the end of the command. The default value is both (tx and rx).
set span source_port destination_port [rx | tx | both]
Have you defined only the rx keyword?
I hope this helps. Please rate if it does.
Best regards
Alberto Giorgi from Spain.
Similar Messages
-
Hi all,
I'm trying to configure rule based span on my Nexus 7000.
I want to monitor some vlans, but limit the traffic going to my monitor station by using frame-type ipv4 filter.
The link below explains how to configure it, but my nexus doesn't recognise the command "mode extended".
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/system_management/configuration/guide/sm_nx_os_cg/sm_14span.html#wp1286697
Am I missing something? I'm running version 6.1.3.
Thanks,
Joris
NEXUS(config)# monitor session 1
NEXUS(config-monitor)# mode extended
^
% Invalid command at '^' marker.
NEXUS(config-monitor)# mode ?
*** No matching command found in current mode, matching in (exec) mode ***
connect Notify system on modem connection
restart Reenabling modem port
Hi Joris,
The rule based SPAN filtering was not introduced until NX-OS 6.2, so it will not be available to you with NX-OS 6.1(3).
See the section SPAN in the NX-OS 6.2 release notes.
Regards -
Tcl script to change access vlan based on MAC address
Hello all. I'm looking for some input on how best to handle this situation. I have a large network with a lot of remote offices where we have limited control over users moving around patch cables. We're using vlan-based QoS in these offices to mark voice, video, data, etc. The problem I'm having is that our users are moving video conferencing equipment to different interfaces on our switches, which puts the VTC unit in a different vlan, fouling our QoS policy. They then call and complain about poor video quality.
I'm trying to come up with a way to automate putting the interface in the video vlan if a VTC unit is connected. All of our video conferencing units are from the same vendor, so they have the same OUI in the MAC address. The script I've been working on looks for a line protocol up event, then checks to see what access vlan is configured on the interface. If the interface is already in the video vlan, the script exits. If the interface is not in the video vlan, the script looks at the MAC address table for the interface and, if the OUI matches a VTC unit, the script changes the interface configuration. My question is, is there a better event to trigger script execution? Maybe a MAC notification trap, or something else? Line protocol transitions when the access vlan is changed, so the current script runs twice: once when the interface first comes up with a new connection, and again when the vlan is changed.
Script is attached. Any help or advice is appreciated!
Does your video equipment use CDP? If so, then you can use the neighbor-discovery event detector to only react when you see a media endpoint being connected to a port. Yes, MAC address notifications (the mat ED) can also work if you know the MACs of your media endpoints.
-
Hi,
I'm trying to implement policer on Cat 6500 running CatOS 8.4.
The configuration is as such:
set qos enable
set port qos 1/7 vlan-based
set qos policer aggregate 2Mbps rate 2000 policed-dscp erate 2000 drop burst 26 eburst 26
set qos acl mac vlan10 dscp 0 aggregate 2Mbps any any
commit qos acl all
set qos acl map vlan10 10
Port 1/7 is in trunking mode that's why I'm using MAC ACL.
But nothing is working. The output of the command 'show qos statistics aggregate-policer 2Mbps' is:
QoS aggregate-policer statistics:
Aggregate policer    Allowed byte count    Bytes exceed excess rate
2Mbps                0                     0
I tried to use port-based QoS with no success.
Am I doing something wrong? Any help will be appreciated.
Ooops, thanks for the reminder.
I configured IP ACL but again the output was the same.
I changed the policer to port-based and it worked.
Is this something to do with the fact that the port is in trunking mode? -
EoMPLS : QinQ, Vlan-based
Hi, I'm on an EoMPLS project. I succeeded in connecting the customer sites across an EoMPLS tunnel.
This is my architecture :
LAN1 -- CE1 --- PE1 (7200)---- MPLS backbone --- PE2 (7200) -- CE2 -- LAN2
Now I know how to transport VLANs between the CEs, but my problem is to understand the difference.
In my mind, "Vlan-based" uses one operator VLAN (so 1 pseudowire) to transmit all frames, tagged or not, to CE2. And "QinQ" allows distinguishing between the different customer VLANs and forwarding frames across the MPLS backbone on different operator VLANs.
2 questions :
1. Have I understood correctly??
2. If I'm right, why do we need QinQ?? What does QinQ bring beyond VLAN-BASED??
3. My goal is to create any VLANs on Site 1 and transport them with VTP to Site 2. Which of these two VLAN-based technologies should I use??
Thanks for your answer!
Ok, thanks for the answer.
I understand the principle, but the PE in my case is an emulated 7200 router. I work with a dynagen/dynamips server and only the 7200 can be emulated, not the 7600!!
I have looked at the following links:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_9_ea1/configuration/guide/swtunnel.html#wp1010370
http://www.cisco.com/en/US/docs/ios/ios_xe/mpls/configuration/guide/mp_qnq_tunneling_atom_xe.html#wp1001506
In the first link we can see the dot1q tunnel mode with transport of some layer 2 protocols: CDP, STP, and VTP.
Ideally this is my first goal --> transport VTP to site 2 by EoMPLS, but it seems to be only on multilayer switches (like the 7600) or with special cards, I don't know. But what I do know is that with my 7200 I don't have the switchport command to activate switchport mode dot1q-tunnel and l2protocol-tunnel vtp, for example.
Is it true??
Secondly, in the second link I read that I should be able to transport the VLAN frames of site 1 to site 2, but simply carry them and not propagate the different VLANs that I created!!!
Again, have I understood correctly??
Thanks for help -
GE cards supported for port- vlan based EoMPLS on 7600/sup720
Hi,
Can anyone explain/point me to the proper documentation on the CCO site where I can find the cards that support port-/VLAN-based EoMPLS on a 7600 with a sup720 engine?
Which GE port cards support EoMPLS and which GE cards do not?
try
www.cisco.com/go/fn
-Waris -
7609 RSP vlan based internet bandwidth rate limit
Hi,
I have a requirement to restrict the bandwidth for CORP internet users in our metro network. Could you check whether this template is good to go for restricting the download and upload speed on the users' WAN interface, which is a VLAN? My bandwidth limitation is 5 Mbps downlink and 5 Mbps uplink.
class-map match-all corp_traffic1
match access-group name corp_traffic
policy-map CORP_ingress
class corp_traffic1
police 5000000 500000 conform-action transmit exceed-action drop
ip access-list extended corp_traffic
permit ip 172.25.5.0 0.0.0.255 any
permit ip any 172.25.5.0 0.0.0.255
interface Vlan351
service-policy input CORP_ingress
service-policy output CORP_ingress
Thanks & Regards
-Saji
Riccardo,
Thank you for your response..
I have the RSP as SUP and an ES20 as the uplink card..
But I have a clarification... Is the service-policy input really required?
It seems the input direction is not working, from the logs below.. It is not matching the same:
ABR#sh policy-map interface vlan 3xx
Service-policy input: CORP_ingress
class-map: corp_traffic1 (match-all)
Match: access-group name corp_traffic
police :
5000000 bps 156000 limit 156000 extended limit
Earl in slot 1 :
0 bytes
5 minute offered rate 0 bps
aggregate-forwarded 0 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
Earl in slot 2 :
0 bytes
5 minute offered rate 0 bps
aggregate-forwarded 0 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
Earl in slot 3 :
0 bytes
5 minute offered rate 0 bps
aggregate-forwarded 0 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
Earl in slot 5 :
0 bytes
5 minute offered rate 0 bps
aggregate-forwarded 0 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
0 packets, 0 bytes
5 minute rate 0 bps
Service-policy output: CORP_ingress
class-map: corp_traffic1 (match-all)
Match: access-group name corp_traffic
police :
5000000 bps 156000 limit 156000 extended limit
Earl in slot 1 :
3739884 bytes
5 minute offered rate 20576 bps
aggregate-forwarded 3739884 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 17464 bps exceed 0 bps
Earl in slot 2 :
0 bytes
5 minute offered rate 0 bps
aggregate-forwarded 0 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
Earl in slot 3 :
105048931 bytes
5 minute offered rate 539032 bps
aggregate-forwarded 105048931 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 545760 bps exceed 0 bps
Earl in slot 5 :
0 bytes
5 minute offered rate 0 bps
aggregate-forwarded 0 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
I will post more update on this...as I am waiting for the clients to test the same.. -
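The output above shows an input policy whose policed class counted nothing while the output policy carried traffic. As an added example, not from the thread, here is a small Python parser that sums the per-Earl (per-slot) policer counters from a constructed copy of that output and flags a policed class that never saw a byte, a quick check before trusting that a rate limit is enforced in both directions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the "show policy-map interface vlan" output
# quoted in the thread above (two Earl slots per direction, trimmed for brevity).
SAMPLE_OUTPUT = """\
Service-policy input: CORP_ingress
  class-map: corp_traffic1 (match-all)
    Match: access-group name corp_traffic
    police :
      5000000 bps 156000 limit 156000 extended limit
      Earl in slot 1 :
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: transmit
        exceeded 0 bytes action: drop
      Earl in slot 3 :
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: transmit
        exceeded 0 bytes action: drop
Service-policy output: CORP_ingress
  class-map: corp_traffic1 (match-all)
    Match: access-group name corp_traffic
    police :
      5000000 bps 156000 limit 156000 extended limit
      Earl in slot 1 :
        5 minute offered rate 20576 bps
        aggregate-forwarded 3739884 bytes action: transmit
        exceeded 0 bytes action: drop
      Earl in slot 3 :
        5 minute offered rate 539032 bps
        aggregate-forwarded 105048931 bytes action: transmit
        exceeded 0 bytes action: drop
"""

POLICY_RE = re.compile(r"Service-policy (input|output): (\S+)")
CLASS_RE = re.compile(r"[Cc]lass-map: (\S+)")
FIELD_RES = (
    (re.compile(r"aggregate-forwarded (\d+) bytes"), "forwarded"),
    (re.compile(r"exceeded (\d+) bytes"), "exceeded"),
    (re.compile(r"5 minute offered rate (\d+) bps"), "offered_bps"),
)


def parse_policer_counters(text):
    """Sum per-slot policer counters per (direction, class-map) pair.

    Returns {(direction, class_name): {"forwarded", "exceeded", "offered_bps", "policed"}}.
    """
    counters = defaultdict(lambda: {"forwarded": 0, "exceeded": 0, "offered_bps": 0, "policed": False})
    direction = class_name = None
    for line in text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            direction, class_name = m.group(1), None
            continue
        m = CLASS_RE.search(line)
        if m:
            class_name = m.group(1)
            continue
        if direction is None or class_name is None:
            continue
        key = (direction, class_name)
        if line.strip().startswith("police"):
            counters[key]["policed"] = True  # this class carries a policer
        for regex, field in FIELD_RES:
            m = regex.search(line)
            if m:
                counters[key][field] += int(m.group(1))
    return dict(counters)


def idle_policed_classes(counters):
    """Policed classes that never forwarded or exceeded a byte: the policy is
    attached in that direction but nothing matched, as the thread observed for input."""
    return sorted(k for k, c in counters.items() if c["policed"] and c["forwarded"] + c["exceeded"] == 0)


if __name__ == "__main__":
    stats = parse_policer_counters(SAMPLE_OUTPUT)
    for key, c in sorted(stats.items()):
        print(key, c)
    print("policed but idle:", idle_policed_classes(stats))
```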
Alteon Web OS allows you to assign different default gateways for each VLAN. You can effectively map multiple customers to specific gateways on a single switch.
Do Cisco load balancers support a different default gateway for each VLAN?
One way of doing it today would be to define a serverfarm for each gateway, and have a vserver match_all for every vlan.
For example,
serverfarm gateway_1
no nat client
no nat server
real
x.x.x.x
serverfarm gateway_2
<...>
vserver gateway_vlan1
virtual 0.0.0.0 /0 any
serverfarm gateway_1
vlan
vserver gateway_vlan2
virtual 0.0.0.0 /0 any
serverfarm gateway_2
vlan -
AP 1262 doesn't negotiate with Gig Interface
Hi !!
I have new 1262 APs; they have a Gig interface. When I connect the AP to my 6500 on a PoE Gig interface, the AP turns on, but the interface never comes up.
I need to change the speed to 100 on the 6500 switch port; when I do this, the interface comes up.
This is the model of the card WS-X6148A-GE-45AF
This is the Switch IOS s3223-ipservicesk9_wan-mz.122-18.SXF11.bin
The controller is 5500 version 7.2
This is the interface config:
interface GigabitEthernet4/36
switchport
switchport access vlan 308
switchport mode access
switchport port-security
switchport port-security maximum 5
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
no ip address
speed 100
duplex full
wrr-queue bandwidth 30 40 30
wrr-queue queue-limit 40 30 15
wrr-queue threshold 2 60 80 100 100 100 100 100 100
wrr-queue threshold 3 60 80 100 100 100 100 100 100
wrr-queue random-detect min-threshold 1 40 60 80 80 80 80 80 80
wrr-queue random-detect max-threshold 1 70 80 100 100 100 100 100 100
no wrr-queue random-detect 2
no wrr-queue random-detect 3
wrr-queue cos-map 1 1 1
wrr-queue cos-map 1 3 0
wrr-queue cos-map 2 2 2
wrr-queue cos-map 2 3 4
wrr-queue cos-map 3 2 3
wrr-queue cos-map 3 3 6 7
mls qos vlan-based
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
end
switch#sh power inline | i Gi4/36
Gi4/36 auto on 17.3 15.4 cisco AIR-LAP1262N- 3
Have you seen this before?
I need to change the speed to 100 on the 6500 switch port; when I do this, the interface comes up. Have you seen this before?
Yes, I have. ALL the time.
This is caused by a fault in your cable. Pair D of your cable controls Gigabit Ethernet and it could be the fault. There's one way of testing, and it would mean running a TDR from the 6500. Here is the process:
1. Command: test cable tdr int Gi4/36;
2. Wait for 61 seconds (Yes, it takes THAT long when dealing with 4500/6500 line cards);
3. Command: sh cable tdr int Gi4/36;
4. Please post the output. -
Policy-map based rate-limiting per vlan
Hi
I was wondering if someone could help me come up with a solution to a problem. The scenario is as follows:
I have a trunk interface with multiple vlans on:
interface GigabitEthernet2/0/3
description TRUNK-to-*********
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 415,416,610,1191-1193,1195
switchport mode trunk
duplex full
storm-control broadcast level pps 1k
storm-control multicast level pps 3k
storm-control unicast level pps 250k
storm-control action trap
spanning-tree portfast trunk
spanning-tree bpdufilter enable
I'm trying to rate limit two of the vlans that are present on this trunk interface - vlan 415 and vlan 1192.
So I'm putting the class-map (to be later applied under the policy-map which is not significant here):
(config)#class-map match-any 120-mbps-class
(config-cmap)#match input-interface vlan 415
(config-cmap)#match input-interface vlan 1192
Now, when you show the class-map I created, I can see this:
sh class-map 120-mbps-class
Class Map match-any 120-mbps-class (id 1)
Match input-interface Vlan415
Match input-interface FastEthernet0
For some bizarre reason the class-map is matching Fa0. I have researched this, and this is most probably because you can only match 1 vlan instance under the class-map.
And here's my problem - I can't police the whole interface as the other vlans should not be policed - how can I police those two vlans?
Any thoughts ? All help appreciated as always.
Rob.
Hi Daniel,
I have labbed it and unfortunately it does not work as expected. I have put 1x 3750 and 1x 2960 with a trunk between them; each box had an access port for a laptop to create some traffic across. All vlan-based qos has been applied on the 3750G.
3750G config
interface g1/0/20
description trunk
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 100,120
Interface g1/0/1
description access
switchport mode access
switchport access vlan 100
Interface vlan 100
ip address 192.168.100.254
service-policy input PARENT-POLICER
Interface vlan 120
ip address 10.10.10.1
Policy-map PARENT-POLICER
class PERMIT-ANY-CLASS
trust COS
service-policy CHILD-POLICER
class-map match-any PERMIT-ANY-CLASS
match access-group name POLICY-LIST
Extended IP access list POLICY-LIST
10 permit ip any any
Policy-map CHILD-POLICER
class INTERFACE-POLICE-CLASS
police 100000 8000 exceed-action drop
Class Map match-any INTERFACE-POLICE-CLASS
Match input-interface GigabitEthernet1/0/20
2960 config:
interface g0/20
switchport mode trunk
switchport trunk allowed vlan 100,120
interface g0/1
switchport mode access
switchport access vlan 100
interface vlan 100
ip address 192.168.100.253
interface vlan 120
ip address 10.10.10.2
So as you can see vlan 100 is the one that needs to be rate limited (I have only rate limited it to 100kbps just to see if it's working) and vlan 120 is only on the trunk ports to confirm that the traffic for this one is not affected.
Unfortunately, when the policing is applied on the 3750 vlan 100 (and policing is working fine) I can see packet loss while pinging between the switches on vlan 120, suggesting that the policy is affecting the other vlan as well. When I take the policy out of vlan 100 I cannot observe the packet loss on vlan 120, meaning it is no longer affected.
Not sure if I have explained this clearly enough so far; if not, let me know.
Do you have any suggestions ?
Thanks! -
How to span vlans across core layer in core/distribution/access campus design?
Hi,
I studied Cisco Borderless Campus Design Guide 1.0 (http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/Borderless_Campus_Network_1-0/Borderless_Campus_1-0_Design_Guide.html) last week because we plan to redesign our campus backbone to a three tier Core/Distribution/Access Design.
Today we use a collapsed backbone where a lot of vlans are spanned across the backbone because they are needed in different buildings.
Could anybody give me a hint how Cisco recommends dealing with that kind of vlan in the multi-tier design?
In my eyes between core and distribution layer there is only routing functionality and no l2 transport of vlans.
So using the same vlan in different buildings seems not to be supported?
Best Regards,
Thorsten
Thorsten
Just to add to Joseph's post.
It is quite common for a vlan to be spanned when it doesn't actually need to be, i.e. the network has evolved that way.
Most things do not need L2 adjacency, they can happily use L3. Servers sometimes do but in the campus design your servers are usually located in one site so you don't need to extend vlans to other sites in your campus.
Not suggesting this is the case for you but it may be worth checking whether you really do. (apologies if you already have)
As Joseph mentioned you really want to avoid it if at all possible, i.e. ideally all connections to the core switches are L3, i.e. no need for vlans at all in the core.
If you need to extend a few vlans then you can do this but still route for all other vlans, i.e. you would configure your distribution to core connections as trunks and then allow the vlans you need to extend plus one other vlan, unique per distribution pair, to route all other vlans. So per site your distribution switches route all vlans except the extended vlans, and if they need to route to a vlan in another site they use that unique vlan.
But this is not ideal because you then need to extend certain vlans across the core and, because you are using L2 connections, STP could come into it, although that does depend on your core switch selection, e.g. 4500/6500 VSS etc. would alleviate this.
There are ways to extend vlans across a L3 network but the solutions available are very much dependent on the kit you use and its capabilities, so if you do need multiple vlans in multiple sites but still want to keep a L3 core you may want to investigate some of those before purchasing kit (unless of course you have already purchased it).
What you do really depends on just how many vlans you actually need to extend between sites.
Jon -
802.1x dynamic vlan assignment based on MAC?
Hello,
I am using a Catalyst 3750 and Windows AD authentication.
Our customers' PCs run Windows (not 802.1x capable) and are connected to the Catalyst switch.
Is it possible to dynamically assign a VLAN based on MAC?
If possible, we want to do it without using VMPS.
And, is there any document relating to the above?
Thanks a lot for your help.
Tomoyuki
Hello Tomoyuki,
which Radius Server are you using to authenticate your Clients?
For the Secure ACS you can configure a feature called "MAC-Authentication-Bypass" which fulfils your requirements.
This feature must be configured on the switch and on the Radius server (which does the VLAN assignment based on the MAC address of the client).
An overview of this feature can be found here:
http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
I hope this helps,
Kind regards,
Chris -
SPAN for vlan across Nexus vPC
Dear Team,
Does anyone have experience monitoring VLAN traffic across 2 Nexus 6k switches? My scenario is: 1 monitor server is directly attached to the 1st unit of N6K and intends to monitor 2 VLANs, but these 2 VLANs are spanned across a vPC, where traffic can transit both units of N6K according to the vPC traffic flow methodology. I can easily SPAN the 2 VLANs on the local N6K to the destination (monitor server) ports, but how can I monitor the traffic (for those 2 VLANs) that arrives on the 2nd unit of N6K?
I tried searching the N6K docs; there is no RSPAN feature, but ERSPAN is now introduced. However, ERSPAN has a stated limitation: "A destination port can only be configured in one SPAN session at a time."
Meaning I can't configure both local SPAN and ERSPAN on N6K unit 1 to the same destination port towards the monitoring server?!!!
Just wish to know if any experts have come across this scenario and have experience with an alternative solution; I would like to hear your expert advice, thanks in advance.
Regards
Chong
Hi chuck_113th,
Did you manage to fix the problem? -
Hi All
Can someone please explain why Cisco states that in a Campus Hierarchical model, if VLANs are spanned across access switches in a distribution block, then the distribution-to-distribution link should be Layer 2. Is this really necessary or just a recommendation, and if so why? Can't this link be a L3 link when spanning VLANs across access switches in a distribution block, as I understand the benefit of having a L3 distribution-to-distribution link is that STP is avoided.
Please help
Hello,
The Cisco recommended design is L3 links, but this is only possible if you have no vlans you need to span over the whole network.
It depends on your topology or what you want achieve.
If you need one or more vlans spanned across the LAN, you need to use a layer 2 connection between all switches and between the distribution switches too.
In my company we have, for example, a few vlans for restricted areas, like device management or similar, so we can't use L3 links in the distribution area because these vlans are terminated at the firewall. I think this is a good thing.
I would recommend, if you don't have to span one or more vlans across the network, to use L3 links, especially for redundancy. Then you need no spanning-tree, but you need to use other protocols like GLBP or similar. They work faster and are not as confusing (for some people) as STP.
best regards,
Sebastian -
Hi,
I have a question about vlan based qos. I am happy with qos configuration as applied to ports. However, vlan based qos confuses me somewhat.
Is vlan based qos intended for situations where packets are to cross vlans? In that case, am I correct in assuming that vlan based qos has no effect on packet flows within that vlan? In that case the idea of vlan based qos would be to police/mark traffic leaving/joining that vlan?
Or, does vlan based qos extend queuing (priority queue etc) down to ports that are members of that vlan are configured with vlan based qos? I think not but I'm not absolutely sure.
I can't seem to get to the bottom of this on cco.
Thanks, Steve
Hi Steve,
Packets do not have to cross VLANs for you to need VLAN-based QoS.
VLAN-based QoS gives you an additional layer of queueing hierarchy. With port-based Qos, there is a set of software queues per physical port. As packets are scheduled from these queues, they are emitted from the port.
With VLAN-based QoS, there is another layer. Each VLAN configured for VLAN-based QoS will have a set of queues associated with it, instead of having a set of queues for the physical port. This comes in useful for providers of Metro Ethernet service who offer multiple classes of service. Such ethernet services are usually sold with a fixed bandwidth per-VLAN. At egress switch ports, the provider will use vlan-based QoS to police/shape traffic in order to conform to the sold rate. Within this shaped rate, queueing will be used to ensure that the higher classes of service get preference.
In answer to your question, vlan-based qos does have an effect on packet flows within that vlan.
Hope that helps - pls rate the post if it does.
Regards,
Paresh.