RSPAN does not work?


  • RSPAN does not work?

    I want to enable RSPAN on a network with Catalysts 2950 switches only.
    All switches are VTP enabled, I used

    vlan 999
    name rspan
    remote-span
    end

    to create RSPAN VLAN and using

    show vlan remote-span

    I can see the VLAN advertised on all switches.
    Then I set up monitoring:

    switch A:

    monitor session 1 source interface fastEthernet 0/12
    monitor session 1 destination remote vlan 999 reflector-port fastEthernet 0/24

    switch B:

    monitor session 1 source interface fastEthernet 0/2 - 4 both
    monitor session 1 destination remote vlan 999 reflector-port fastEthernet 0/24
    monitor session 2 source remote vlan 999
    monitor session 2 destination interface fastEthernet 0/1 ingress vlan 1

    Using a network monitor connected to port Fa 0/1 on switch B
    I can see traffic from switch B ports 2-4,
    but not traffic from switch A port 12.

    Any tip what is wrong?

  • #2
    Re: RSPAN does not work?

    Hi rga,

    Since you have VTP enabled, are you doing any VTP pruning? What you can do to simplify your RSPAN config is create the RSPAN on the VTP server switch and the config will propagate to the other switches.

    Also what does your RSPAN configuration look like when you run show monitor session <insert_number>?


    • #3
      Re: RSPAN does not work?

      Here you have show monitor session all output for switch B:

      #show monitor session all

      Session 1
      ---------
      Type : Remote Source Session
      Source Ports :
      Both : Fa0/2-4
      Reflector Port : Fa0/24
      Dest RSPAN VLAN : 999


      Session 2
      ---------
      Type : Remote Destination Session
      Source RSPAN VLAN : 999
      Destination Ports : Fa0/1
      Encapsulation : Native
      Ingress: Enabled, default VLAN = 1
      Ingress encapsulation: Native


      And I have disabled VTP Pruning for the RSPAN VLAN
      under interface set as trunk by

      switchport trunk pruning vlan remove 999

      #show interfaces trunk

      Port Mode Encapsulation Status Native vlan
      Fa0/23 on 802.1q trunking 1

      Port Vlans allowed on trunk
      Fa0/23 1-4094

      Port Vlans allowed and active in management domain
      Fa0/23 1,999

      Port Vlans in spanning tree forwarding state and not pruned
      Fa0/23 1,999

      Moreover, I have found that I cannot communicate with the rest of the network from the "sniffing" device connected to Fa0/1, even though it is in default VLAN 1 and ingress vlan 1 is set for the RSPAN destination interface.

      Here you can see the same for switch A:

      #show monitor session all

      Session 1
      ---------
      Type : Remote Source Session
      Source Ports :
      Both : Fa0/11-12
      Reflector Port : Fa0/24
      Dest RSPAN VLAN : 999


      #show interfaces trunk

      Port Mode Encapsulation Status Native vlan
      Fa0/23 on 802.1q trunking 1

      Port Vlans allowed on trunk
      Fa0/23 1-4094

      Port Vlans allowed and active in management domain
      Fa0/23 1,999

      Port Vlans in spanning tree forwarding state and not pruned
      Fa0/23 1,999

      I don't know where I am wrong...


      • #4
        Re: RSPAN does not work?

        Can you provide a quick network diagram? Are you trying to configure RSPAN on just two switches (A and B)? Also I noticed that your sniffing device is connected to f0/1 and VLAN1 is doing ingress forwarding as the RSPAN destination. Is there some type of security device (IPS or something of that nature)? RSPAN doesn't support ingress forwarding for RSPAN destination ports.

        If you have multiple 2950's they can only act as source switches unless you use a unique RSPAN session for each source switch.

        You might want to check the following link out:

        http://www.cisco.com/en/US/docs/swit...de/swspan.html

        I would like to keep working on this issue and I am sure others can add to the mix, helping you get this situation knocked out.

        Ryan
        Last edited by ryansmitty; 8th June 2009, 22:32. Reason: add more info


        • #5
          Re: RSPAN does not work?

          Here you have my topology (topology.jpg).

          All switches are Cisco Catalyst 2950.
          All ports are assigned to default VLAN 1. No other VLAN was used up to now.
          All trunks are set to

          switchport mode trunk
          switchport nonegotiate

          Packet sniffer (switch 2, Fa0/1) is a PC with Wireshark to do packet sniffing for troubleshooting. I want to save sniffed data to a network share on different server for later usage.

          In the first step I did this on switch 2:

          monitor session 1 source interface fastEthernet 0/2 both
          monitor session 1 destination interface fastEthernet 0/1 ingress vlan 1

          It took me a while to find that I have to use ingress vlan 1 if I want to be able to communicate with the rest of the network from the packet sniffer (I think I don't understand the background completely, but I know it works).
          Everything worked as expected.

          But I needed to monitor packets from/to printers connected to switches 5 and 1 as well.
          So I have removed monitor session 1 on switch 2,
          created VLAN 999 on one of the switches and set it as the RSPAN VLAN

          #show vlan remote-span

          Remote SPAN VLANs
          ------------------------------------------------------------------------------
          999

          Because I have VTP enabled, this information was distributed to all switches.

          I set up all trunking interfaces to exclude VLAN 999 from pruning using

          #switchport trunk pruning vlan remove 999

          Then I set it up this way:

          Switch 5:
          monitor session 1 source interface fastEthernet 0/20 both
          monitor session 1 destination remote vlan 999 reflector-port fastEthernet 0/24

          Switch 1:
          monitor session 1 source interface fastEthernet 0/20 both
          monitor session 1 source interface fastEthernet 0/21 both
          monitor session 1 destination remote vlan 999 reflector-port fastEthernet 0/24

          Switch 2:
          monitor session 1 source interface fastEthernet 0/2 both
          monitor session 1 destination remote vlan 999 reflector-port fastEthernet 0/24
          monitor session 2 source remote vlan 999
          monitor session 2 destination interface fastEthernet 0/1 ingress vlan 1

          But when I start capturing on packet sniffing device, I can see broadcasts only.
          No other traffic. And no traffic from (to?) the device is possible.

          I have read documentation, I thought I did it right, but probably not.
          I would appreciate any help then...

          • #6
            Re: RSPAN does not work?

            Thanks for your diagram. Because you have all 2950's you have a couple of things you need to be aware of according to Cisco documentation.

            1. "If traffic for a port is monitored in both directions, make sure that the intermediate switches and the destination switch are switches other than Catalyst 2950 or 2955 switches, such as Catalyst 3550, 3750, or 6000 switches."

            In your case you have all 2950's (both source and destination switches). I would recommend that because you are only monitoring individual interfaces that you monitor in the receive (rx) direction.

            2. "In a network consisting of only Catalyst 2950 or Catalyst 2955 switches, you must use a unique RSPAN VLAN session on each source switch. If more than one source switch uses the same RSPAN VLAN, the switches are limited to act only as source switches to ensure the delivery of all monitored traffic to the destination switch."

            Looking at your diagram and then your session configuration, you are using VLAN 999 as your RSPAN on your source switches (switches 5, 1, 2), however switch 2 is also your destination switch.

            I suggest trying the following:

            Remove all monitoring sessions on all switches: no monitor session all

            Remove VLAN 999 and create a unique RSPAN VLAN for each switch (for example VLAN 500 for switch 5 and 100 for switch 1). Make sure to exclude the new VLANs from VTP pruning and configure a unique monitoring session. Your monitored interfaces stay the same and your reflector port stays the same.

            Switch 5 example (assuming you have already created new unique RSPAN VLAN)

            monitor session 1 source interface f0/20 rx
            monitor session 1 destination remote vlan 500 reflector-port fastethernet 0/24

            Switch 1 example (assuming you have already created new unique RSPAN VLAN)

            monitor session 1 source interface f0/20 - 21 rx
            monitor session 1 destination remote vlan 100 reflector-port fastethernet 0/24

            On switch 2 you have both a local span session going and it is a destination RSPAN switch so try the following

            monitor session 1 source remote vlan 500
            monitor session 1 source remote vlan 100
            monitor session 1 destination interface fastethernet 0/1 ingress vlan 1

            monitor session 2 source interface f0/2 rx
            monitor session 2 destination interface f0/2 ingress vlan1

            Let me know if that helps (or doesn't).

            Ryan
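
The two Cisco restrictions quoted in post #6 can be checked mechanically before touching the switches. The sketch below is an added example, not code from the thread's participants or from Cisco; `lint_rspan` and its rule names are made up here, it reads only `monitor session` lines, and it assumes every switch is a Catalyst 2950/2955.

```python
import re
from collections import defaultdict

SRC_IF = re.compile(r"monitor session (\d+) source interface (.+?)(?:\s+(both|rx|tx))?$", re.I)
TO_RSPAN = re.compile(r"monitor session (\d+) destination remote vlan (\d+)", re.I)
FROM_RSPAN = re.compile(r"monitor session \d+ source remote vlan \d+", re.I)

def lint_rspan(configs):
    """configs: switch name -> 'monitor session' lines; all switches assumed 2950/2955."""
    findings, senders, receivers = [], defaultdict(set), set()
    for switch, text in configs.items():
        sources, rspan_vlan = defaultdict(list), {}   # both keyed by session number
        for line in map(str.strip, text.splitlines()):
            if m := SRC_IF.match(line):
                # With no keyword the switch monitors both directions.
                sources[m[1]].append((m[2], (m[3] or "both").lower()))
            elif m := TO_RSPAN.match(line):
                rspan_vlan[m[1]] = int(m[2])
            elif FROM_RSPAN.match(line):
                receivers.add(switch)
        for session, vlan in rspan_vlan.items():
            senders[vlan].add(switch)
            for ports, direction in sources[session]:
                if direction == "both":
                    findings.append(("both-directions", switch, f"{ports} -> VLAN {vlan}"))
    for vlan, switches in sorted(senders.items()):
        if len(switches) > 1:
            findings.append(("shared-rspan-vlan", ",".join(sorted(switches)), f"VLAN {vlan}"))
            for switch in sorted(switches & receivers):
                findings.append(("source-also-destination", switch, f"VLAN {vlan}"))
    return findings

# Session lines as posted in #5 of the thread, with wrapped commands joined.
POSTED = {
    "switch5": """monitor session 1 source interface fastEthernet 0/20 both
monitor session 1 destination remote vlan 999 reflector-port fastEthernet 0/24""",
    "switch1": """monitor session 1 source interface fastEthernet 0/20 both
monitor session 1 source interface fastEthernet 0/21 both
monitor session 1 destination remote vlan 999 reflector-port fastEthernet 0/24""",
    "switch2": """monitor session 1 source interface fastEthernet 0/2 both
monitor session 1 destination remote vlan 999 reflector-port fastEthernet 0/24
monitor session 2 source remote vlan 999
monitor session 2 destination interface fastEthernet 0/1 ingress vlan 1""",
}

if __name__ == "__main__":
    for finding in lint_rspan(POSTED):
        print(*finding, sep=" | ")
```

Run against the configuration from post #5, it reports VLAN 999 shared by three source switches, switch 2 acting as both source and destination, and each port mirrored in both directions.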








            • #7
              Re: RSPAN does not work?

              Thanks for your comments/suggestions!
              Some things make sense to me now.
              I will try to change the set up as soon as I have a bit time...

              Just one note:
              in your suggested configuration, you have

              monitor session 2 destination interface f0/2 ingress vlan1

              I suppose there should be f0/1,
              but I tried this before either and it complained
              the interface is already used as destination for a remote span session.
              I assume one interface cannot be a destination for more sessions.

              But as I wrote... I will try it again, from "scratch"...


              • #8
                Re: RSPAN does not work?

                Originally posted by rga:
                Thanks for your comments/suggestions!
                Some things make sense to me now.
                I will try to change the set up as soon as I have a bit time...

                Just one note:
                in your suggested configuration, you have

                monitor session 2 destination interface f0/2 ingress vlan1

                I suppose there should be f0/1,
                but I tried this before either and it complained
                the interface is already used as destination for a remote span session.
                I assume one interface cannot be a destination for more sessions.

                But as I wrote... I will try it again, from "scratch"...

                Good catch... that should be f0/1 instead of f0/2.


                • #9
                  Re: RSPAN does not work?

                  I just wanted to check in and see if you are still having any problems.
