[OSL | CCIE_Security] RSPAN with SPAN

[Ben Shaw]

Hi All

I am doing question 4.6 in INE WB1 on IPS and have found and issue with
tagging of traffic on the destination SPAN port. Here is my configuration:

SW1#sh run | i monit
monitor session 12 source vlan 12
monitor session 12 destination remote vlan 400
SW1#sh monitor session 2
 No SPAN configuration is present in the system for session [2].

SW1#sh monitor session 12
Session 12
----------
Type                   : Remote Source Session
Source VLANs           :
    Both               : 12
Dest RSPAN VLAN        : 400


SW2#sh run | i monit
monitor session 34 source vlan 34 , 400
monitor session 34 destination interface Gi1/0/10 encapsulation replicate
SW2#sho mon ses 34
Session 34
----------
Type                   : Local Session
Source VLANs           :
    Both               : 34,400
Destination Ports      : Gi1/0/10
    Encapsulation      : Replicate
          Ingress      : Disabled

The issue I am having is that SW2 is not tagging one of the source SPAN
VLANs correctly. What I am finding is that traffic from SW1 which is being
sent to SW2 as an RSPAN session on VLAN 400 is being tagged correctly and
is therefor being picked up correctly on the IPS VLAN Group interface which
is listening for VLAN 400 off interface Gig1/0/10. The traffic from source
VLAN 34 on SW2 is being sent untagged out the SPAN port and being seen on
the IPS as VLAN 0 so it not being picked up by the second VLAN Group
interface which is listening on VLAN 34. I can tell this as after I create
a third VLAN Group interface on the IPS for unassigned traffic, the SPAN
traffic from VLAN 34 is collected by this third VLAN Group interface and I
can see in the logs it has an VLAN of 0.

The issue to me seems to be the switch not tagging VLAN 34 correctly before
sending it out interface Gig1/0/10. I have tried the following version of
the "monitor session 34" command on SW2 but with the same result.

SW2(config)#monitor session 34 destination interface gig1/0/10
encapsulation dot1q
% Warning: One or more specified dest port does not support requested
encapsulation.

Interesting I get the error above when I apply this command but the command
still seems to stay in the configuration.

I am trying to do this on 3750 switches which I know are not used on the
lab but I wanted to see if maybe I am just missing something.

Thanks
Ben

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com