L2 mode remote port mirroring (RSPAN) doesn’t work because MAC learning is enabled in the RSPAN Vlan on the intermediate switch

Publication Date:  2012-07-27
Issue Description
The network topology is shown in pic 1. The customer wants to implement RSPAN (remote port mirroring through an L2 network):

pic 1
  1. SGSN/GGSN traffic is mirrored on the Cisco ekb_mpls3;
  2. The mirrored traffic is then switched through ekb_s9312_dmz2 in RSPAN VLAN 950;
  3. Finally, the mirrored traffic should be forwarded to the sniffer system on the ekb_mls5.

The customer complains that the sniffer does not receive the mirrored SGSN and GGSN traffic, although the RSPAN configuration on ekb_mpls3 is correct.
 


Alarm Information
None

Handling Process
1) [ekb_s9312_dmz2-vlan950]mac-address learning disable
2) [ekb_s9312_dmz2]undo mac-address dynamic vlan 950 <-- this command is also necessary: after MAC learning is disabled, the MAC table still holds the previously learned MAC addresses until they age out, and these entries keep preventing the frames from being switched.

Root Cause
During problem analysis it was found that traffic in VLAN 950 on the switch "ekb_s9312_dmz2" was arriving on interface eth-trunk2, but no traffic in VLAN 950 was leaving through interface eth-trunk5, as shown below.
<ekb_s9312_dmz2>disp vlan 950 statistics
 
 board: 3
 vlan:  950
 ------------------------------------------------------------------------------------------------------
 item                                   packets                       bytes
 ------------------------------------------------------------------------------------------------------
inbound                                       0                           0
outbound                                     18                          45840
board: 5
 vlan:  950
 -------------------------------------------------------------------------------------------------
 item                                   packets                       bytes
 -------------------------------------------------------------------------------------------------
inbound                             344,560,526              71,572,768,106
outbound                                      0                           0
<ekb_s9312_dmz2>

After this, it was found that all MAC addresses in the MAC address table were learned on interface eth-trunk2.
<ekb_s9312_dmz2>disp mac-address dynamic vlan 950
mac address table of slot 3:
-------------------------------------------------------------------------------
mac address    vlan/       pevlan cevlan port            type      lsp/       
               vsi/si                                              mac-tunnel 
-------------------------------------------------------------------------------
0000-170c-bab0 950         -      -      eth-trunk2      dynamic   -          
0000-170c-b995 950         -      -      eth-trunk2      dynamic   -          
0000-170c-b58c 950         -      -      eth-trunk2      dynamic   -          
. . . . . . . . . . . .
0000-170c-ba18 950         -      -      eth-trunk2      dynamic   -          
0000-170c-b567 950         -      -      eth-trunk2      dynamic   -          
0000-170c-b996 950         -      -      eth-trunk2      dynamic   -          
-------------------------------------------------------------------------------
total matching items on slot 3 displayed = 63
mac address table of slot 5:
-------------------------------------------------------------------------------
mac address    vlan/       pevlan cevlan port            type      lsp/       
               vsi/si                                              mac-tunnel 
-------------------------------------------------------------------------------
0018-b9e8-1696 950         -      -      eth-trunk2      dynamic   -          
0000-170c-b568 950         -      -      eth-trunk2      dynamic   -          
0000-170c-ba3c 950         -      -      eth-trunk2      dynamic   -          
. . . . . . . . . . . .
0000-170c-ba21 950         -      -      eth-trunk2      dynamic   -          
0014-69d2-1f80 950         -      -      eth-trunk2      dynamic   -          
0018-74ce-7800 950         -      -      eth-trunk2      dynamic   -          
-------------------------------------------------------------------------------
total matching items on slot 5 displayed = 63
<ekb_s9312_dmz2> 
 
When both incoming and outgoing traffic (from the SGSN and GGSN) is mirrored, such a MAC address table on the switch ekb_s9312_dmz2 is normal. At the same time, however, no mirrored Ethernet frames were switched and sent out through the outgoing interface eth-trunk5, because a switch drops Ethernet frames that arrive on the same interface on which their destination MAC address was learned. For example, let A be a source MAC address and B a destination MAC address, and suppose the switch has learned A's MAC address. When B sends packets to A and the intermediate switch receives these packets as mirrored traffic, the switch drops them.
In this situation (if there is only one incoming interface and one outgoing interface in the VLAN), we can disable the MAC address learning function in VLAN 950 and RSPAN will work.

Suggestions
This issue can occur only under the following preconditions:
  1. bi-directional traffic is mirrored;
  2. there are one or more transport network switches.


To avoid this issue, disable the MAC learning function in the RSPAN VLANs on all intermediate switches.
If disabling the MAC learning function is unsafe, use two different RSPAN VLANs for the incoming and outgoing mirrored traffic respectively.
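
The drop behaviour described under Root Cause and the two workarounds from Suggestions can be reproduced with a small model of a learning switch. This is an added example, not part of the original case: the port names and VLAN 950 are taken from the output above, while the MAC addresses A and B, VLAN 951 and per-VLAN (independent) MAC learning are assumptions.

```python
# Added illustration: minimal model of a learning L2 switch carrying an RSPAN VLAN.
# Port names and VLAN 950 come from the case; MACs A/B and VLAN 951 are constructed.

class Switch:
    def __init__(self, vlan_ports, learning=True):
        self.vlan_ports = vlan_ports      # vlan -> ports that are members of it
        self.learning = learning
        self.mac_table = {}               # (vlan, mac) -> port the MAC was learned on

    def forward(self, in_port, vlan, src, dst):
        """Return the list of egress ports for one frame ([] means dropped)."""
        if self.learning:
            self.mac_table[(vlan, src)] = in_port
        out = self.mac_table.get((vlan, dst))
        if out is None:                   # unknown unicast: flood within the VLAN
            return [p for p in self.vlan_ports[vlan] if p != in_port]
        if out == in_port:                # destination was learned on the ingress port
            return []                     # never sent back out of that port: dropped
        return [out]

A, B = "0000-0000-000a", "0000-0000-000b"   # constructed MACs of the two peers

def mirrored_stream(n, vlan_ab=950, vlan_ba=950):
    """n mirrored A<->B exchanges, all arriving on eth-trunk2 (constructed input)."""
    frames = []
    for _ in range(n):
        frames.append(("eth-trunk2", vlan_ab, A, B))   # mirrored copy of A -> B
        frames.append(("eth-trunk2", vlan_ba, B, A))   # mirrored copy of B -> A
    return frames

def delivered(switch, frames, sniffer_port="eth-trunk5"):
    """Count the frames that leave through the port facing the sniffer."""
    return sum(sniffer_port in switch.forward(*f) for f in frames)

PORTS = ["eth-trunk2", "eth-trunk5"]

def run_cases(n=1000):
    one_vlan = {950: PORTS}
    two_vlans = {950: PORTS, 951: PORTS}
    return {
        "learning_on": delivered(Switch(one_vlan, True), mirrored_stream(n)),
        "learning_off": delivered(Switch(one_vlan, False), mirrored_stream(n)),
        "two_vlans": delivered(Switch(two_vlans, True), mirrored_stream(n, 950, 951)),
    }

if __name__ == "__main__":
    print(run_cases())
```

With learning enabled in a single RSPAN VLAN, only the first frame, flooded before B is learned, reaches eth-trunk5; with learning disabled, or with one VLAN per direction, every mirrored frame is flooded to the sniffer port.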

 
