Tag Archives: RSPAN

RSPAN and 802.1q Tags Limitation

I had to do a lot of traffic captures recently. Being a lazy guy and to avoid floor walking, I decided to use RSPAN on my Catalyst 3750 switches. I was able to collect a lot of useful data from the remote ports with except to one particular case – it’s when remote port was in a trunking mode configured to trust CoS. Although, I have changed Windows 7 registry settings to support Monitor Mode on Intel 82577LM Gigabit NIC, Wireshark was not able to see 802.1q headers of the remote frames captured from the trunk port. That driven me nuts before I understood the cause (tried to re-install NIC drivers, read Wireshark FAQ, tampered with Windows Registry).

It turned out to be a limitation of the RSPAN feature. Just quoting Cisco website:

For RSPAN, the original VLAN ID is lost because it is overwritten by the RSPAN VLAN identification. Therefore, all packets appear on the destination port as untagged.

Reasonable. You cannot use RSPAN to capture original Layer 2 headers. RSPAN forwards Layer 2 traffic to the remote switch via a trunk port and that requires to strip off the original Layer 2 headers, including 802.1q.

For more information refer to Cisco guides, i.e. Configure SPAN and RSPAN on Catalyst 3560.