Hello experts, I hope that you can help me figuring out why am I not able to see any EAPoL messages on my remote SPAN port configuration, this is my scenario: Laptop (authenticating) -- Switch1 -- Switch2 -- Laptop (Monitor) For more detail scenario Laptop -- <port g0="" 2=""> Switch1 (Cisco 3560-CG) <port g0="" 10=""> -- <port g1="" 0="" 15=""> Switch2 (Cisco 3750G) <port g2="" 0="" 2=""> The configuration from switch1: monitor session 1 source interface Gi0/1 - 7 monitor session 1 destination remote vlan 101 The configuration from Switch2: monitor session 2 destination interface Gi2/0/2 monitor session 2 source remote vlan 101 AS you can see I'm using remote span configuration and using remote vlan 101 to carry all my traffic. When I turn on tshark or wireshark and make a filter eapol or eth.type == 0x888e I can't see anything, no packets coming to that port. Now what's important to mention is that if I use a local port on the 3560-CG, without any remote span am able to see all the packets, eapol and eth.type... What am I missing, should the cisco SPAN port forward all packets? There are no other commands for the cisco to configure special fields. Thanks and I hope that someone can help me. Regards asked 24 Apr '17, 11:37 payala |
One Answer:
I would seriously look into the details of the Cisco equipment at hand. EAPoL is specifically destined for 'The Nearest Bridge', that means your switch port. With a local monitor port it's probably capable of capturing frames low enough near the Phy to get even the EAPoL frames, while an RSPAN probably latches on to the switching fabric, where EAPoL frames are nowhere to be found. answered 24 Apr '17, 13:47 Jaap ♦ |
Thanks for the clarification, now makes sense. If I want to check EAPoL messages then I should make them locally, there is no way to transport over RSPAN or ERSPAN. Thanks again