If you plan to use SPAN to mirror network ports, take care how you use it.
If you just use „monitor session # source interface xY“ and „monitor session # destination interface xY“ you can get unwanted results. Without adding „monitor session # destination interface xY ingress vlan #“ you can get frames from other uplink ports.
To preserve vlan tags you need to add „encapsulation dot1q“ to the „destination interface“ command. You also need to make sure, that your monitoring device, connected to the destination port, is able to understand dot1q tags, otherwise the monitoring device removes the tag. There are some registry hacks for monitoring devices with Windows and Intel network cards, but I can’t promise that those will work.
Also mind the duplicate packet issue with SPAN. Please see this link for details. Mike Schiffman explains it really good.
Summed up: SPAN works for me the best with following commands:
- „monitor session # source interface xY rx/tx/both“
- „monitor session # destination interface xX encapsulation dot1q ingress vlan id #“
- # stands for any number
Newer devices like the Cisco 3850 with the IOS XE release already include wireshark, but this is bound to ipbase or ipservice license. Please see this link for details. Hopefully they’ll also add it to lanbase later on.
One general hint: For debugging start from the first interface you know and handle forward through each interface you can, until you find the problem.