cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
586
Views
0
Helpful
6
Replies

RSPAN with Multiple Sites

mmelbourne
Level 5
Level 5

Hi,

We have a number of sites where we are using RSPAN over LAN-extension services for mirroring Voice VLAN traffic to a centralised voice recorder.

Across the sites and the core network we have configured one RSPAN VLAN. On each edge switch we are capturing voice vlan traffic (rx and tx) and setting the monitor session destination as the RSPAN VLAN. In the core, we use the RSPAN VLAN as a monitor session source and map it onto a physical destination port (where the voice recorder resides).

So, at the edge sites we have:

monitor session 1 source vlan <VOICE VLAN>

monitor session 1 destination remote 900

At in the core, we have

monitor session 1 source remote vlan 900

monitor session 1 destination interface fastEthernet 8/19

(The edge switches are 3750s, and the core is a 6509 switch with Sup720 srunning IOS 12.2(18)SXD7b).

What we are seeing is heavy utilisation on the remote site LES links and it appears to be RSPAN VLAN traffic replicated across all trunks, not just the traffic sourced from the local site and significant inbound traffic on VLAN 900 at the edge switches, which I wouldn't expect to see (we've temporarily pruned the RSPAN VLAN from a edge site trunk and seen the inbound traffic levels fall). If an RSPAN VLAN is common across a number of edge switches (because they all require RSPAN), will traffic be replicated across all trunks?

We had considered using an RSPAN VLAN per remote site, but different RSPAN source VLANs cannot map to a single physical destination port in the core.

6 Replies 6

Amit Singh
Cisco Employee
Cisco Employee

Do you have the same voice vlan across all the edge switches?

Please paste a brief network diagram

-amit singh

The voice VLAN is different at each site. The core switches are VTP servers and the edge switches are configured as VTP Transparent. VLANs are manually configured on both sides of the trunk links. Some sites are dual connected to the two core switches; other have a single connection and we are seeing the same behaviour.

One of the sites is not yet using IPT, but we are receiving about 7-8Mbps of traffic at the edge switch. If we prune the RSPAN VLAN from the trunks on the core switches, the inbound traffic on this edge switch drops to less than 1Mbps (about normal utilisation).

It does appear that the RSPAN traffic from one site is being sent towards other sites, and I am trying to understand whether this is normal behaviour, a configuration issue or a bug. There are no obvious bugs for the IOS code we're running on the Sup720s relating to RSPAN.

I may be wrong with this but I belive your problem is the 900 vlan which is present on each of the switches you have in the diagram.

Try this

543 SPAN to 901

544 SPAN to 902

545 SPAN to 903

Prune the 901 903 903 were they are not needed. Use these VLANs to carry the traffic to the switch were your recorder is connected

On that switch

monitor session 1 source remote vlan 901 902 903

monitor session 1 destination interface fastEthernet 8/19

Thanks for that, but it appears that only a single RSPAN VLAN can be specified in the monitor session source. Similarly I can't create multiple sessions (one for each RSPAN VLAN) which have a common monitor session destination.

The answer to this behaviour may be because, as specified in this document under the RSPAN VLAN section, it states that "All Traffic in the RSPAN VLAN is always flooded." and "No MAC learning takes place on the RSPAN VLAN":

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00802c1133.html#wp1157376

This may well explain why all RSPAN VLAN x traffic is flooded to all switched which have VLAN 900 configured as an RSPAN VLAN and are connected to the core via a trunk carrying VLAN 900.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco