cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
418
Views
4
Helpful
4
Replies

SPAN or RSPAN - which would be better

mpozorski
Level 1
Level 1

We are trying to monitor all of our VOIP traffic and have been running into some issues so I'm in need of some help. In our current environment, we have a whole bunch of Cisco IP phones that are connected to both Cisco 3560, and 2950 switches. The 3560 and 2950 switches are trunked to two 3560 switches and the server that is sniffing the traffic is connected to one of the core switches. What we have found is that there are a lot of duplicate packets being received by the sniffer which is causing some issues there so I need to determine a better way to sniff the VOIP traffic. I have been reviewing the Cisco documentation on SPAN and RSPAN and just need to know which would be a more efficient way to capture the data. Currently the core switch is setup like this:

interface GigabitEthernet0/25

description SPAN port

switchport access vlan 10

switchport trunk encapsulation dot1q

monitor session 2 source vlan 10

monitor session 2 destination interface Gi0/25

VLAN 10 is our voice vlan and all of the ports on the 3560 and 2950 switches that the phones connect to are in that VLAN, here is an example of the ports configuration:

interface FastEthernet0/3

switchport access vlan 2

switchport mode access

switchport voice vlan 10

switchport port-security

switchport port-security maximum 3

switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

srr-queue bandwidth share 10 10 60 20

srr-queue bandwidth shape 10 0 0 0

mls qos trust device cisco-phone

mls qos trust cos

macro description cisco-phone

auto qos voip cisco-phone

spanning-tree portfast

spanning-tree bpduguard enable

So what I am wondering is should I configure a RSPAN VLAN and set the switches up to send the traffic there, or is there a more efficient way to use the current configuration with SPAN to see about avoiding the duplicate packets. Any assistance on this would be greatly appreciated.

4 Replies 4

carenas123
Level 5
Level 5

RSPAN could be used if your sniffer is in another vlan. With rspan you could effectively send the traffic to be monitored to the device.

I understand that but the sniffer is in the same VLAN (vlan 10) so if I understand correctly, I should not need to go with RSPAN even though the traffic passes through different switches since it all comes together in VLAN 10 on my core switches which is where the sniffer is connected. That is where my confusion comes in, is it necessary to setup the RSPAN in order to sniff the traffic on the same VLAN across multiple switches. I'm still doing some looking and will hopefully get is figured out. Thank you.

dgahm
Level 8
Level 8

Matt,

You are getting duplicate packets because you are capturing packets as they are received into the vlan and as they are transmitted out.

Try this:

monitor session 2 source vlan 10 rx

The default is for both rx and tx.

Please rate helpful posts.

Dave

OK, I will give that a shot and see if we get better results. Thanks for the help there.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: