04-16-2007 09:29 AM - edited 03-05-2019 03:29 PM
We are trying to monitor all of our VOIP traffic and have been running into some issues so I'm in need of some help. In our current environment, we have a whole bunch of Cisco IP phones that are connected to both Cisco 3560, and 2950 switches. The 3560 and 2950 switches are trunked to two 3560 switches and the server that is sniffing the traffic is connected to one of the core switches. What we have found is that there are a lot of duplicate packets being received by the sniffer which is causing some issues there so I need to determine a better way to sniff the VOIP traffic. I have been reviewing the Cisco documentation on SPAN and RSPAN and just need to know which would be a more efficient way to capture the data. Currently the core switch is setup like this:
interface GigabitEthernet0/25
description SPAN port
switchport access vlan 10
switchport trunk encapsulation dot1q
monitor session 2 source vlan 10
monitor session 2 destination interface Gi0/25
VLAN 10 is our voice vlan and all of the ports on the 3560 and 2950 switches that the phones connect to are in that VLAN, here is an example of the ports configuration:
interface FastEthernet0/3
switchport access vlan 2
switchport mode access
switchport voice vlan 10
switchport port-security
switchport port-security maximum 3
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
macro description cisco-phone
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
So what I am wondering is should I configure a RSPAN VLAN and set the switches up to send the traffic there, or is there a more efficient way to use the current configuration with SPAN to see about avoiding the duplicate packets. Any assistance on this would be greatly appreciated.
04-20-2007 06:20 AM
RSPAN could be used if your sniffer is in another vlan. With rspan you could effectively send the traffic to be monitored to the device.
04-20-2007 07:36 AM
I understand that but the sniffer is in the same VLAN (vlan 10) so if I understand correctly, I should not need to go with RSPAN even though the traffic passes through different switches since it all comes together in VLAN 10 on my core switches which is where the sniffer is connected. That is where my confusion comes in, is it necessary to setup the RSPAN in order to sniff the traffic on the same VLAN across multiple switches. I'm still doing some looking and will hopefully get is figured out. Thank you.
04-20-2007 08:20 AM
Matt,
You are getting duplicate packets because you are capturing packets as they are received into the vlan and as they are transmitted out.
Try this:
monitor session 2 source vlan 10 rx
The default is for both rx and tx.
Please rate helpful posts.
Dave
04-20-2007 10:48 AM
OK, I will give that a shot and see if we get better results. Thanks for the help there.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide