RSPAN in 6500 and 4500 (CatOS)

Answered Question
May 23rd, 2007
User Badges:

Hi,


We are required to setup an RSPAN. We are using 6500 as the core switch and 4500 as the access/distro switch. One of our client uses VLAN 155, 196, and 200. All their workstations are scattered in the entire network (including the core). I need to monitor these 3 VLANs and dump all the data to the network physics box in CoreA. The configuration in the Cisco website is kinda confusing to me. We are using version 7.6 CatOS.


My initial configuration was this:



Create RSPAN VLAN:

set vlan 600 rspan name Client_RSPAN_VLAN


To all access/distribution switches:

set rspan source 155,196,200 600 both


To PHCoreA:

set rspan source 1/1-2,2/1-9,2/11-12,2/15-16 600

set rspan destination 6/35 600


To PHCoreB:

set rspan source 2/1-3,2/5-12,2/15-16 600

set rspan source 155,196,200 600 both


I just copied how Cisco did the destination command. Base from my understanding, my source for all the access/distro switches will all be VLAN 155, 196, and 200 then the destination will be VLAN 600. But the destination port in PHCoreA was kinda confusing to me, why do I need to issue the RSPAN_VLAN as the destination port?


The network physics box is located at 6/35. Why do I need to add 600 on the line?


And why do I need to include all the trunk ports as the source? This might sniff other VLAN aside from the stated above.


Any suggestion?


-John

Correct Answer by hoogen_82 about 9 years 11 months ago

Yes for the first question. Well the trunk is likely to carry all the traffic probably most of your vlans in the network, so you would be getting unwanted traffic. Its best not to include your trunk links traffic into the rspan vlan.


-Hoogen

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
hoogen_82 Thu, 05/24/2007 - 00:55
User Badges:
  • Silver, 250 points or more

Let me clear your doubts, your scenario is to monitor traffic on the vlans 155, 199, and 200.


For RSPAN first you need to create a RSPAN vlan to which all your monitored traffic will be dumped in your case it is vlan 600.


so you issue the command set vlan 600 rspan.


Next you need to get your traffic on to the RSPAN vlan.


You do this by the command


set rspan source 155,196,200 600 both (which you have done).


You do not need to get the rspan source for your trunk links again. This becomes another session.


Now coming to the part where you are going to send the data collected to the box for analysis.


You use the command set rspan destination 6/35 600.


You should see something like


Rspan Type : Destination


Destination : Port 6/35


Rspan Vlan : 600


Admin Source : -


Oper Source : -


Direction : -


Incoming Packets: disabled


Learning : enabled


Multicast : -


Filter : -


Console> (enable)


Where you are ensuring that the correct rspan vlan information is being sent to the destination for anaylsis.


One more thing you don't need to have your destination in both Core A and Core B. All your Vlan traffic is collected and can be sent to that single RSPAN destination.


Have you though about SPAN, it requires very less configuration and on your network since you are doing Vlan span its very good.


set span 155,196,200 6/35 both


do a question mark after the command and get the inpkts also enabled, the above command is just of my head i remeber configuring on my customer site. Span is good too.


HTH

Hoogen


Do rate if you find this post helpful :)

John Patrick Lopez Thu, 05/24/2007 - 06:05
User Badges:

Hi Hoogen,


Thanks for the reply. So this command means like this.


set rspan destination 6/35 600.


Dump all the traffic to port 6/35 from VLAN 600? Is that what it means? Also, I noticed that in my configuration, I included module 1(Sup Engine) and 2 (GBIC module) as the source and VLAN 600 as the destination VLAN. (these are the trunk links down to the access/distro switches) In this case, I will be able to capture data not included in the given scenario. Is that right? So I need to remove that line.


Thanks.

Correct Answer
hoogen_82 Thu, 05/24/2007 - 08:54
User Badges:
  • Silver, 250 points or more

Yes for the first question. Well the trunk is likely to carry all the traffic probably most of your vlans in the network, so you would be getting unwanted traffic. Its best not to include your trunk links traffic into the rspan vlan.


-Hoogen

Actions

This Discussion