RSPAN, SPAN and general monitoring techniques

Answered Question
Oct 22nd, 2007

I have a dilemma. I need to monitor 4 links for inbound and outbound traffic. A hub is out of the question as traffic won't be separated. Currently I am using a product called nTap to tap the four links back to a Cisco switch. The problem is SPAN only allows for 2 sessions. So 2 links can't be monitored. Attached is a diagram. Would RSPAN be better? Is RSPAN easier to configure? What exactly is VSPAN and when would it be best applicable?



Kevin Dorrell Tue, 10/23/2007 - 07:15

I am sure this will be possible.


Generally, it is not one session per port source monitored. Each session can monitor several ports in the switch.


But before I give you a load of configs that you cannot use, what sort of switches are you working with: IOS or CatOS? And what model?


Kevin Dorrell

Luxembourg


brandon.n Tue, 10/23/2007 - 07:28

Thanks Kevin... we have any switch you can name. Preferably I want to do it on a 3550 but a 3750 is okay as well. IOS version only, no CatOS.

Correct Answer
Kevin Dorrell Tue, 10/23/2007 - 07:53

So, create an RSPAN VLAN and make sure it goes wherever you need it.


Then, on the switch(es) you want to source from:

monitor session 1 source interface f2/2 options
monitor session 1 source interface f2/8 options
etc
monitor session 1 destination remote vlan 40
exit
show monitor

On your sniffing switch:

monitor session 1 source remote vlan 40
monitor session 1 destination interface f0/4
exit
show monitor


Kevin Dorrell

Luxembourg
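
The answer above says to create the RSPAN VLAN but does not show that step. The following end-to-end sketch is an added example, not part of Kevin's post: VLAN 40 and ports f2/2, f2/8 and f0/4 are taken from the answer, while the trunk port g0/1, the VLAN name and the "both" direction are assumptions, and the syntax assumes a platform such as the 3750 that needs no extra port for the RSPAN source session.

```cisco
! Constructed example. VLAN 40, f2/2, f2/8 and f0/4 come from the answer above.
! The trunk port g0/1, the VLAN name and the "both" direction are assumptions.

! --- On every switch in the path (source, transit and sniffing) ---
configure terminal
vlan 40
 name RSPAN
 remote-span
exit
! Only needed where the trunk's allowed-VLAN list is restricted (assumed port).
interface g0/1
 switchport trunk allowed vlan add 40
exit

! --- On the source switch: several ports feed one session ---
monitor session 1 source interface f2/2 both
monitor session 1 source interface f2/8 both
monitor session 1 destination remote vlan 40
end

! --- On the sniffing switch: deliver VLAN 40 to the analyzer port ---
configure terminal
monitor session 1 source remote vlan 40
monitor session 1 destination interface f0/4
end

! --- Verify on each switch ---
show vlan remote-span
show monitor session 1
```

VLAN 40 carries a copy of every mirrored frame, so keep it off access ports and allow it only on the trunks between the source and sniffing switches.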



brandon.n Tue, 10/23/2007 - 08:18

Excellent Kevin.. I will try this. Your help is greatly appreciated :)

Konstantin Dunaev Tue, 10/23/2007 - 23:31

Don't forget that on low-end switches, e.g. 2950, 2970, you need the mirror port to configure the RSPAN session. That port should not be used and should not be in "disable" status.

