RSPAN over multiple switches

Unanswered Question
Mar 23rd, 2009

Hello, All!

I have a problem with an RSPAN monitoring session over multiple switches.

My configuration is like this:

|catalyst1 2960|---|some switch1|---|some switch2|---|catalyst2 2960|

The Catalysts are under my control, while some switch 1 and 2 are under the control of other admins. Probably, the "some switches" are HP switches.

VLAN 100 spans these switches and operates correctly.


Catalyst1 configuration:

vlan 100
 name rspan-vlan
 remote-span
!
monitor session 1 source vlan 123
monitor session 1 destination remote vlan 100
!

Catalyst2 configuration:

vlan 100
 name rspan-vlan
 remote-span
!
monitor session 2 destination interface Fa0/1
monitor session 2 source remote vlan 100
!


However, traffic from VLAN 123 is not reaching the remote destination port. What is the problem?

thotsaphon Mon, 03/23/2009 - 12:28

Hi Eugeniy,

Please let me know whether some sw1 and some sw2 already know about vlan 100. How are the 4 switches connected? Trunk? Access?


HTH,

Toshi

Eugene Khabarov Mon, 03/23/2009 - 12:34

Yes, it is connected via trunk ports.

VLAN 100 is fully operational.

Giuseppe Larosa Mon, 03/23/2009 - 12:37

Hello Eugeniy,

Remote span could be a Cisco proprietary feature.

The remote-span command instructs the switches to disable MAC address learning.

However, you need a clean L2 path end to end, with VLAN 100 defined on all links in the list of permitted VLANs, and all links have to be trunk ports.

In the CCO configuration examples, the switches in the middle also define the VLAN as a remote-span VLAN.

You can configure any VLAN as an RSPAN VLAN as long as these conditions are met:

-The same RSPAN VLAN is used for an RSPAN session in all the switches.

>>>-All participating switches support RSPAN.

See

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swspan.html#wp1073772

So I'm afraid you cannot go through the two HP switches.


Hope to help

Giuseppe
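
The conditions listed in the reply above can be checked mechanically against saved configurations. The following is an added example, not part of any post in this thread: `parse` and `check_path` are hypothetical helper names, all four switches are assumed to use IOS-style syntax, the two edge configurations are the ones posted in the question, and the trunk stanza and middle-switch configuration are constructed for illustration.

```python
import re

def vlan_set(spec):
    """Expand an IOS VLAN list such as '1-10,100' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse(config):
    """Collect the RSPAN-relevant facts from one switch's config text."""
    f = {"rspan": set(), "source": set(), "destination": set(), "trunks": {}}
    vlan = iface = None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan, iface = int(m[1]), None
        elif m := re.fullmatch(r"interface (\S+)", line):
            vlan, iface = None, m[1]
        elif line == "!":
            vlan = iface = None
        elif line == "remote-span" and vlan is not None:
            f["rspan"].add(vlan)
        elif iface and (m := re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", line)):
            f["trunks"][iface] = vlan_set(m[1])
        elif m := re.fullmatch(r"monitor session \d+ (source|destination) remote vlan (\d+)", line):
            f[m[1]].add(int(m[2]))
    return f

def check_path(path, vid):
    """path: ordered (name, config) pairs, source switch first. Returns findings."""
    facts = [(name, parse(cfg)) for name, cfg in path]
    out = [f"{n}: vlan {vid} is not declared remote-span" for n, f in facts if vid not in f["rspan"]]
    out += [f"{n}: trunk {i} does not allow vlan {vid}"
            for n, f in facts for i, a in f["trunks"].items() if vid not in a]
    if vid not in facts[0][1]["destination"]:
        out.append(f"{facts[0][0]}: no session sends to remote vlan {vid}")
    if vid not in facts[-1][1]["source"]:
        out.append(f"{facts[-1][0]}: no session reads from remote vlan {vid}")
    return out

# Edge configs are the ones posted in the thread; TRUNK and MIDDLE are constructed.
TRUNK = "interface Gi0/1\nswitchport mode trunk\nswitchport trunk allowed vlan 100,123\n!\n"
CAT1 = TRUNK + "vlan 100\nname rspan-vlan\nremote-span\n!\nmonitor session 1 source vlan 123\nmonitor session 1 destination remote vlan 100\n"
CAT2 = TRUNK + "vlan 100\nname rspan-vlan\nremote-span\n!\nmonitor session 2 destination interface Fa0/1\nmonitor session 2 source remote vlan 100\n"
MIDDLE = TRUNK + "vlan 100\nname rspan-vlan\n!\n"  # VLAN exists, but as an ordinary VLAN
PATH = [("catalyst1", CAT1), ("switch1", MIDDLE), ("switch2", MIDDLE), ("catalyst2", CAT2)]

if __name__ == "__main__":
    print("\n".join(check_path(PATH, 100)) or "path OK")
```

With the constructed middle configuration, the edge sessions pass and the two findings point at the intermediate switches, which carry VLAN 100 but do not treat it as an RSPAN VLAN.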


thotsaphon Mon, 03/23/2009 - 12:46

Hi,

I'm afraid that Giuseppe nailed this problem.


Good Job! 5P.

Toshi

Eugene Khabarov Mon, 03/23/2009 - 12:49

Yes, you are right.

>>All participating switches support RSPAN

This is clearly defined.

So any ideas about how to monitor traffic on vlan 123?

Giuseppe Larosa Mon, 03/23/2009 - 13:11

Hello Eugeniy,

The only possible option is a local span with a sniffer connected to the destination port of the first C2960.

For a short-time capture you can think of using a laptop with Wireshark (Ethereal) installed.

Hint: if you have a PC with two NICs you can control it remotely.


Hope to help

Giuseppe


thotsaphon Mon, 03/23/2009 - 13:16

Eugene,

Can I allow Vlan123 to go through Cat1->someSw1->someSw2->Cat2? I will then do a span-port (locally) on Cat2. It's not a good idea though. (grin)

Giuseppe has provided a good solution.

Toshi

Eugene Khabarov Tue, 03/24/2009 - 00:22

>>Can I allow Vlan123 go through Cat1->someSw1->someSw2->Cat2? I will then do a span-port(Locally) on Cat2. It's not a good idea though. (grin)

You can allow vlan 123 through these switches, but SPAN in this case will not collect traffic from Cat1.

And you are right, this is not a good idea.

Eugene Khabarov Tue, 03/24/2009 - 00:24

>>for a short time capture you can think to use a laptop with wireshark (ethereal) installed.

This is not a good idea. The collector is a special server, connected to Cat2.
