07-09-2009 06:41 AM - edited 03-06-2019 06:40 AM
I am having difficulties with getting RSPAN traffic over my trunk link.
Here's the setup.
PC1 ---Gi1/0/1--- Core Sw -Gi1/0/2---Gi1/0/1--- Access switch ---Gi1/0/2--- PC2
PC3 ---Gi1/0/3--------|
PC 3 is the sniffer.
PC1: 192.168.1.1/24
Core switch: 192.168.1.2/24 (Gi1/0/1)
Core Switch: 192.168.2.2/24 (Gi1/0/2)
Access switch: 192.168.2.1/24 (Gi1/0/1)
Access switch: 192.168.3.1/24 (Gi1/0/2)
PC2: 192.168.3.2/24
Cisco IOS 3750
Core sw
Interface Gi1/0/1
no switchport
ip address 192.168.1.2 255.255.255.0
no shut
Interface Gi1/0/2
no switchport
ip address 192.168.2.2 255.255.255.0
no shut
monitor session 1 source remote vlan 999
monitor session 1 destination interface Gi1/0/3
monitor session 2 source interface Gi1/0/1 rx
monitor session 2 destination remote vlan 999
Cisco IOS 3750
Access switch
Interface Gi1/0/1
no switchport
ip address 192.168.2.1 255.255.255.0
no shut
Interface Gi1/0/2
no switchport
ip address 192.168.3.1 255.255.255.0
no shut
monitor session 1 source interface gi1/0/2 rx
monitor session 1 destination remote vlan 999
I'm trying to ping from PC 2 to PC 1. Apparently, it wasn't captured on PC3 for some reason.
Could anyone help look at whether my "monitor session" statements are correctly configured?
Thanks.
07-09-2009 06:49 AM
You need to tell the VLAN that it is a remote span VLAN.
conf t
vlan 199
remote-span
Verify the remote-span VLAN by using "show vlan remote-span"; it should be a remote span VLAN on all switches. Make sure no other traffic is using that VLAN.
HTH,
Craig
07-09-2009 07:06 AM
That command, I think, is a 6500 switch command. Is there a 3750 equivalent command?
07-09-2009 07:09 AM
I just verified it on my 3750, works fine.
IOS 12.2(46)SE Adv IP Services image.
HTH,
Craig
07-09-2009 07:18 AM
Thanks Craig.
I will try it out tomorrow first thing in the morning. Will keep ya posted.
07-09-2009 06:35 PM
monitor session 1 source remote vlan 999
monitor session 1 destination interface Gi1/0/3
monitor session 2 source interface Gi1/0/1 rx
monitor session 2 destination remote vlan 999
I have gotten the output from remote vlan. But it doesn't have all the output I want. Seems like nothing is coming out from
monitor session 2 source interface Gi1/0/1 rx
monitor session 2 destination remote vlan 999
For the above statement,
Is it right to copy the traffic to the remote vlan 999 and have the remote vlan 999 traffic go to destination port on the same switch? The reason I'm asking is because I am not getting any output from the above 2 statements.
07-10-2009 06:20 AM
Is there a reason you are sending it to an RSPAN on the same switch? I don't know if that would work.
What I would recommend (since the 3750 supports 2 source span sessions):
monitor session 1 source interface gi 1/0/3
monitor session 1 destination interface gi 1/0/3
monitor session 2 source interface gi 1/0/1
monitor session 2 destination remote vlan 999
This would send traffic to the gi 1/0/3 interface as well as the RSPAN.
HTH,
Craig
07-10-2009 07:36 AM
In order to carry the RSPAN traffic across the switch you need to have the RSPAN VLAN configured on all the switches. Also, please make sure that you have an L2 trunk link between all the switches for RSPAN to work. It looks like you are configuring the link between the switches as L3 links and I wonder that it will not work the same way as you are expecting. Do the following:
A. Please remove the L3 port interface config from the switches.
B. Assign the same IP to the VLAN SVIs.
C. Create a trunk link between all the switches and make sure that the RSPAN VLAN exists on all the switches.
This should work fine and in case of any problem, paste your config.
HTH,
-amit singh
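The RSPAN layout recommended in the replies above, written out as an added example (it is not configuration posted by any participant in this thread). VLAN 999 and the monitored/sniffer ports come from the original post; the trunk port Gi1/0/24 is a hypothetical placeholder for the real inter-switch trunk.

```cisco
! ===== Both switches: declare VLAN 999 as the RSPAN VLAN =====
! Without "remote-span" the VLAN is an ordinary VLAN and mirrored
! frames are not carried as RSPAN traffic.
vlan 999
 remote-span
!
! ===== Both switches: Layer 2 trunk between the switches =====
! Gi1/0/24 is a hypothetical port name (assumption). RSPAN needs a
! Layer 2 path; a routed ("no switchport") link does not carry VLAN 999.
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
! If the trunk has a restricted allowed-VLAN list, VLAN 999 must be in it.
!
! ===== Access switch only: RSPAN source session =====
! Copies traffic received on the PC2-facing port into VLAN 999.
monitor session 1 source interface GigabitEthernet1/0/2 rx
monitor session 1 destination remote vlan 999
!
! ===== Core switch only: RSPAN destination session =====
! Takes whatever arrives in VLAN 999 and sends it to the sniffer port.
monitor session 1 source remote vlan 999
monitor session 1 destination interface GigabitEthernet1/0/3
!
! ===== Verification (privileged EXEC, on each switch) =====
! show vlan remote-span      -> VLAN 999 must be listed on both switches
! show interfaces trunk      -> VLAN 999 must be allowed and active on the trunk
! show monitor session 1     -> confirms source and destination of the session
```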
07-10-2009 07:53 AM
amit,
I don't mean to hijack this thread, but I have a question regarding SPAN sessions and the direction of traffic.
According to Cisco documentation:
"Monitored Traffic Direction
You can configure local SPAN sessions, RSPAN source sessions, and ERSPAN source sessions to monitor ingress traffic (called ingress SPAN), or to monitor egress traffic (called egress SPAN), or to monitor traffic flowing in both directions.
Ingress SPAN copies traffic received by the source ports and VLANs for analysis at the destination port. Egress SPAN copies traffic transmitted from the source ports and VLANs. When you enter the both keyword, SPAN copies the traffic received and transmitted by the source ports and VLANs to the destination port."
I can understand how either direction of traffic on a port is mirrored to the destination port.
But if you have a layer three switch and you designate the direction of traffic like so:
monitor session 1 source vlan 2-20 rx
monitor session 1 destination interface Gi1/1
Is the traffic mirrored from the layer 2 vlan or the SVI of the vlan on the switch?
If it is the layer 2 vlan, what is considered the ingress or egress point of the layer 2 vlan?
If it is the SVI of the vlan, would the mirrored traffic be the traffic received on the SVI from the devices in the vlan using the SVI as a default gateway?
07-10-2009 08:24 AM
Is the traffic mirrored from the layer 2 vlan or the SVI of the vlan on the switch?
Traffic is mirrored from the Layer 2 VLAN, in effect it really just adds all the ports that are assigned to VLAN 2 including trunk interfaces.
If it is the layer 2 vlan, what is considered the ingress or egress point of the layer 2 vlan?
Either ingress, egress or both, again you are just monitoring all the ports in the specified VLAN.
If it is the SVI of the vlan, would the mirrored traffic be the traffic received on the SVI from the devices in the vlan using the SVI as a default gateway?
Not the SVI, any traffic routed will not be monitored, whether ingress or egress.
HTH,
Craig
07-10-2009 08:11 AM
Hi amit,
Besides the L3 ports, I have trunk ports between switches configured. They work fine.
Apparently it works for the one part (Access switch to core), and the part (RSPAN on core switch) that doesn't work is the one which I have mentioned.
I understand remote span works across switches. But it seems to me that copying traffic from a source port to a destination remote span vlan on the same switch didn't give any output. So I was just clarifying what I didn't do right.
07-10-2009 09:20 AM
Sorry, just looked over my post, I mistyped one of your interfaces.
monitor session 1 source interface gi 1/0/1
monitor session 1 destination interface gi 1/0/3
monitor session 2 source interface gi 1/0/1
monitor session 2 destination remote vlan 999
First line should have been a source interface of gi 1/0/1, so this would send span traffic to Gi 1/0/3 and to your RSPAN for int gi 1/0/1.
Craig
07-10-2009 09:43 AM
Thanks Craig,
So using this explanation:
"Traffic is mirrored from the Layer 2 VLAN, in effect it really just adds all the ports that are assigned to VLAN 2 including trunk interfaces.
If it is the layer 2 vlan, what is considered the ingress or egress point of the layer 2 vlan?
Either ingress, egress or both, again you are just monitoring all the ports in the specified VLAN."
And with this config:
monitor session 1 source vlan 2-20 rx
monitor session 1 destination interface Gi1/1
We can say that all traffic on the ingress of each individual port in vlans 2-20 will be mirrored to interface Gi1/1?
and conversely,
We can say that all traffic on the egress of each individual port in vlans 2-20 will be mirrored to interface Gi1/1 with this config:
monitor session 1 source vlan 2-20 tx
monitor session 1 destination interface Gi1/1
07-10-2009 09:46 AM
Absolutely, and here is a link that probably explains it better than I did :)
Craig
07-10-2009 09:49 AM
I would like to monitor both PC 1 and 2 and copy the traffic to Gi1/0/3. How do the following lines do that?
Am I right in saying that based on the following lines proposed? I won't be monitoring traffic from remote vlans since I don't see "source remote vlan 999" in the proposed line.
#####################
monitor session 1 source interface gi 1/0/1
monitor session 1 destination interface gi 1/0/3
monitor session 2 source interface gi 1/0/1
monitor session 2 destination remote vlan 999
First line should have been a source interface of gi 1/0/1, so this would send span traffic to Gi 1/0/3 and to your RSPAN for int gi 1/0/1.
#####################