SPAN and RSPAN question

Unanswered Question
Aug 3rd, 2009

Hi all,

I have a question about rspan which I am unable to lab up at this time. The topology is the following:


An rspan vlan 300 is defined on all switches and trunks.

Suppose I mirror some ports on the core, to the rspan vlan and then from the rspan vlan to a destination port on the core itself (this may seem strange, but it allows me to apply a vacl on the rspan vlan and filter capture traffic).

Question is: if all mirroring stays local to the core, is the rspan traffic flooded to the access switches or not?

jbrenesj Mon, 08/03/2009 - 11:17

I have been asked about this scenario several times.

You are pretty much wanting to do a "local RSPAN" and you want traffic from a local port on the core to be sent out an RSPAN vlan and then be sent back to the core itself. This is not going to work.

I have done several labs trying to find a workaround and the only one I won't recommend.

Use two sessions:

- RSPAN to capture traffic from Access1

- SPAN to capture traffic from the ports on Core

Both sessions will have different destination ports on the Core and you'll plug a hub to both ports and also connect the single monitoring server/device here.

Since a destination port will be up/down (monitoring) it won't accept input frames, but if you ever disable the SPAN sessions then you'll create a loop.

Once again, it's not recommended.

Wouldn't it be easier to get another switch and send traffic from Access1, 2 and core via RSPAN to this new switch that will get traffic from the rspan vlan and send it to one of its ports?

gnijs Mon, 08/03/2009 - 11:36

If it is not supported, why does Cisco recommend it in its own SRND?

Server Farm Security in the Business Ready Data Center Architecture v2.1

See page 7.18 and 7.19

