SPAN and RSPAN question

Aug 3rd, 2009

Hi all,

I have a question about rspan which I am unable to lab up at this time. The topology is the following:

ACCESS1-----CORE-----ACCESS2

An rspan vlan 300 is defined on all switches and trunks.

Suppose I mirror some ports on the core to the rspan vlan, and then from the rspan vlan to a destination port on the core itself (this may seem strange, but it allows me to apply a vacl on the rspan vlan and filter capture traffic).

Question is: if all mirroring stays local to the core, is the rspan traffic flooded to the access switches or not?

jbrenesj Mon, 08/03/2009 - 11:17

I have been asked about this scenario several times.

You are pretty much wanting to do a "local RSPAN" and you want traffic from a local port on the core to be sent out an RSPAN vlan and then be sent back to the core itself. This is not going to work.

I have done several labs trying to find a workaround and the only one I won't recommend.

Use two sessions:

- RSPAN to capture traffic from Access1

- SPAN to capture traffic from the ports on Core

Both sessions will have different destination ports on the Core and you'll plug a hub to both ports and also connect the single monitoring server/device here.

Since a destination port will be up/down (monitoring) it won't accept input frames, but if you ever disable the SPAN sessions then you'll create a loop.

Once again, it's not recommended.

Wouldn't it be easier to get another switch and send traffic from Access1, 2 and core via RSPAN to this new switch that will get traffic from the rspan vlan and send it to one of its ports?

gnijs Mon, 08/03/2009 - 11:36

If it is not supported, why does Cisco recommend it in its own SRND??

Server Farm Security in the Business Ready Data Center Architecture v2.1

See page 7.18 and 7.19
