08-03-2009 11:04 AM - edited 03-06-2019 07:04 AM
Hi all,
I have a question about RSPAN which I am unable to lab up at this time. The topology is the following:
ACCESS1-----CORE-----ACCESS2
An RSPAN VLAN 300 is defined on all switches and trunks.
Suppose I mirror some ports on the core to the RSPAN VLAN, and then from the RSPAN VLAN to a destination port on the core itself (this may seem strange, but it allows me to apply a VACL on the RSPAN VLAN and filter capture traffic).
Question is: if all mirroring stays local to the core, is the RSPAN traffic flooded to the access switches or not?
08-03-2009 11:17 AM
I have been asked about this scenario several times.
You are pretty much wanting to do a "local RSPAN" and you want traffic from a local port on the core to be sent out an RSPAN vlan and then be sent back to the core itself. This is not going to work.
I have done several labs trying to find a workaround and the only one I won't recommend.
Use two sessions:
- RSPAN to capture traffic from Access1
- SPAN to capture traffic from the ports on Core
Both sessions will have different destination ports on the Core and you'll plug a hub to both ports and also connect the single monitoring server/device here.
Since a destination port will be up/down (monitoring) it won't accept input frames, but if you ever disable the SPAN sessions then you'll create a loop.
Once again, it's not recommended.
Wouldn't it be easier to get another switch and send traffic from Access1, 2 and core via RSPAN to this new switch that will get traffic from the RSPAN VLAN and send it to one of its ports?
08-03-2009 11:36 AM
If it is not supported, why does Cisco recommend it in its own SRND??
Server Farm Security in the Business Ready Data Center Architecture v2.1
See page 7.18 and 7.19