RSPAN Question

Apr 6th, 2010

I have two Cisco 3560 switches that I want to monitor the traffic going over 4 of the VLANs; all 4 VLANs traverse both switches.  I understand how to create the RSPAN, using the http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swspan.html website.  However, my hang-up is whether or not following this guide will allow me to monitor traffic from both switches.  Reviewing this, it seems as if I'm only setting up the ability to monitor the VLAN(s) on the Remote Switch 2 and not Switch 1.  Am I reading this incorrectly, or is there a way to monitor the VLANs from both switches using the RSPAN, or do I simply create the RSPAN on Switch2 and then a regular SPAN on Switch1, both of which have the same destination port?

Thanks,

Bob 

jfraasch Tue, 04/06/2010 - 11:15

You could make the destination interface your trunk port and be sure that on the other switch you have the trunk port monitored.

Kind of dirty but it would work.

James

Giuseppe Larosa Tue, 04/06/2010 - 11:19

Hello Bob,

Your understanding is correct: the objective of RSPAN is to capture traffic on switch 1 and to have it transferred over an L2 trunk link permitting the RSPAN VLAN to switch 2, where the real destination port is configured with a protocol analyzer connected to it.

You should use a dedicated trunk with a high-speed interface that allows only the RSPAN VLAN.

If you can deploy two sniffers, you can use a second local SPAN session to capture traffic on switch2.

This second local SPAN will have its own separate destination port.

Also, the fact that the VLANs you would like to monitor are present on both switches requires some thought.

Probably the safest move would be to define a list of source ports on switch1 rather than a list of VLANs.

Hope to help

Giuseppe

Jon Marshall Tue, 04/06/2010 - 11:21

Bob

From the doc you linked to -

The switch does not support a combination of local SPAN and RSPAN in a single session. That is, an RSPAN source session cannot have a local destination port, an RSPAN destination session cannot have a local source port, and an RSPAN destination session and an RSPAN source session that are using the same RSPAN VLAN cannot run on the same switch.

Basically you cannot use the same destination port for both SPAN and RSPAN and yes, you are correct, if you set up RSPAN on sw1 to send to sw2 then you only see sw1's traffic for those VLANs. You would then need a local SPAN on sw2 and it can't use the same destination port.

Jon
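
The layout described in the replies above (RSPAN from switch 1 to switch 2, plus a separate local SPAN on switch 2 with its own destination port), as an added example that is not part of the original posts. The VLAN IDs (10, 20, 30, 40), the RSPAN VLAN (901), the VLAN name and all interface numbers are assumptions chosen for illustration.

```cisco
! ===== Switch 1: RSPAN source session =====
! RSPAN transport VLAN (ID 901 is an assumed, otherwise unused VLAN)
vlan 901
 name RSPAN-TRANSPORT
 remote-span
!
! Copy received traffic on the monitored VLANs into the RSPAN VLAN.
! An RSPAN source session has no local destination port.
monitor session 1 source vlan 10 , 20 , 30 , 40 rx
monitor session 1 destination remote vlan 901
!
! Trunk toward switch 2 (assumed Gi0/24) must carry the RSPAN VLAN.
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan add 901
!
! ===== Switch 2: RSPAN destination session + local SPAN =====
vlan 901
 name RSPAN-TRANSPORT
 remote-span
!
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan add 901
!
! Session 1: RSPAN destination session, switch 1's traffic to sniffer NIC 1.
! It has no local source port, only the RSPAN VLAN.
monitor session 1 source remote vlan 901
monitor session 1 destination interface GigabitEthernet0/1
!
! Session 2: local SPAN of switch 2's own traffic to sniffer NIC 2.
! It must use a different destination port than session 1.
monitor session 2 source vlan 10 , 20 , 30 , 40 rx
monitor session 2 destination interface GigabitEthernet0/2
```

Because the monitored VLANs exist on both switches, a frame that crosses the inter-switch trunk is received on both switches and so appears in both captures; monitoring a list of source ports on switch 1 instead of VLANs avoids this.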

bob.mckinley Tue, 04/06/2010 - 11:28

Thanks everyone... I see where I missed that "does not support a combination of local SPAN and RSPAN in a single session" in the documentation.  I guess I'm just going to have to install another NIC in the server running the Sniffer application and set up two different SPAN in each switch, plugging each NIC into the switches individually.

Thanks,

Bob
