RSPAN Question

bob.mckinley
Level 1

I have two Cisco 3560 switches, and I want to monitor the traffic going over 4 of the VLANs; all 4 VLANs traverse both switches. I understand how to create the RSPAN, using the http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swspan.html website. However, my hang-up is whether or not following this guide will allow me to monitor traffic from both switches. Reviewing this, it seems as if I'm only setting up the ability to monitor the VLAN(s) on the Remote Switch 2 and not Switch 1. Am I reading this incorrectly, or is there a way to monitor the VLANs from both switches using the RSPAN, or do I simply create the RSPAN on Switch2 and then a regular SPAN on Switch1, both of which have the same destination port?

Thanks,

Bob 

4 Replies

jfraasch
Level 3

You could make the destination interface your trunk port and be sure that on the other switch you have the trunk port monitored.

Kind of dirty but it would work.

James

Giuseppe Larosa
Hall of Fame

Hello Bob,

Your understanding is correct: the objective of RSPAN is to capture traffic on switch 1 and to have it transferred over an L2 trunk link permitting the RSPAN VLAN to switch 2, where the real destination port is configured with a protocol analyzer connected to it.

You should use a dedicated trunk with a high-speed interface that allows only the RSPAN VLAN.

If you can deploy two sniffers, you can use a second local SPAN session to capture traffic on switch 2.

This second local SPAN will have its own separate destination port.

Also, the fact that the VLANs you would like to monitor are present on both switches requires some thought.

Probably the safest move would be to define a list of source ports on switch 1 rather than a list of VLANs.

Hope to help

Giuseppe

Jon Marshall
Hall of Fame

Bob

From the doc you linked to -

The switch does not support a combination of local SPAN and RSPAN in a single session. That is, an RSPAN source session cannot have a local destination port, an RSPAN destination session cannot have a local source port, and an RSPAN destination session and an RSPAN source session that are using the same RSPAN VLAN cannot run on the same switch.

Basically you cannot use the same destination port for both SPAN and RSPAN, and yes, you are correct: if you set up RSPAN on sw1 to send to sw2 then you only see sw1's traffic for those VLANs. You would then need a local SPAN on sw2, and it can't use the same destination port.

Jon

Thanks everyone... I see where I missed that "does not support a combination of local SPAN and RSPAN in a single session" in the documentation. I guess I'm just going to have to install another NIC in the server running the Sniffer application and set up two different SPAN in each switch, plugging each NIC into the switches individually.

Thanks,

Bob
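
The layout Giuseppe and Jon describe (RSPAN from Switch 1 to Switch 2, plus a separate local SPAN on Switch 2 with its own destination port), as an added configuration sketch that is not from any poster or from the Cisco guide. The RSPAN VLAN ID and all interface numbers are assumptions.

```cisco
! Constructed example. Assumed values, none taken from the thread:
!   RSPAN VLAN 901, dedicated trunk Gi0/24 between the switches,
!   monitored access ports Gi0/1-2 on each switch,
!   analyzer NICs on Switch 2: Gi0/23 (RSPAN) and Gi0/22 (local SPAN).

! ===== Switch 1: RSPAN source session =====
vlan 901
 name RSPAN
 remote-span
!
interface GigabitEthernet0/24
 description Dedicated trunk, RSPAN VLAN only
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 901
!
! Source ports instead of VLANs, rx only, so a frame between two
! monitored ports is mirrored once, at the port where it enters.
monitor session 1 source interface GigabitEthernet0/1 rx
monitor session 1 source interface GigabitEthernet0/2 rx
monitor session 1 destination remote vlan 901

! ===== Switch 2: RSPAN destination session + local SPAN =====
vlan 901
 name RSPAN
 remote-span
!
interface GigabitEthernet0/24
 description Dedicated trunk, RSPAN VLAN only
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 901
!
! Session 1: traffic mirrored from Switch 1, out to analyzer NIC 1.
monitor session 1 source remote vlan 901
monitor session 1 destination interface GigabitEthernet0/23
!
! Session 2: Switch 2's own ports, out to analyzer NIC 2.
! It cannot reuse Gi0/23: a port can be the destination of one session only.
monitor session 2 source interface GigabitEthernet0/1 rx
monitor session 2 source interface GigabitEthernet0/2 rx
monitor session 2 destination interface GigabitEthernet0/22
```

`show monitor session all` on each switch lists the configured sessions with their sources and destinations.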
