RSPAN need to configure on 6500, 4500

Unanswered Question
Jul 20th, 2010

I have a scenario to configure RSPAN to monitor traffic for Websense.

The source is connected to the 6509 and the destination is connected to the 4507R.

The 6500 is configured as backbone with VSS configuration

and the 4500 is used as a server farm. Both are connected to each other via a trunk link.

Good. If you need to monitor traffic across different switches, you must use RSPAN.

The configuration you need is below:

Example :

Destination is connected to 6509 in port f0/2  ( VTP Server mode )

Web server is connected to 4507R via port F0/1 (VTP Client mode)

First you must configure a remote VLAN to handle the traffic between the two switches

6509 :

#vlan 2

(vlan)# remote-span

exit

4507 :

#monitor session 1 source interface f0/1 (you can choose receive, send, both)

#monitor session 1 destination remote vlan 2

6509:

#monitor session 1 source remote vlan 2

#monitor session 1 destination interface f0/2

show command :

show monitor session 1

Remember that the destination port (f0/2) can't send any packets; it is a receive-only port.

Hope this helps

mdzahooruddin Tue, 07/20/2010 - 04:30

Thanks for reply.

I would like to inform you that we are not using VTP Server/Client mode.

We are using normal VLANs.

As the source is connected to the 6509, from there we need to send a copy of all traffic to Websense, i.e. connected to the 4507R.

I think we need to configure the same VLAN on both switches.

example.

config 6509 # Vlan 150

config 4507 # Vlan 150

Do we need to enable remote span on both switches?

Please reply.....

If you don't use VTP, you must create the same VLAN on both switches and configure it as remote span.
If you don't tag this VLAN as a remote span VLAN, RSPAN will not work properly.
As you say:
config 6509 # Vlan 150
config 6509 (Vlan)#remote-span

config 4507 # Vlan 150
config 4507 (Vlan)#remote-span

And the other configuration is the same as before.
That's it.

For more info, see the attached picture.

mdzahooruddin Tue, 07/20/2010 - 05:19

Dear Khalid,

Correct me if I am wrong.

In my scenario, which will be the source?

6500 connected to firewall to reach internet

4500 connected to Websense server

If it is still right please let me know. Thanks again for your reply....

4507 :

#monitor session 1 source  interface f0/1 (you can choose receive, send, both)

#monitor  session 1 destination remote vlan 2

6509:

#monitor  session 1 source remote vlan 2

#monitor session 1  destination interface f0/2

mdzahooruddin Tue, 07/20/2010 - 05:42

Yes

As per their request they need a copy of all traffic to the Websense server that is forwarding to the firewall

ok

6500 :


#monitor  session 1 source interface (port No. connect to firewall)

#monitor session 1  destination remote vlan (vlan ID)

4500 :

#monitor session 1 source  Remote vlan  (vlan ID)

#monitor  session 1 destination interface (Websense server)

Now Websense can't send any traffic, only receive.

If you try to ping after the configuration, the ping will show (request time out) because the web server port is the destination port for RSPAN.

But it will receive a copy of all traffic.

mdzahooruddin Tue, 07/20/2010 - 06:11

Thanks for reply.

One last question: is it going to be an interruption if we implement it in production hours, i.e. working hours?

mdzahooruddin Fri, 07/23/2010 - 21:49

Thanks for reply...

We have a small change in our configuration: before, the firewall was connected to the 6500. Now it will be connected to a WS-C3560-48PS-S switch.

I would like to know whether this switch is compatible with RSPAN configuration?

mdzahooruddin Sun, 08/08/2010 - 00:13

After applying the configuration below I found I was unable to reach the Websense server

3560  :

config 3560 # Vlan 150

config 3560 #(Vlan)#remote-span

config 3560 #monitor  session 1 source interface fa 0/41

config 3560 #monitor session 1  destination remote vlan 150

4500 :

config 4507 # Vlan 150

config 4507 #(Vlan)#remote-span

config 4507 #monitor session 1 source  Remote vlan  150

config 4507 #monitor  session 1 destination interface gig 1/18

6500 :

config 6507 # Vlan 150

config 5607 #(Vlan)#remote-span

Nagaraja Thanthry Sun, 08/08/2010 - 00:42

Hello,

On 4507 please try configuring ingress forwarding feature with the SPAN configuration.

monitor session 1 destination interface gi 1/18 ingress

You might need to add the MAC address of the Web Sense server manually to the MAC address table and the ARP table.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/52sg/conf...

ation/guide/span.html#wp1036989

Hope this helps.

Regards,

NT

mdzahooruddin Sun, 08/08/2010 - 04:32

I have also done that configuration.

I doubt it might be a bug in IOS on the 4500.

Our problem is once we implement configuration on 4507 where server is connected, we found that our connectivity is lost.

mdzahooruddin Sun, 08/08/2010 - 22:39

No, only I am not able to reach the Websense server once I implement the RSPAN configuration

Nagaraja Thanthry Sun, 08/08/2010 - 22:50

Hello,

Is the ingress VLAN you are specifying in the monitor session configuration the same as the VLAN where the WebSense device should be? Also, have you configured a static MAC address table entry for the WebSense server?

Mac address-table static

Hope this helps.

Regards,

NT
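
An added example, not part of any post in this thread: a small Python check that audits an RSPAN path across several switches for the two issues discussed above, a VLAN that is not marked remote-span on every switch and a destination port configured without the ingress keyword. The config fragments are constructed for illustration (the 4507 entry deliberately omits remote-span and ingress), and the function names are hypothetical.

```python
import re

# Constructed running-config fragments modelled on the thread's 3560 -> 6500 -> 4507 path.
CONFIGS = {
    "3560": """vlan 150
 remote-span
monitor session 1 source interface Fa0/41
monitor session 1 destination remote vlan 150
""",
    "6500": """vlan 150
 remote-span
""",
    "4507": """vlan 150
monitor session 1 source remote vlan 150
monitor session 1 destination interface Gi1/18
""",
}

def rspan_vlans(cfg):
    """VLAN ids whose vlan block contains the remote-span keyword."""
    pat = r"^vlan (\d+)[ \t]*\n(?:[ \t]+.*\n)*?[ \t]+remote-span[ \t]*$"
    return {int(v) for v in re.findall(pat, cfg, re.M)}

def audit(configs):
    """Return a list of findings for an RSPAN path spanning several switches."""
    findings, sent, received = [], {}, {}
    for name, cfg in configs.items():
        for m in re.finditer(r"^monitor session \d+ destination remote vlan (\d+)", cfg, re.M):
            sent[int(m.group(1))] = name
        for m in re.finditer(r"^monitor session \d+ source remote vlan (\d+)", cfg, re.M):
            received[int(m.group(1))] = name
        for m in re.finditer(r"^monitor session \d+ destination interface (\S+)(.*)$", cfg, re.M):
            if "ingress" not in m.group(2).split():
                findings.append(f"{name}: {m.group(1)} is receive-only (no ingress keyword)")
    for vlan in sorted(set(sent) | set(received)):
        if vlan not in sent or vlan not in received:
            findings.append(f"vlan {vlan}: source and destination sessions do not pair up")
        for name, cfg in configs.items():
            if vlan not in rspan_vlans(cfg):
                findings.append(f"{name}: vlan {vlan} is not marked remote-span")
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIGS):
        print(finding)
```
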
