
RSPAN over layer 3 links

nir.antebi.85
Level 1

Hello,

I'm facing a scenario in which I have 2 sites connected with an L3 (a cloud - not p2p) connection between them.

The topology looks something like this:

VM server <--Lan--> C6500 <--LAN--> C3845 <--WAN--> C3845 <--LAN--> C4500 <--LAN--> Source IPT

The purpose of this is to monitor voice calls - which are in a separate vlan in the C4500.

I've searched the web for a solution, but all I came up with is ERSPAN which is not supported on C4500.

There's another solution with l2tpv3, but I think it is rather complicated for this scenario (many changes) - there must be something else... no?

Is it possible to accomplish L3 SPAN over a WAN to sniff the network?

Has anyone faced a situation like this?

Your feedback is highly appreciated,

Thanks for the help.

Nir.

7 Replies

dennisv99
Level 1

Hi Nir,

As far as I know, RSPAN is not possible over layer 3 links.

I've been searching for a solution for this myself for a while now and found out that Wireshark has some sort of remote capturing feature: http://www.wireshark.org/docs/wsug_html_chunked/ChCapInterfaceRemoteSection.html

I haven't tested it so far, but I think you can install a service on a PC which is capturing a spanned port. With another PC that has Wireshark installed, you can download the capture files or maybe even live data.

greets

Dennis

Hi Dennis,

Thanks for the prompt reply!

I'm looking for a different solution though, something that will not require installing something on a pc, but a config on the Switches (with the Voice Vlan), and the destination will be the VM server with the application that will analyze the traffic.

Thanks!

Giuseppe Larosa
Hall of Fame

Hello Nir,

You can use VLAN-based L2TPv3 point-to-point L2 transport over the two C3845 to carry the RSPAN VLAN, with the performance limitations of the software-based routers and with the speed limitation of the WAN link.

Have a look at vlan based L2TPv3 on:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtl2tpv3.html#wp1046193

The new VLAN has to be enabled on links between the C3845 and the LAN switches, and you would need to use an 802.1Q L2 trunk on the switch side and an SVI for the VLAN(s) where L3 communication with the WAN router has to take place.

If you are using routed ports, you can use additional ports configured as 802.1Q trunks to carry only the new RSPAN VLAN, and you will need additional ports also on the C3845 routers (unless you want to migrate the current links to 802.1Q L2 trunks).

From the point of view of the two LAN switches, an end-to-end L2 path for RSPAN is set up, and you should be able to move captured traffic to the other site over the L3 WAN link if the WAN link speed is greater than the mirrored traffic volume.

The C3845 will need an IOS image of an appropriate feature set to support L2TPv3. You can check this using Feature Navigator at

http://www.cisco.com/go/fn

You can search by image name or by feature name.

>> There's another solution with l2tpv3, but I think it is rather complicated for this scenario (many changes) - there must be something else... no?

With your devices L2TPv3 is the only option; EoMPLS can be used only between higher-end devices.

Hope to help

Giuseppe

Hi Giuseppe,

Thanks for the help!

I've configured the L2TPv3 connection between 2 routers in a lab first.

Now I need to configure the RSPAN connection to collect as source a VLAN that is on LAN1, and send as destination to the VLAN of xconnect, right?

Do I need to make the VLAN of xconnect the remote span VLAN?

Thanks again

Hello Nir,

>> do I need to make the vlan of xconnect as the remote span vlan?

Yes, that is the idea.

Hope to help

Giuseppe
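
Added example (not part of the original thread, and not configuration posted by any participant): a sketch of the design discussed above, with VLAN 5 acting both as the RSPAN VLAN and as the VLAN carried by the L2TPv3 xconnect. The interface names, the 192.0.2.x loopback addresses, the pseudowire-class name RSPAN-PW and voice VLAN 100 are assumptions chosen for illustration.

```cisco
! --- Source-site switch (C4500): mirror the voice VLAN into RSPAN VLAN 5
vlan 5
 remote-span
!
! VLAN 100 is an assumed voice VLAN ID
monitor session 1 source vlan 100
monitor session 1 destination remote vlan 5
!
! Dedicated 802.1Q trunk to the local C3845 carrying only the RSPAN VLAN
! (set the trunk encapsulation to dot1q first where the platform requires it)
interface GigabitEthernet1/1
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 5
!
! --- Source-site C3845: bridge VLAN 5 into an L2TPv3 pseudowire
pseudowire-class RSPAN-PW
 encapsulation l2tpv3
 ip local interface Loopback0
!
! Loopback0 is assumed to be 192.0.2.1 here and 192.0.2.2 on the far router,
! reachable across the WAN
interface GigabitEthernet0/1.5
 encapsulation dot1Q 5
 xconnect 192.0.2.2 5 pw-class RSPAN-PW
!
! --- Far-site C3845: same pseudowire-class, xconnect pointing back
interface GigabitEthernet0/1.5
 encapsulation dot1Q 5
 xconnect 192.0.2.1 5 pw-class RSPAN-PW
!
! --- Destination-site switch (C6500): deliver RSPAN VLAN 5 to the analyzer
vlan 5
 remote-span
!
monitor session 1 source remote vlan 5
! Port facing the VM server that runs the analysis application (assumed name)
monitor session 1 destination interface GigabitEthernet2/1
```

The virtual circuit ID (5 here) must match on both xconnect statements, and the trunk between the far-site C3845 and the C6500 must also carry VLAN 5.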

Hi Giuseppe,

I have another question though...

Whenever I put this command:

"monitor session 1 destination remote vlan 5 reflector-port Fa0/24"

(Fast 0/24 is the connection to the router) the port goes down - and there is no possibility to remove the command "reflector-port"

This is the port that is supposed to be configured... or do I have to make a separate connection for this reflector port?

Thanks,

Use ERSPAN, this is supported by Cisco to pass the monitored traffic over layer 3 using GRE tunnels.

Hope this is what you were looking for.

See link below. http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/span.html#wp1063324
