New Member

RSPAN Sessions and IDS

Are RSPAN "Sessions" Inclusive or exclusive of each other?

Can you send traffic from 1 session to another?

In other words, if I want to monitor 3 vlans with active hosts that reside across several switches, including the one with the destination port (IDS), will this work?

monitor session 1 source vlan 10 - 12 rx

monitor session 1 destination remote vlan 555 reflector-port Fa0/10

monitor session 2 source remote vlan 555

monitor session 2 destination interface Fa0/24

Does Session 1 "move" the traffic to be inspected by session 2 (where the IDS is located per f0/24)?

Or does session 1 just send the traffic back over the Trunk (RSPAN Vlan) link?

1 REPLY
Cisco Employee

Re: RSPAN Sessions and IDS

This is the line that confuses me:

monitor session 1 destination remote vlan 555 reflector-port Fa0/10

I don't know what the "reflector-port Fa0/10" will do. Is this a Cat 6K? I have not seen that option in the Cat 6K documentation.

My experience has all been on the Cat 6K.

On the Cat 6K with Native IOS if you execute the following commands:

monitor session 1 source vlan 10 - 12 rx

monitor session 1 destination remote vlan 555

monitor session 2 source remote vlan 555

monitor session 2 destination interface Fa0/24

Then the session 1 traffic from vlans 10-12 WILL be spanned to port Fa0/24 (along with the traffic from remote spans from other connected switches).

The session 1 source traffic WILL become session 2 source traffic in the above configuration on a Cat 6K.

What I can't guarantee you is if the same will hold true on the span command on other Cisco switches.

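The following is an added example, not code from either post: a small Python audit helper that parses `monitor session` lines and reports which locally sourced VLANs end up mirrored to each destination (IDS) port, assuming the session chaining the reply describes for the Cat 6K with Native IOS. The function names are hypothetical, and it only sees sessions in the one configuration it is given, so traffic spanned in from other switches is not counted.

```python
import re
# Constructed sample: the four commands from the Cat 6K reply above.
CONFIG = """\
monitor session 1 source vlan 10 - 12 rx
monitor session 1 destination remote vlan 555
monitor session 2 source remote vlan 555
monitor session 2 destination interface Fa0/24
"""
LINE = re.compile(r"^monitor session (\d+) (source|destination) (.+)$")

def expand_vlans(spec):
    """Expand '10 - 12' or '10,20-22' into a sorted list of VLAN ids."""
    vlans = set()
    for part in re.sub(r"\s*-\s*", "-", spec).replace(",", " ").split():
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return sorted(vlans)

def parse(config):
    """Return {session id: its source VLANs, RSPAN VLANs and destination ports}."""
    sessions = {}
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid, role, rest = int(m.group(1)), m.group(2), m.group(3)
        s = sessions.setdefault(sid, {"src_vlans": [], "src_rspan": None,
                                      "dst_rspan": None, "dst_ports": []})
        rest = re.sub(r"\s+(rx|tx|both)$", "", rest)  # drop direction keyword
        if rest.startswith("remote vlan "):
            # Third token is the RSPAN VLAN; a trailing reflector-port is ignored.
            key = "src_rspan" if role == "source" else "dst_rspan"
            s[key] = int(rest.split()[2])
        elif role == "source" and rest.startswith("vlan "):
            s["src_vlans"] += expand_vlans(rest[5:])
        elif role == "destination" and rest.startswith("interface "):
            s["dst_ports"].append(rest.split()[1])
    return sessions

def ids_coverage(config):
    """Map each destination port to the local VLANs that reach it (assumed chaining)."""
    sessions, coverage = parse(config), {}
    for rx in sessions.values():
        feeders = [tx for tx in sessions.values()
                   if rx["src_rspan"] is not None and tx["dst_rspan"] == rx["src_rspan"]]
        vlans = set(rx["src_vlans"]).union(*(tx["src_vlans"] for tx in feeders))
        for port in rx["dst_ports"]:
            coverage[port] = sorted(vlans)
    return coverage
```

An empty VLAN list for a port means no local session feeds the RSPAN VLAN that port listens on, which is worth checking before relying on the IDS for those segments.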