Re: Configuring RSPAN

wilson_1234_2 · ‎08-01-2007

I have two 6509 switches trunked together.

6509 #1 is downstairs, 6509 #2 is up stairs.

There is also a router connected to the 6509 upstairs that connects our remote sites to the main site.

I have a 3550 switch downstairs that is used in a training room, also trunked to the 6509 upstairs.

We have a network monitoring device that is going to sit upstairs on the 6509 #2.

We would like to set up a session that will capture all traffic on the internal network.

If I create an RSPAN session on the switches to capture all vlans that I want to monitor and the destination port is on the upstairs 6509, will I also be able to capture the traffic on the upstairs 6509?

The source vlans are on all switches and I am unclear when configuring the RSPAN session, if the destination port on the upstairs 6509 will also capture traffic on the VLAN ports on the same switch.

For example, if I configure the RSPAN to capture (source VLANs) VLAN 2-20 and the destination port is on the upstairs 6509, will I also capture the traffic on the ports that are members of VLANs 2-20 on the upstairs 6509 where the destination port resides?

Question 2:

Will I also capture the traffic inbound from the router in those VLANS on the upstars switch?

hardiklodhia · ‎08-01-2007

Hi,

As per the rspan functoinality,all configured source vlans/ports traffic will be carried in rspan vlan which is specifically confugured to forward rspan traffic to destination port/monitoring port.

check this:http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080121d34.html

so answer is yes it will carry if configured on upstair switch.

hope this will help.

rgrds,

wilson_1234_2 · ‎08-01-2007

Ok then if I can do it then, I will configure this on the remote switches:

Conf t

vlan 998

remote-span

monitor session 1 source VLAN 2-20

monitor session 1 destination remote vlan 998

But how do I configure the destination switch to to monitor the source VLANs locally and remotely?

For example, my understanding is that the source switches are going to send all VLANs configured to VLAN998

on the destination switch:

conf t

monitor session 1 source vlan xxx

monitor session 1 destination interface fa X/x -> port connected to the monitoring server.

How do I set the upstairs switch to be the destination switch for remote RSPN vlan 998 and to source all the other local VLANs on it?

byju70 · ‎09-06-2007

Configure the RSpan vlan in destination switch and also trunk the vlan 998 to other switch.

vlan 998

remote-span

monitor session 1 source remote vlan 998

monitor session 1 destination int X/X

deepak.pandey · ‎09-08-2007

Here the RSPAN configuration for 6509#2 connected to the network monitoring device.

!Define the RSPAN VLAN Let's say vlan 100

vlan 100

remote-span

! Monitor session 1 captures bidirectional traffic from source vlan's to RSPAN VLAN 100.

monitor session 1 source vlan 2 - 20

monitor session 1 destination remote vlan 100

! Monitor session 2 captures bidirectional traffic from RSPAN VLAN 100 to interface conected to network monitoring device

!for ex fa4/29 connected to network monitoring device

monitor session 2 source remote vlan 100

monitor session 2 destination interface fa4/29

On downstair switches do the following configuration

!Define the RSPAN VLAN Let's say vlan 100

vlan 100

remote-span

! Monitor session 1 captures bidirectional traffic from source vlans to RSPAN VLAN 100

monitor session 1 source vlan 2 - 20

monitor session 1 destination remote vlan 100

hope this will help

Regrds

Deepak Pandey

cindylee27 · ‎09-10-2007

Hi All,

Add-on ..lets say if I have one remote switch at floor 5 that I only want to monitor port fa0/14 and it is on vlan 3, how can I do it at the destination switch in floor 10.THe port i wanna sniff with ethereal is at port fa0/5 switch at floor 10.

What is the configuration for the source and destination switch?

thanks in advanced!