Solved: Re: RSPAN in 6500 and 4500 (CatOS)

jpl861 · ‎05-23-2007

Hi,

We are required to setup an RSPAN. We are using 6500 as the core switch and 4500 as the access/distro switch. One of our client uses VLAN 155, 196, and 200. All their workstations are scattered in the entire network (including the core). I need to monitor these 3 VLANs and dump all the data to the network physics box in CoreA. The configuration in the Cisco website is kinda confusing to me. We are using version 7.6 CatOS.

My initial configuration was this:

Create RSPAN VLAN:

set vlan 600 rspan name Client_RSPAN_VLAN

To all access/distribution switches:

set rspan source 155,196,200 600 both

To PHCoreA:

set rspan source 1/1-2,2/1-9,2/11-12,2/15-16 600

set rspan destination 6/35 600

To PHCoreB:

set rspan source 2/1-3,2/5-12,2/15-16 600

set rspan source 155,196,200 600 both

I just copied how Cisco did the destination command. Base from my understanding, my source for all the access/distro switches will all be VLAN 155, 196, and 200 then the destination will be VLAN 600. But the destination port in PHCoreA was kinda confusing to me, why do I need to issue the RSPAN_VLAN as the destination port?

The network physics box is located at 6/35. Why do I need to add 600 on the line?

And why do I need to include all the trunk ports as the source? This might sniff other VLAN aside from the stated above.

Any suggestion?

-John

hoogen_82 · ‎05-24-2007

Yes for the first question. Well the trunk is likely to carry all the traffic probably most of your vlans in the network, so you would be getting unwanted traffic. Its best not to include your trunk links traffic into the rspan vlan.

-Hoogen

View solution in original post

hoogen_82 · ‎05-24-2007

Let me clear your doubts, your scenario is to monitor traffic on the vlans 155, 199, and 200.

For RSPAN first you need to create a RSPAN vlan to which all your monitored traffic will be dumped in your case it is vlan 600.

so you issue the command set vlan 600 rspan.

Next you need to get your traffic on to the RSPAN vlan.

You do this by the command

set rspan source 155,196,200 600 both (which you have done).

You do not need to get the rspan source for your trunk links again. This becomes another session.

Now coming to the part where you are going to send the data collected to the box for analysis.

You use the command set rspan destination 6/35 600.

You should see something like

Rspan Type : Destination

Destination : Port 6/35

Rspan Vlan : 600

Admin Source : -

Oper Source : -

Direction : -

Incoming Packets: disabled

Learning : enabled

Multicast : -

Filter : -

Console> (enable)

Where you are ensuring that the correct rspan vlan information is being sent to the destination for anaylsis.

One more thing you don't need to have your destination in both Core A and Core B. All your Vlan traffic is collected and can be sent to that single RSPAN destination.

Have you though about SPAN, it requires very less configuration and on your network since you are doing Vlan span its very good.

set span 155,196,200 6/35 both

do a question mark after the command and get the inpkts also enabled, the above command is just of my head i remeber configuring on my customer site. Span is good too.

HTH

Hoogen

Do rate if you find this post helpful :)

jpl861 · ‎05-24-2007

Hi Hoogen,

Thanks for the reply. So this command means like this.

set rspan destination 6/35 600.

Dump all the traffic to port 6/35 from VLAN 600? Is that what it means? Also, I noticed that in my configuration, I included module 1(Sup Engine) and 2 (GBIC module) as the source and VLAN 600 as the destination VLAN. (these are the trunk links down to the access/distro switches) In this case, I will be able to capture data not included in the given scenario. Is that right? So I need to remove that line.

Thanks.

hoogen_82 · ‎05-24-2007

Yes for the first question. Well the trunk is likely to carry all the traffic probably most of your vlans in the network, so you would be getting unwanted traffic. Its best not to include your trunk links traffic into the rspan vlan.

-Hoogen