RSPAN need to configure on 6500, 4500

mdzahooruddin
Level 1

I have a scenario to configure RSPAN to monitor traffic for Websense.

The source is connected to a 6509 and the destination is connected to a 4507R.

The 6500 is configured as the backbone with a VSS configuration,

and the 4500 is used as a server farm; both are connected to each other via a trunk link.

19 Replies

altheb_5
Level 1

Good, if you need to monitor traffic across different switches you must use RSPAN.

The configuration you need is below:

Example:

Destination is connected to the 6509 on port f0/2 (VTP Server mode)

Web server is connected to the 4507R via port F0/1 (VTP Client mode)

First you must configure a Remote VLAN to handle the traffic between the two switches.

6509:

6509(config)# vlan 2
6509(config-vlan)# remote-span
6509(config-vlan)# exit

4507:

4507(config)# monitor session 1 source interface f0/1 (you can choose receive, send, both)
4507(config)# monitor session 1 destination remote vlan 2

6509:

6509(config)# monitor session 1 source remote vlan 2
6509(config)# monitor session 1 destination interface f0/2

Show command:

show monitor session 1

Remember that the destination port (f0/2) can't send any packets; it is a receive-only port.

Hope this helps

Thanks for the reply.

I would like to inform you that we are not using VTP Server/Client mode.

We are using normal VLANs.

As the source is connected to the 6509, from there we need to send a copy of all traffic to Websense, i.e. connected to the 4507R.

I think we need to configure the same VLAN on both switches.

Example:

6509(config)# vlan 150

4507(config)# vlan 150

Do we need to enable remote span on both switches?

Please reply.

If you don't use VTP, you must create the same VLAN in both switches and configure it as remote span.
If you don't tag this VLAN as a remote-span VLAN, RSPAN will not work properly.
As you say:
6509(config)# vlan 150
6509(config-vlan)# remote-span

4507(config)# vlan 150
4507(config-vlan)# remote-span

The other configuration is the same as before.
That's it.

For more info, see the attached picture.

Dear Khalid,

Correct me if I am wrong.

In my scenario, which will be the source?

6500 connected to the firewall to reach the internet

4500 connected to the Websense server

If it is still right please let me know. Thanks again for your reply.

4507:

4507(config)# monitor session 1 source interface f0/1 (you can choose receive, send, both)
4507(config)# monitor session 1 destination remote vlan 2

6509:

6509(config)# monitor session 1 source remote vlan 2
6509(config)# monitor session 1 destination interface f0/2

In your case, answer my question:
Q1: Do you need a copy of the traffic that the 6500 sends to the firewall, with that copy sent to the Websense server?

Yes.

As per their request they need a copy of all traffic to the Websense server that

is forwarded to the firewall.

OK.

6500:

6500(config)# monitor session 1 source interface (port No. connected to the firewall)
6500(config)# monitor session 1 destination remote vlan (VLAN ID)

4500:

4500(config)# monitor session 1 source remote vlan (VLAN ID)
4500(config)# monitor session 1 destination interface (Websense server port)

Note that Websense can't send any traffic, only receive.

If you try to ping after the configuration, the ping will show "request timed out", because the Websense server port is the destination port for RSPAN.

But it will receive a copy of all traffic.

Thanks for the reply.

One last question: is it going to be an interruption

if we are going to implement it in production hours, i.e. working hours?

No problem, you can do it in working hours.

But if you want my recommendation, create the VLAN and do it after working hours. It will take 2 minutes,
to be on the safe side.

Thanks for the reply.

We have a small change in our configuration. Before, the firewall was connected to the 6500; now it will be connected to a WS-C3560-48PS-S switch.

I would like to know whether this switch is compatible with the RSPAN configuration.

Yes, the 3560 is compatible with the RSPAN configuration.

After applying the configuration below I found I was unable to reach the Websense server.

ISS SAS

3560:

3560(config)# vlan 150
3560(config-vlan)# remote-span

3560(config)# monitor session 1 source interface Fa0/41
3560(config)# monitor session 1 destination remote vlan 150

4500:

4507(config)# vlan 150
4507(config-vlan)# remote-span

4507(config)# monitor session 1 source remote vlan 150
4507(config)# monitor session 1 destination interface Gi1/18

6500:

6507(config)# vlan 150
6507(config-vlan)# remote-span

Hello,

On the 4507 please try configuring the ingress forwarding feature with the SPAN configuration:

monitor session 1 destination interface gi 1/18 ingress

You might need to add the MAC address of the Websense server manually to the MAC address table and the ARP table.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/52sg/configuration/guide/span.html#wp1036989

Hope this helps.

Regards,

NT

I told you before: the destination port will be a receive-only port, so you can't ping, etc.
The port will only receive a copy of the traffic.

You can use two network adapters in the Websense server:
one for received traffic (the destination in RSPAN),
and a second port for management.
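To make the requirements from this thread checkable before a change window, here is an added example (not code from the thread or from Cisco) that reads IOS-style running-config text for the three switches in the path and reports what is missing: a VLAN without remote-span on any switch, a missing source or destination session, and a destination port without the ingress keyword, which is what leaves the Websense host receive-only. The three configs are constructed to mirror the ones posted above; the switch names and ports are assumed from the thread.

```python
"""Sanity-check an RSPAN deployment from IOS running-config text (added example,
not code from the thread). The configs are constructed to mirror the switches
posted above: 3560 source, 6500 in the path, 4507 destination."""
import re

CONFIGS = {
    "3560": "vlan 150\n remote-span\n"
            "monitor session 1 source interface Fa0/41\n"
            "monitor session 1 destination remote vlan 150\n",
    "6507": "vlan 150\n remote-span\n",
    "4507": "vlan 150\n remote-span\n"
            "monitor session 1 source remote vlan 150\n"
            "monitor session 1 destination interface Gi1/18\n",
}
SRC_RVLAN = re.compile(r"^monitor session \d+ source remote vlan (\d+)$", re.M)
DST_RVLAN = re.compile(r"^monitor session \d+ destination remote vlan (\d+)$", re.M)
DST_IFACE = re.compile(r"^monitor session \d+ destination interface (\S+)(.*)$", re.M)

def remote_span_vlans(cfg):
    """VLAN ids whose 'vlan N' block contains the remote-span command."""
    vlans, current = set(), None
    for line in cfg.splitlines():
        if not line.startswith(" "):  # a new top-level command
            m = re.fullmatch(r"vlan (\d+)", line.strip())
            current = int(m.group(1)) if m else None
        elif current is not None and line.strip() == "remote-span":
            vlans.add(current)
    return vlans

def check_rspan(configs, rspan_vlan):
    """Return findings; an empty list means every switch in the path is set up."""
    findings, vid = [], str(rspan_vlan)
    for name, cfg in configs.items():  # source, transit and destination switches
        if rspan_vlan not in remote_span_vlans(cfg):
            findings.append(f"{name}: vlan {vid} is not marked remote-span")
    if not any(vid in DST_RVLAN.findall(c) for c in configs.values()):
        findings.append(f"no session sends traffic into remote vlan {vid}")
    if not any(vid in SRC_RVLAN.findall(c) for c in configs.values()):
        findings.append(f"no session pulls traffic out of remote vlan {vid}")
    for name, cfg in configs.items():
        if vid in SRC_RVLAN.findall(cfg):  # this is the destination switch
            for iface, rest in DST_IFACE.findall(cfg):
                if "ingress" not in rest.split():  # port is receive-only
                    findings.append(f"{name}: {iface} lacks 'ingress', host can only receive")
    return findings

if __name__ == "__main__":
    for f in check_rspan(CONFIGS, 150):
        print(f)
```

Run against the thread's configs it reports only the missing ingress keyword on Gi1/18, which matches the symptom described (copies arrive, but the server cannot be reached).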
