Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
402
Views
0
Helpful
3
Replies

RSPAN with intermidiate switch. Where ports on intermidiate switch also acts as a RSPAN source

MaximBudyonny
Level 1
Level 1

‎09-02-2010 07:51 AM - edited ‎03-06-2019 12:47 PM

Hello,

I'm confused with rspan.
The task.

Send mirrored traffic from sw2 to the sensor connected to sw3 through sw1. The issue is that sw1 have been already configured to act as source for rspan.

Here is the scheme:

endpoints to be monitored 2
|

trunk

|
[[[sw2 cat3750]]]
|

trunk
|
[[[sw1 cat4507]]]---endpoints that are already monitored
|

trunk
|
[[[sw3 cat4503]]]--sensor

Just now, traffic from sources connected to sw1 is sending via rspan to sensor sw1-->sw3. It works pretty fine.

Can I just add rspan as a remote source on sw2?

==on sw2==
vlan 1000
remote-span

monitor session 1 source interface <list>
monitor session 1 destination remote vlan 1000

==on sw1==
--------here is already working rspan config
monitor session 2 source interface  <list>
monitor session 2 destination remote vlan 1000

==on sw3==
--------here is already working rspan config
monitor session 2 destination interface Gi2/18
monitor session 2 source remote vlan 1000

Labels:
0 Helpful
3 Replies 3

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎09-02-2010 08:11 AM

Hello Maxim,

you would need a second RSPAN session to be on the safe side as RSPAN vlan disables mac address learning

Hope to help

Giuseppe

0 Helpful

MaximBudyonny
Level 1
Level 1
In response to Giuseppe Larosa

‎09-02-2010 08:45 AM

Thank you for reply.

As I understand you have proposed to create new rspan session with a new vlan on sw2 and simply carry this new vlan through sw1 to sw3.

I also thought to do it in the same way.

But on sw3 (cat4503) it's not possible to create monitor sessions with 2 or more rspan sources.

New monitor on the sw3 session for a new rspan vlan  is not a solution, because destination interface have been already configured in another session.

May be I'm not clearly understand your answer?

I'm thinking about direct connection of the sw2 to the sw3 and distributing vlan 1000 (existed rspan vlan) accros the triangle but I'm afraid of network loops.

0 Helpful

MaximBudyonny
Level 1
Level 1
In response to Giuseppe Larosa

‎09-03-2010 01:32 AM

Hello!

I've just added additional  session on sw2 and all works fine.

May be this trick is no correct but it works

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card