I am trying to capture both local switch traffic and traffic from a remote switch with NetScout. I have one NetScout interface set as the SPAN destination port on the switch. Do I need another destination interface on the switch for RSPAN traffic? Can I run both SPAN and RSPAN at the same time on the switch? I only have two switches and one NetScout probe (4 interfaces). I cannot physically connect the NetScout to the remote switch, so I have to have both SPAN and RSPAN destination ports (I believe).
Which switches are these? I don't think that you can have the source as local SPAN traffic in an RSPAN session. You have to get two destination ports configured each for SPAN and RSPAN session.
The answer to your question about whether you can run SPAN and RSPAN on a switch at the same time is that YES you can run both at the same time on a switch. I have some switches that are doing both SPAN and RSPAN at the same time. But the SPAN ports are separate from the RSPAN ports.
If I understand your situation correctly then I believe that the solution that you want is to run RSPAN (and not run SPAN). Your RSPAN source ports can be on both switches and your RSPAN destination will be the single switch port where the NetScout is connected. I have several pairs of switches set up in this way where there are active source ports on both switches and a destination port on one switch.
Just to clarify, since I'm running into a similar configuration dilemma (which intuitively doesn't seem that hard)...
In this case I'm doing VOIP call recording with sources on 2 switches that are trunked together. Recording system (glorified sniffer) on one switch, along with local phones, and RSPAN configured on the remote switch which has other phones. RSPAN is working great from the remote switch, but how to add in the local ports is the question. Is it simply a matter of also monitoring those local phone ports to the destination of the RSPAN VLAN, which in turn is pointing its monitor destination to the recording system?
If you already have RSPAN working great (source ports on the remote switch, an RSPAN trunk between switches, and an RSPAN output port on the other switch) then all you need to do is to configure additional source ports on the switch where the RSPAN destination is located.
Thanks Rick! Just finding lots of tech notes and NetPro notes that suggest that WON'T work for various reasons. But I always tend to side with the guy who says he's actually DOING it.
So there's no reason I should have to do something silly like have a separate (Local) SPAN NIC or offload the recording server to a separate switch that doesn't have phones. Two 3560's with source (phone) ports can monitor to the RSPAN VLAN even though the RSPAN destination (recorder) lives on one of those switches...?
I do not know which tech notes and NetPro notes you are looking at that suggest that it won't work. And perhaps there is some aspect of your environment that I do not yet understand that is a challenge. But it certainly does work to run RSPAN with source ports to monitor on both switches and an output port on one switch. Is there some aspect of your situation that I am not understanding?
Nope, I don't think so. And it doesn't seem logically like this should be that much of an issue. Just something that popped up at the end of the day, and trying to work the boards tonight to see what should/shouldn't work in the morning.
Thanks for your help!
I wouldn't have thought this was that much of a challenge, but all roads seem to point back to this not being possible.
This is the SPAN config we're talking about that doesn't work:
monitor session 1 destination interface Fa0/44
monitor session 1 source remote vlan 888
monitor session 2 source interface Fa0/22 , Fa0/39
monitor session 2 destination remote vlan 888
Switches fiber-trunked off this guy trapping to vlan 888 work just fine, but any local devices on this switch are NOT getting spanned.
Am I missing something here? Since I think you mentioned you're doing it in production, do you happen to have a config snippet that DOES work?
The ones that I have done were running hybrid and so not so good a model for you. I have found some done by one of my colleagues running native which I believe are working ok. Here is the essence of that config:
monitor session 1 type rspan-source
 source interface Gi3/12 - 13 rx
 destination remote vlan 999
monitor session 2 type rspan-destination
 source remote vlan 999
 destination interface Gi9/47
Looks like we may be running into a difference between 6500 (which I assume you're talking about) and 3560 RSPAN implementations.
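An added example, not written by any poster in this thread: a small Python check that parses one-line `monitor session` commands like the 3560 configuration quoted above and flags the arrangement the thread reports as failing to mirror local ports, namely local source ports feeding an RSPAN VLAN that a monitor port on the same switch also reads from. The function names are hypothetical, the sample is the configuration quoted in the thread, and the check encodes only what the thread reports, not a rule taken from Cisco documentation.

```python
import re
from collections import defaultdict

# Sample input: the 3560 configuration quoted in the thread.
SAMPLE_3560 = """\
monitor session 1 destination interface Fa0/44
monitor session 1 source remote vlan 888
monitor session 2 source interface Fa0/22 , Fa0/39
monitor session 2 destination remote vlan 888
"""

LINE = re.compile(
    r"^monitor session (\d+) (source|destination) (remote vlan|interface) (.+)$")

def parse_sessions(config):
    """Return {session_id: {"source": [(kind, value)], "destination": [...]}}."""
    sessions = defaultdict(lambda: {"source": [], "destination": []})
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a one-line monitor session command
        sid, role, kind, value = m.groups()
        if kind == "interface":
            # Drop a trailing direction keyword, then split the port list.
            value = re.sub(r"\s+(rx|tx|both)$", "", value)
            items = [p.strip() for p in value.split(",") if p.strip()]
        else:
            items = [value.strip()]
        kind = "vlan" if kind == "remote vlan" else "interface"
        sessions[int(sid)][role] += [(kind, v) for v in items]
    return dict(sessions)

def rspan_loopback_findings(sessions):
    """Find RSPAN VLANs that local ports feed and a local port also drains."""
    feeds, drains = {}, {}
    for sid, s in sessions.items():
        src_ports = [v for k, v in s["source"] if k == "interface"]
        dst_ports = [v for k, v in s["destination"] if k == "interface"]
        for k, v in s["destination"]:
            if k == "vlan" and src_ports:
                feeds[v] = (sid, src_ports)
        for k, v in s["source"]:
            if k == "vlan" and dst_ports:
                drains[v] = (sid, dst_ports)
    return [{"vlan": v, "source_session": feeds[v][0], "local_sources": feeds[v][1],
             "dest_session": drains[v][0], "monitor_ports": drains[v][1]}
            for v in sorted(feeds.keys() & drains.keys())]

if __name__ == "__main__":
    for finding in rspan_loopback_findings(parse_sessions(SAMPLE_3560)):
        print(finding)
```

A finding means the local source ports listed are expected to reach the monitor port only by way of the RSPAN VLAN, which is the case reported above as not being spanned on the 3560.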