Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
368
Views
0
Helpful
5
Replies

2950 RSPAN issue

sunil_vakharia
Level 1
Level 1

‎08-21-2006 02:14 AM - edited ‎03-03-2019 04:36 AM

I have been trying to get RSPAN working on my two 2950 switches.

Earlier I had enabled SPAN on my switch (say Switch1) with Snort monitoring port fa0/24 and everything worked fine.

Now, I have another 2950 switch (say Switch2) which I have connected via cross cable to Switch1 between fa0/16 ports on both ends.

On both the switches, I have a VLAN 100 defined.

On both the switches, VLAN 100 comprises of port fa0/1 - fa0/15.

Port fa0/16 is connected to the other switch via cross cable.

My objective is to monitor traffic on ports fa0/1 - fa0/16 on both the switches. My sniffer is connected to fa0/24 on Switch1.

The output of show vlan on Switch1 is here:

------------paste start-----------

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa0/17, Fa0/18, Fa0/19, Fa0/20

Fa0/21, Fa0/22, Fa0/23, Fa0/24

Gi0/1, Gi0/2

100 MONITOREDVLAN active Fa0/1, Fa0/2, Fa0/3, Fa0/4

Fa0/5, Fa0/6, Fa0/7, Fa0/8

Fa0/9, Fa0/10, Fa0/11, Fa0/12

Fa0/13, Fa0/14, Fa0/15

--------paste end-------------------

I followed the Cisco documentation and did the following:

1. Created an RSPAN VLAN with vlan id 150. This got reflected on the other switch automatically, since I have VTP configured.

2. On Switch2, I configured monitor session 2 and the output is as follows:

---------

Type : Remote Source Session

Source Ports :

Both : Fa0/1-20

Reflector Port : Fa0/23

Dest RSPAN VLAN: 150

3. On Switch1, I configured monitor session 2 and the output is as follows:

Type : Remote Destination Session

Source RSPAN VLAN: 150

Destination Ports : Fa0/24

Encapsulation : Native

Ingress: Disabled

Note that on Switch2, I have configured fa0/23 as the reflector port. Currently this port is not in VLAN 100 (which I believe is the right way).

However, currently this port is not connected to anything! I don't know what needs to be done with it.

Note that on Switch1, after doing all the changes, the LED has turned amber and has remained that way...My sniffer is not picking any traffic.

What is missing?

Also, another question: How do I find out if I am using EI or SI?

Labels:
0 Helpful
5 Replies 5

sunil_vakharia
Level 1
Level 1
In response to ariazk

‎08-21-2006 04:01 AM

Thanks AriazK for the quick reply.

I had followed this document to set things up, but didn't manage. Unfortunately, I haven't been able to to find any example configurations anywhere.

Let me know...

0 Helpful

ariazk
Level 1
Level 1
In response to sunil_vakharia

‎08-22-2006 12:12 AM

check this

http://www.tech-recipes.com/cisco_switch_tips879.html

make sure you created the RSPAN vlan and redirtbuted through vtp or configured to other switch.

thanks

asim

0 Helpful

John_Nam1
Level 1
Level 1

‎08-21-2006 07:41 AM

If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN-IDs that are lower than 1005.

0 Helpful

sunil_vakharia
Level 1
Level 1
In response to John_Nam1

‎08-22-2006 05:41 AM

Thanks Asim and John.

I looked at that Tech Recipies link (which is for another switch).

Yes, I have created an RSPAN vlan (150) - you could get more details on that and the VTP part in the original post.

Now, John makes an interesting point on the VTP pruning. I am a newbie to VTP.

All, I can say, is VTP is enabled. How do I check if RSPAN traffic is getting pruned? How do I allow this traffic, if that be the case?

Thanks once again.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents