Doubt about RSPAN

conectividade
Level 1

Hi, friends!

I wish you a happy and good new year!

I would like to do the right thing about RSPAN, so I'd like to ask before I configure:

(topo attached)

I have one IDS connected on this net of switches, and I need to put a probe in another switch.

The IDS and probe are in the same VLAN (VLAN 7) and need to listen to all switches, sw-1a through sw-4a.

This probe can work with 802.1q, so I can listen to more than one VLAN.

The switches swi1-swi4 that make the connection between the sites carry more VLANs, and I will probably need to watch the traffic of other VLANs with the same probe.

All these switches are 2950G (EI).

- What could be a good configuration?

thanks in advance,

Renato


johansens
Level 4

I'm not sure what you are asking for, complete RSPAN configs for all the switches or what?

Anyway, when using the 2950s, there are some ASIC limitations which come into play when using RSPAN:

From: http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cde7c.html#1073772

# If traffic for a port is monitored in one direction, you can use Catalyst 2950 or 2955 switches as source, intermediate, or destination switches.

# If traffic for a port is monitored in both directions, make sure that the intermediate switches and the destination switch are switches other than Catalyst 2950 or 2955 switches, such as Catalyst 3550, 3750, or 6000 switches.

And you'll get trouble if there is a device connected to a VLAN which sends a packet with the same source and destination MAC address... as soon as it's received by the intermediate or destination switch, nothing more will be received.. :( You'll have to send the receive and transmit traffic in different RSPAN VLANs and hope there aren't any loopback packets entering.. :)

Read more on the link above to get more info on configuration of RSPAN..

Did it help?

Johansens,

your answer helps me, but I'd like to ask more:

So, with these limitations, do I need to connect a probe and IDS to switches sw-1a and sw3a and another probe and IDS to switches sw-2a and sw4a?

This configuration must be something like this:

sw1a - with SPAN:

the monitor session 1 source will be the interfaces to be monitored, and

monitor session 1 destination will be the interface of the IDS and PROBE (could it be more than one interface?).

and

sw3a - with RSPAN:

the monitor session 1 source will be the interfaces to be monitored, and

monitor session 1 destination will be the trunk interface.

Is that correct?

thanks,

Renato

Hi again Renato,

Well, not exactly.. (your destination on the sw3a is wrong, it should be an RSPAN VLAN) First of all I need to understand what your components do..

Does your IDS do any monitoring of the traffic itself?

Is your probe an extension of the IDS?

Do the probe and IDS talk together on VLAN 7?

Does this mean your IDS and probe have two interfaces each, one for listening (monitoring) and one for talking (management/traffic exchange)???

Or is it only the probes which do the monitoring and report to the IDS over a separate interface?

When it comes to configuring RSPAN, do as follows:

- Make one RSPAN VLAN for each L2 broadcast domain and direction you want to monitor on each switch:

i.e. if you have a single VLAN or interface you want to monitor and you want to check both received and transmitted traffic in this VLAN or interface, you'll need two RSPAN VLANs, one for each direction.

If you have two or more VLANs or interfaces you want to monitor on the SAME SWITCH, you could use the same RSPAN VLAN for each corresponding direction as long as you are not interested in separating the traffic for some reason. You may NOT use the same RSPAN VLAN in another switch.. it will only be available to listen to the traffic in other switches (if you use the same VLAN, the switch will only act as source, not as intermediate)!!

- Make sure to include the RSPAN VLANs on your trunks so it's possible to propagate to the other switches..

You should never let the RSPAN VLAN have redundant paths.. i.e. prune the VLAN from the redundant paths (either manually or with VTP pruning).

- Now use the RSPAN VLAN as source in the switch you want the traffic to exit from and specify the interface you want the traffic to exit as the destination for the SPAN session...

Again, you should read this page:

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cde7c.html#1073772

Did it help?
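A worked configuration for the three roles described in the answer above (source switch, intermediate switch with the RSPAN VLAN pruned from the redundant path, destination switch feeding the IDS port), as an added example that is not part of the original thread. VLAN 900, the interface numbers and the reflector port are assumptions; it mirrors received traffic only, which is the case the thread says keeps 2950s usable as intermediate and destination switches.

```cisco
! --- Source switch (e.g. sw3a), 2950G: mirror *received* traffic only.
! Monitoring one direction keeps 2950s usable as intermediate/destination
! switches; the transmit direction would need a second RSPAN VLAN.
vlan 900
 name RSPAN-RX
 remote-span
!
! Assumed: Fa0/1 is the port to watch, Fa0/24 is a free port used as the
! reflector port that a 2950 RSPAN source session requires.
monitor session 1 source interface FastEthernet0/1 rx
monitor session 1 destination remote vlan 900 reflector-port FastEthernet0/24
!
! --- Intermediate switch (e.g. swi3): carry VLAN 900 on exactly one path.
vlan 900
 remote-span
!
interface GigabitEthernet0/1
 description trunk towards sw1a (RSPAN path)
 switchport mode trunk
 switchport trunk allowed vlan add 900
!
interface GigabitEthernet0/2
 description redundant trunk, RSPAN VLAN pruned to avoid a second path
 switchport mode trunk
 switchport trunk allowed vlan remove 900
!
! --- Destination switch (e.g. sw1a): the RSPAN VLAN is the session source,
! the IDS sensing port (assumed Fa0/10) is the session destination.
vlan 900
 remote-span
!
monitor session 1 source remote vlan 900
monitor session 1 destination interface FastEthernet0/10
!
! Verification on each switch:
! show monitor session 1
! show vlan remote-span
! show interfaces trunk
```

If `show vlan remote-span` on the intermediate switch does not list VLAN 900, or `show interfaces trunk` shows it allowed on both trunks, the copied traffic will not arrive or will take a redundant path.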

Johansens,

One more time, thanks for your attention!

My last topo had a mistake about the probe and IDS on site 2.

Before I'm fired (laugh), I'd ask:

- If I use one switch to receive RSPAN from different switches, could it work?

Please look at another drawing attached to this msg.

thanks in advance,

Renato
