RSPAN configuration

Hi,
I'm trying to configure an RSPAN with multiple source ports on multiple switches and 1 destination port.
On the first switch I have :
Session 1
Type                   : Remote Source Session
Source Ports           :
    Both               : Po2
Dest RSPAN VLAN        : 400
On the second switch I have :
Session 1
Type                   : Remote Source Session
Source Ports           :
     Both               : Po2
Dest RSPAN VLAN        : 400
Session 2
Type                   : Remote Destination Session
Source RSPAN VLAN      : 400
Destination Ports      : Gi0/7
    Encapsulation      : Native
          Ingress      : Disabled
I don't get any error message, but the counters of interface gi0/7 all remain at 0.
I guess the source & destination RSPAN on the same switch are not supported.
I'm looking for a workaround.
any idea ?
Thanks
Stéph.

Hi Stephane,
The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches. This Vlan is trunked to a remote switch which uses the vlan as the source and a local physical interface as the final destination interface connecting the sniffer.
Keeping this in mind it is impossible for RSPAN to have source and destination on same switch. Also, any interface can be the destination for at most one SPAN session. Hence in your case, it's impossible to configure a common destination for the local SPAN and the RSPAN. There have to be at least two different interfaces acting as the destination for these SPAN sessions.
Cheers,
Shashank
Please rate if you found the content useful
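
An added example, not part of the original thread: a small Python check that parses `show monitor` output in the format quoted in the question and flags the two situations the reply rules out (one switch acting as both source and destination for the same RSPAN VLAN, and one port used as the destination of more than one session). The switch names and function names are assumptions for illustration; the sample output is copied from the question.

```python
import re
from collections import defaultdict

# Sample input: the two "show monitor" outputs quoted in the question,
# keyed by hypothetical switch names.
SAMPLE = {
    "switch1": """\
Session 1
Type                   : Remote Source Session
Source Ports           :
    Both               : Po2
Dest RSPAN VLAN        : 400
""",
    "switch2": """\
Session 1
Type                   : Remote Source Session
Source Ports           :
     Both               : Po2
Dest RSPAN VLAN        : 400
Session 2
Type                   : Remote Destination Session
Source RSPAN VLAN      : 400
Destination Ports      : Gi0/7
    Encapsulation      : Native
          Ingress      : Disabled
""",
}


def parse_show_monitor(text):
    """Return {session_id: {field: value}} from 'show monitor' output."""
    sessions, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*Session\s+(\d+)\s*$", line)
        if header:
            current = sessions.setdefault(int(header.group(1)), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return sessions


def audit(outputs):
    """Apply the restrictions stated in the reply; return a list of findings."""
    findings = []
    for switch, text in outputs.items():
        src_vlans, dst_vlans = set(), set()
        port_users = defaultdict(list)
        for sid, fields in parse_show_monitor(text).items():
            kind = fields.get("Type", "")
            if kind == "Remote Source Session" and fields.get("Dest RSPAN VLAN"):
                src_vlans.add(fields["Dest RSPAN VLAN"])
            if kind == "Remote Destination Session" and fields.get("Source RSPAN VLAN"):
                dst_vlans.add(fields["Source RSPAN VLAN"])
            ports = re.split(r"[,\s]+", fields.get("Destination Ports", ""))
            for port in filter(None, ports):
                port_users[port].append(sid)
        # Same RSPAN VLAN used as source and destination on one switch.
        for vlan in sorted(src_vlans & dst_vlans):
            findings.append(
                f"{switch}: RSPAN VLAN {vlan} is both source and destination")
        # One interface listed as destination of several sessions.
        for port, sids in sorted(port_users.items()):
            if len(sids) > 1:
                findings.append(
                    f"{switch}: {port} is the destination of sessions {sids}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
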

Similar Messages

  • RSPAN Configuration Problem

    Hi all,
    I'm having some difficulties setting up an RSPAN to work from a specific remote office.
    I have the config working for our main head office and another remote office which tells me that it's probably something in the remote switch configuration, but any pointer in the right direction would be great.
    Remote Office Remote VLAN:
    nlh_mar1_f20_cs1#show vlan remote-span
    Remote SPAN VLANs
    99
    Remote Office RSPAN:
    nlh_mar1_f20_cs1#show monitor
    Session 1
    Type                   : Remote Source Session
    Source VLANs           :
        Both               : 216
    Dest RSPAN VLAN        : 99
    Remote office RSPAN config:
    monitor session 1 source vlan 216
    monitor session 1 destination remote vlan 99
    Remote office trunk to Head Office:
    interface FastEthernet0/8
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 66
     switchport trunk allowed vlan 10,16,66,99,900,998,1000
     switchport mode trunk
     speed 100
     duplex full
     priority-queue out
     mls qos trust dscp
    end
    Head office trunk to remote office:
    interface GigabitEthernet3/0/14
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 66
     switchport trunk allowed vlan 10,16,66,99,900,998,1000
     switchport mode trunk
     speed 100
     duplex full
     priority-queue out
    end
    Head Office RSPAN:
    HO-Core#show monitor
    Session 2
    Type                   : Remote Destination Session
    Source RSPAN VLAN      : 99
    Destination Ports      : Gi2/0/9
        Encapsulation      : Native
              Ingress      : Disabled
    Head Office RSPAN config:
    monitor session 2 destination interface Gi2/0/9
    monitor session 2 source remote vlan 99
    Head Office RSPAN VLAN:
    HO-Core#show vlan remote-span
    Remote SPAN VLANs
    99
    Ryan

    Hi - has anyone seen something similar to this happen before?

  • SPAN or RSPAN Configuration for intermediate Switch.

    Hi
    I am having three switches. My Sniffer is connected with my Core Switch port 11.
    I am having 1 core SW, 2 Access SW.
    CoreSW --------------Trunk--------------->AccessSw1-----------------Trunk-------------------------AccessSw2.
    I am trying to configure Monitor session between AccessSW2 and Core SW.
    my configuration at Core SW
    monitor session 1 destination interface Fa0/11
    monitor session 1 source remote vlan 901
    At AccessSw2
    monitor session 1 source interface Fa0/1 - 22
    monitor session 1 destination remote vlan 901
    these configurations work fine if I omit AccessSw1.
    So what Configuration I need at AccessSW1 to communicate fine. Please help me on this..

    Alexander,
    You will have to specify the remote vlan on Sw2, just creating it won't help. Following is the config for the SW2.
    Switch(config)# monitor session 1 source remote vlan 901
    Switch(config)# monitor session 1 destination interface fastEthernet0/5
    The commands are a bit platform specific, as they are a bit different for the 6500 switches:
    For SW2 on Cisco6500
    Router(config)# monitor session 1 type rspan-destination
    Router(config-rspan-dst)# source remote vlan 2
    Router(config-rspan-dst)# destination interface gigabitethernet 1/2
    Thanks
    Ankur
    "Please rate the post if found useful"

  • RSPAN and ARP Packets

    Hello, I am trying to solve DHCP issue with DHCP decline and experiencing problem with RSPAN.
    I have set RSPAN monitor session and I monitor traffic on my laptop in another building.
    All traffic from source interfaces is mirrored, except ARP packets (which are really important in solving this issue).
    Is there a way, how to mirror L2 packets with broadcast destination mac address?
    Source - Catalyst 4500
    monitor session 1 source interface Gi1/33
    monitor session 1 source interface Gi3/40
    monitor session 1 destination remote vlan 222
    Destination - Catalyst 3750
    monitor session 1 destination interface Fa3/0/45 encapsulation replicate
    monitor session 1 source remote vlan 222
    Thank you, Jan

    You do not need a dedicated VSAN to use RSPAN, and you can use any valid VSAN. The VSAN does need to be trunked among all the switches passing RSPAN traffic. I recently set up a 4-switch (3 hop) RSPAN configuration using VSAN 1700 and it worked fine. Be sure to have an IP address in the same subnet assigned to the VSAN virtual (IPFC) interface on each switch and enable IP routing and fc-tunnel on each switch.

  • RSPAN in Catalyst 4500

    Hi,
    Does anyone have experience doing the following RSPAN configuration:
    vlan 992
    remote-span
    monitor session 1 source remote vlan 992
    monitor session 1 destination interface Gi2/10
    monitor session 2 source vlan 991
    monitor session 2 destination remote vlan 992
    Will the above configuration work?
    Background
    ==========
    The reason for the above is we have a collapsed core topology (both Catalyst 4503) and there is a requirement to span vlan 991 to one port at one of the switches.  We don't have any access switch.
    So I can't use a local span because vlan 991 existed in both core switches.
    But if i use remote-span I have the above 'curious' situation.  I would appreciate any input as to how best to fulfill the requirement.

    Hi,
    Check out the below link for configuring the RSPAN on 4500 switches
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/span.html
    Hope to Help !!
    Ganesh.H

  • Switching Loops

    Hello all,
    I had a weird issue that I had to deal with today.  I was in the process of running a capture of the traffic to the inside interface of our ASAs.  Our ASAs are in an active-standby failover and each is connected to a 6506.  On our cores we have RSPAN configured (VLAN 400).  I wasn't sure which switch the active ASA was connected to which is why I decided to monitor both devices.  I ran the following commands on both 6506s:
    monitor session 10 source interface <Physical Interface>
    monitor session 10 destination remote vlan 400
    I then configured the following command on my local switch (3560) at my desk where my PC with 2 NICs is located:
    monitor session 10 source remote vlan 400
    monitor session 10 destination interface Fa0/1
    I put my PC's Fa0/1 interface in VLAN 400 and began running my capture.  After a few minutes, our network came to a crawl and halted.  Could capturing traffic from these ASAs cause my network to crash?  Considering that our firewall is hit by a lot of traffic on both the inside and outside interfaces, I would think that this is possible.
    Thanks!
    Regards,
    Terence

    You can register for events dynamically. This way it is possible to create conditions for events and to use event structures in subVI, but I would advise you to avoid this kind of solution. If two subVIs use event structures, your application can get stuck.
    I used the attached VI sometime ago. It worked, but at the end I preferred to transfer the event structure to the main VI and use subVIs to make the job of each event.
    Search the LV User Guide for Event Structures. It will be helpful.
    Regards,
    Rasputin
    LV7.1 <> W2K

  • RSPAN is breaking my connection to the Internet

    We have two Cisco 2960S switches and I am trying to setup RSPAN to monitor the trunk port to the gateway and send the traffic to a port on the second switch which is setup in a daisy chain.  The problem is that every time I enter the monitor session command on the switch to be monitored it shuts down the connection and no one can get to the Internet.  I noticed that the reflector command was no longer available in the configuration so I located the newest configuration process I could find and still the same problem.  I have found other people in forums with the same issues but they never posted on solutions if they found them.  Does anyone have any thoughts on this problem?  Also just for clarity, I am trying to monitor traffic in both directions across the trunk.  Any thoughts would be greatly appreciated.
    Thanks,
    Brandon

    Hi
    My ISP is Earthlink. I don't know what other details you may need. It is a DSL connection. It works great on my one PC but not on my laptop.

  • How can I use Local SPAN with RSPAN ??

    How can I use Local SPAN with RSPAN ??
    I want to mirror traffics from ISP-A and ISP-B to Anomaly-detector module.
    so I had configured like this...
    C6500-A
    vlan 1000
    name RSPAN
    remote-span
    monitor session 10 source interface Gi5/1 - 2 rx
    monitor session 10 destination remote vlan 1000
    monitor session 20 destination anomaly-detector-module 3 data-port 1
    monitor session 20 source remote vlan 1000
    interface GigabitEthernet1/13
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1000
    switchport mode trunk
    no ip address
    C6500-B
    vlan 1000
    name RSPAN
    remote-span
    monitor session 10 source interface Gi5/1 - 2 rx
    monitor session 10 destination remote vlan 1000
    interface GigabitEthernet1/13
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1000
    switchport mode trunk
    no ip address
    end
    but it was not working..
    it wasn't any change of input packet hit count when
    I'd enter a command 'show anomaly-detector module 3 data-port 1 traffic'
    was upper configuration wrong..?
    Can I use VACL configuration ?

    try to change "monitor session 10 destination remote vlan 1000 " to "monitor session 10 destination anomaly-detector-module 3 data-port 1 " on C6500-A

  • UCCX 8.0(2) SPAN/RSPAN based VOIP Monitoring

    Hi All,
    UCCX 8.0(2) High Availability (both servers are co-located in data center, where agents and supervisors are in building across the street over fibre)
    SRND for UCCX 8 describes that it supports SPAN and/or RSPAN based voip monitoring, which is a requirement for my client as they have CAD Agents running on Citrix thin client and Supervisors on Thick client PCs.
    However I am struggling to find a way to achieve this solution for my client with UCCX 8.x, UCCX 7 we would not have had this problem as you can configure 2nd NIC adaptor on UCCX server to be configured as VOIP Monitoring server port/IP under PostInstall and sniff all traffic for all Agent phone devices as configured under CDA.
    Desktop Monitoring is not supported for thin client environment. Customer may eventually purchase QM/WFM, but for now we urgently require the essentials of agent monitoring on UCCX.
    Please has anybody successfully had this configuration described above achieved? or have any ideas?
    Thank you,
    Yavuz

    Have you been able to get a response to this post?  I am running into the exact same issue with an upgrade to UCCx 8.0.  SPAN on the 2nd NIC isn't allowed, and now the customer has lost functionality.
    Thanks,
    Ben

  • RSPAN Broadcast, impact network intermittent

    HI All,
    I've configured RSPAN on the customer network.
    The impact is, the customer network is intermittent.
    And the source problem is broadcast traffic from the destination port on the RSPAN.
    Has anyone found a broadcast problem while configuring RSPAN?
    Thanks

    Hi Daniel,
    Thanks for replying.
    I'm mirroring sources from 10 ports on one access switch. All 10 ports are connecting 10 IP Phones and 10 PCs.
    Then the destination port is Server farm switch on port something.
    ip phone and pc ---- access switch --- distribution switch --- core switch --- server farm switch --- server recording
    After running for several weeks, we found the network intermittent on the LAN.
    The impact is a lot of request timeouts when pinging the interface vlan from a client PC (on LAN).
    The server monitoring found broadcast from the source VLAN RSPAN.
    I would like to know what the source of the problem is here, and a way to check it out.
    Thanks

  • SPAN or RSPAN

    Hi,
    I need to setup port mirroring on Catalyst 4006 switch. Both source and destination port is on the same switch.
    I need to capture all traffics across the LAN for analysis. Is it enough by configuring SPAN? Please advise.

    Hi Friend,
    If your both source and destination port are on a same switch you are good to go with SPAN.
    Have a look at this link to configure SPAN on cat4k switch
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/rel7_1/config/span.htm
    But as you also said you want to capture traffic across the LAN, in this case the source port may exist on different switches, and in case your source port and destination port exist on different switches then you surely need an RSPAN.
    Also instead of configuring a specific source port to capture you can capture complete vlan when you configure SPAN you can also configure source vlan to capture all traffic on and for that vlan.
    HTH, if yes please rate the post.
    Ankur

  • SPAN and RSPAN, ISL and TRUNKING

    Hello,
    I have some questions regarding the do's and don'ts of SPANNING. If you have for example several switches with one port, say port 48 SPANNED to another switch that collapses all the traffic to be monitored by an IDS or network analyzer.
    What would be the best way to do this if you were concerned about multiple VLAN's being on the switches you were SPANNING from?
    My idea was to turn each of the SPAN ports into a TRUNK PORTS and also use ISL encapsulation between the switches and the “Aggregate Switch” that everything collapses to. Then, I would have a Monitor Session “Another SPAN taking all of those SPAN's for the other switches to a single port for monitoring.
    This was because on each of the switches have TRUNKED 802.1q FIBER PORTS and are capable of receiving any VLAN. Also, although 802.1q is common, for this I was thinking of using ISL because it does not require a Native VLAN. If a port on the switch is changed to a different VLAN (Switch Port Access VLAN XX) and the Monitor “SPAN” is not set for TRUNKING, I don't think we would see that traffic from a different VLAN would we?
    RSPAN could be used but there are already physical SPAN's coming from each of the switches to monitor. Is there any down side to using physically cabled SPAN's vs RSPAN?
    What is the best practice for monitoring segregated networks that cannot use RSPAN? Physically cabled SPAN's with Monitor Sessions?
    Am I thinking of this correctly or have I derailed?
    Thanks

    If you have source ports belonging to several different VLANs, or if you are using SPAN on several VLANs on a trunk port, you may want to identify to which VLAN a packet you are receiving on the destination SPAN port belongs. This is possible by enabling trunking on the destination port before configuring it for SPAN. This way, all packets forwarded to the
    sniffer will also be tagged with their respective VLAN IDs.

  • [rspan in 'hub+spoke' topology]

    Hi,
    I have the topology depicted in the attached drawing.
    What we want to achieve is to enable rspan to replicate monitored traffic from access switches (3550 spokes) to a core switch (6500 hub).
    The configuration in general is working and looks like this:
    HUB:
    monitor session 1 destination interface Gix/y
    monitor session 1 source remote vlan z
    SPOKES:
    monitor session 1 source interface Gix/y
    monitor session 1 destination remote vlan z
    As stated previously the environment is working, but...we're having one problem. The uplinks from the spokes to the hub are almost full. After doing some troubleshooting, we found that span traffic is being replicated by the hub to the spokes. The reason I say this is that when I remove the rspan vlan (on the core switch) from the uplink to the hubs the output traffic from core to access (or input on the access switches) goes down in the same amount being received by the network analyzer. When I add the vlan on the uplink trunk again, the traffic going out of the core to the access switches goes up by the same amount being sent to the network analyzer.
    Like i said, the rspan part seems to be working fine, but the uplinks to the access switches are getting full because the hub switch is copying the span traffic to all uplinks which is not what we want.
    Two questions here:
    1.- Is this the way rspan is supposed to work in this environment?
    2.- if not, is there a way to turn off this behavior or does it sound like a bug to you?
    Thanks in advance!
    c.

    Hello,
    in Hub and Spoke - as in any other L3VPN - traffic will flow in the opposite direction of IP routing updates. In a Hub and Spoke setup the spoke sites should get routing updates from the hub site. Thus one faces a split horizon problem: updates learned at the hub CE from a neighbor (PE) will not be sent back over the same interface to that neighbor. Hence the simple solution is: one VRF and interface to announce spoke routes from the PE to the hub CE and another interface terminating in a second VRF to announce the routes from the hub CE back into the MPLS VPN environment.
    Just as a side note: this results in an unusual load pattern on the two hub CE interfaces. Both interfaces will have nearly only load in one direction.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • Why can't see the video flow by rspan

    On the sw (Catalyst 4500 L3 Switch Software (cat4500-IPBASE-M), Version 12.2(31)SGA2), use the rspan to sniffer the video netflow, but the sniffer can't capture the flow, why.
    the configure like this
    vlan 500 is the rspan vlan.
    on the first 45 sw config:
    monitor session 2 sour interface f0/9(the port conn to polycom terminal)
    monitor session 2 dest remote vlan 500
    on the other 45sw config:
    monitor session 2 sour remote vlan 500
    monitor session 2 dest interface f0/10(the port connect to pc with sniffer)
    pls take me why

    If those video files have the extension .mov, .mp4 or .m4v at the end of the file name, Quicktime should be able to play them. If those video files don't have one of those extensions attached to them, you can add it manually.
    Luckily, there are HUNDREDS of video/media players and Extensions, available for the Mac, many of them FREE. Some of them are...
         Perian
         http://perian.org/
         Quicktime 7.6.6
         http://support.apple.com/kb/DL923
         VLC
         http://www.videolan.org/vlc/index.html
         NicePlayer
         http://www.macupdate.com/app/mac/15136/niceplayer
    And if that still doesn't work, there is a possibility that those video files may be corrupted.

  • IDSM-2 capture configuration

    Hi friends,
    I have enabled capture on the IDSM data-port 1 (Gig0/7). Now, i want to use data port 2 (Gig 0/8) also to capture another segment.
    A snippet of my current config is as follows:
    ip access-list extended MATCHALL
    permit ip any any
    vlan access-map CAPTUREALL 10
    match address MATCHALL
    action forward capture
    vlan-filter CAPTUREALL vlan-list x
    intrusion-detection module 3 management-port access-vlan 5
    intrusion-detection module 3 data-port 1 capture
    intrusion-detection module 3 data-port 1 capture allowed-vlan 1-4094
    intrusion-detection module 3 data-port 1 autostate include
    intrusion-detection module 3 data-port 1 portfast enable
    My question is:
    If i enable data port 2, then how do i bind a VACL to data port 2 only?
    Thanks a lot
    Gautam

    You can't bind a VACL to a particular data port.
    You can only tell a capture port what vlans to monitor. The capture port will monitor all captured packets from those vlans regardless of what VACL was used to mark those packets as capture packets.
    Your data-port 1 is already monitoring all 4094 vlans so there are no additional vlans that data-port 2 would need to capture packets for.
    If your switch does routing then your configuration is correct. Even though the VACL is applied to a limited set of a vlan-list X, the packets marked for capture could wind up being routed to any vlan and so all vlans have to be monitored.
    NOW you could add additional vlans to your existing vlan-list, or even create another VACL and apply it to a separate vlan list. BUT in either case your data-port 1 would already be configured for monitoring them.
    If your switch is NOT doing routing (pretty rare these days), then you do have an alternative. You can change the "capture allowed-vlan" list for data-port 1 to be the same "vlan-list X" that your VACL is assigned to. Then you can create a new VACL and assign it to a list Y, and configure data-port 2 to be a capture port for allowed-vlan list Y.
    But this really doesn't gain you a whole lot. You could just simply add vlan list Y to data-port 1 and still monitor everything with data-port 1.
    Data-port 2 doesn't really gain you much as a 2nd capture port.
    Where data-port 2 comes in handy is when you want to do a different type of monitoring.
    Data-port 2 could be setup as a Span or Rspan destination port.
    OR data-port 2 could be setup for InLine monitoring with InLine Vlan Pairs.
    It is only when you need the second type of monitoring that you can really make use of data-port 2.
    For capturing traffic on additional vlans you can just continue to use data-port 1.
