RSPAN Sessions and IDS

d-garnett · ‎11-25-2005

Are RSPAN "Sessions" Inclusive or exclusive of each other?

Can you send traffic from 1 session to another?

In other words, if I want to monitor 3 vlans with active hosts that reside across several switches including the one with the destination port (IDS) will this work?

monitor session 1 source vlan 10 - 12 rx

monitor session 1 destination remote vlan 555 reflector-port Fa0/10

monitor session 2 source remote vlan 555

monitor session 2 destination interface Fa0/24

Does Session 1 "move" the traffic to be inspected by session 2 (where the IDS is located per f0/24)?

Or does session 1 just send the traffic back over the Trunk (RSPAN Vlan) link?

marcabal · ‎11-28-2005

This is the line that confuses me:

monitor session 1 destination remote vlan 555 reflector-port Fa0/10

I don't know what the "reflector-port Fa0/10" will do. Is this a Cat 6K? I have not seen that option in the Cat 6K documentation.

My experience has all been on the cat 6K.

On the Cat 6K with Native IOS if you execute the following commands:

monitor session 1 source vlan 10 - 12 rx

monitor session 1 destination remote vlan 555

monitor session 2 source remote vlan 555

monitor session 2 destination interface Fa0/24

Then the session 1 traffic from vlans 10-12 WILL be spanned to port Fa0/24 (along with the traffic from remote spans from other connected switches).

The sesssion 1 source traffic WILL becomes session 2 source traffic in the above configuration on a Cat 6K.

What I can't guarantee you is if the same will hold true on the span command on other Cisco switches.