
Port Mirroring Cisco 9500 / 9300 / 9200 / 2960

anilgupta1974
Level 1

Need help with one scenario I have. I have an IP phone recording solution which needs port mirroring, where the source IP phones are connected to multiple switches in our network and the recording server is connected to one of our switches, which will be the destination for all. The VLAN is 115, passed on the trunk to every switch, and the respective ports are configured as access ports of this VLAN on each switch. What can I do, and how can I achieve this? I tried connecting an IP phone and the recording software on one switch and used monitor session source and monitor source destination, and it works, but with multiple switches I am not able to understand how to do this. If anyone can help on this, please.


M02@rt37
VIP

Hello @anilgupta1974 

Please see the RSPAN configuration, since the source IP phones are spread across multiple switches and the recording server is on a different switch.

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9500-series-switches/218111-verify-span-and-erspan-on-catalyst-9000.html

 

Best regards

AshSe
VIP

Hi @anilgupta1974 

To achieve port mirroring (SPAN) across multiple switches in your network for your IP phone recording solution, you need to consider the following:

Problem Overview:

  1. You have IP phones connected to multiple switches.
  2. The recording server is connected to one switch.
  3. VLAN 115 is used for the IP phones and is passed as a trunk across all switches.
  4. You need to mirror traffic from all IP phones (on multiple switches) to the recording server.

Solution:

To mirror traffic from multiple switches to a single destination (the recording server), you can use RSPAN (Remote SPAN) or ERSPAN (if supported).

Let me know if you need details of how to enable these solutions. I will be more than happy to help!

 

Hope This Helps!!!

AshSe

 

Community Etiquette: 

  1. Insert photos/images inline - don't attach.
  2. Always mark helpful and correct answers, it helps others find what they need.
  3. For a prompt reply, kindly tag @name. An email will be automatically sent to the member.

Hi AshSe, it would be a great help if you could guide me with the commands I need to give on all the switches to configure RSPAN, so that traffic from the source IP phones on VLAN 115 can go from all the switches to the switch where the destination server is connected on my network with VLAN 115 access. I will configure all the switches one by one and test if it works. Thanks in advance for helping me out on this.

Hi @anilgupta1974 

 


@anilgupta1974 wrote:

Hi AshSe, it would be a great help if you could guide me with the commands I need to give on all the switches to configure RSPAN, so that traffic from the source IP phones on VLAN 115 can go from all the switches to the switch where the destination server is connected on my network with VLAN 115 access. I will configure all the switches one by one and test if it works. Thanks in advance for helping me out on this.


From this post, it seems that both Source (IP phones) and Destination (Recording Server) are in the same VLAN 115. Is that correct?

Yes, my source devices and destination server are in VLAN 115.

Hi @anilgupta1974 

Here’s a step-by-step guide to configure RSPAN for VLAN 115 traffic:


Step 1: Create an RSPAN VLAN

  1. On all switches in the path (source, intermediate, and destination switches), create a dedicated RSPAN VLAN. This VLAN will carry the mirrored traffic across the network.

    configure terminal
    ! Choose an unused VLAN ID for RSPAN
    vlan <RSPAN-VLAN-ID>
    remote-span
    exit
     

    Example:

    configure terminal
    vlan 999
    remote-span
    exit
     

    Note: The remote-span keyword is required to designate this VLAN as an RSPAN VLAN.


Step 2: Configure the Source Switch

On the switch where the IP phones (source traffic) are connected:

  1. Define a monitor session to capture traffic from VLAN 115.

  2. Set the RSPAN VLAN as the destination for the mirrored traffic.

    configure terminal
    monitor session 1 source vlan 115
    monitor session 1 destination remote vlan <RSPAN-VLAN-ID>
    exit
     

    Example:

    configure terminal
    monitor session 1 source vlan 115
    monitor session 1 destination remote vlan 999
    exit
     

    Explanation:

    1. monitor session 1 source vlan 115: Specifies VLAN 115 as the source of the mirrored traffic.
    2. monitor session 1 destination remote vlan 999: Sends the mirrored traffic to the RSPAN VLAN (999 in this case).

Step 3: Configure Intermediate Switches

On all intermediate switches between the source and destination switches:

  1. Ensure the RSPAN VLAN is allowed on the trunk links.

    configure terminal
    interface <trunk-interface>
    switchport trunk allowed vlan add <RSPAN-VLAN-ID>
    exit
     

    Example:

    configure terminal
    interface GigabitEthernet1/0/1
    switchport trunk allowed vlan add 999
    exit
     

    Explanation:

    1. Add the RSPAN VLAN (e.g., VLAN 999) to the allowed VLANs on all trunk links between switches.

Step 4: Configure the Destination Switch

On the switch where the monitoring server is connected:

  1. Define a monitor session to capture traffic from the RSPAN VLAN.

  2. Specify the destination port where the monitoring server is connected.

    configure terminal
    monitor session 1 source remote vlan <RSPAN-VLAN-ID>
    monitor session 1 destination interface <destination-interface>
    exit
     

    Example:

    configure terminal
    monitor session 1 source remote vlan 999
    monitor session 1 destination interface GigabitEthernet1/0/2
    exit
     

    Explanation:

    1. monitor session 1 source remote vlan 999: Specifies the RSPAN VLAN (999) as the source of the mirrored traffic.
    2. monitor session 1 destination interface GigabitEthernet1/0/2: Sends the mirrored traffic to the monitoring server connected to GigabitEthernet1/0/2.

Step 5: Verify the Configuration

  1. On each switch, verify the monitor session configuration:

    show monitor session 1
     
  2. Verify that the RSPAN VLAN is active and allowed on trunk links:

    show vlan brief
    show interfaces trunk
     
  3. On the destination switch, ensure the monitoring server is receiving the mirrored traffic.


Important Notes:

  1. Ensure the RSPAN VLAN is not used for regular data traffic. It should only be used for RSPAN purposes.
  2. The destination port on the monitoring switch will be in a "monitoring" state and cannot carry regular traffic.
  3. If you have multiple source switches, repeat the source switch configuration on each of them.
  4. Ensure that all switches in the path support RSPAN.

By following these steps, you should be able to configure RSPAN to monitor VLAN 115 traffic from all switches to the destination switch where the monitoring server is connected.

Kindly let me know if you have any question regarding why VLAN 999 is being configured.

 

Hope This Helps!!!

AshSe
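
A consistency check for the five steps above, as an added example that is not part of the original post or any Cisco tooling: it reads configuration text for each switch in the path and reports where the RSPAN VLAN lacks `remote-span`, is missing from trunk allowed lists, is assigned to an access port, or has no matching monitor session. The switch names and sample configurations are constructed, and the check assumes every trunk carries an explicit allowed-VLAN list.

```python
import re

def expand(vlans):
    """Expand an IOS VLAN list such as '115,900-902' into a set of strings."""
    spans = (p.strip().partition("-") for p in vlans.split(","))
    return {str(v) for lo, _, hi in spans for v in range(int(lo), int(hi or lo) + 1)}

PATTERNS = {  # fact name -> command whose argument is recorded
    "trunk": r"switchport trunk allowed vlan (?:add )?([\d,\- ]+)",  # assumes explicit lists
    "access": r"switchport access vlan (\d+)",
    "destination remote vlan": r"monitor session \d+ destination remote vlan (\d+)",
    "source remote vlan": r"monitor session \d+ source remote vlan (\d+)",
    "dst_if": r"monitor session \d+ destination interface (\S+)",
}

def parse(config):
    """Collect the RSPAN-relevant facts from one switch's configuration text."""
    facts, vlan = {k: set() for k in (*PATTERNS, "rspan")}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan = m[1]
        elif line == "remote-span" and vlan:
            facts["rspan"].add(vlan)
        for key, pat in PATTERNS.items():
            if m := re.fullmatch(pat, line):
                facts[key] |= expand(m[1]) if key == "trunk" else {m[1]}
    return facts

def audit(switches, rspan):
    """switches: (name, role, config) tuples; role is source, transit or destination."""
    out, rspan = [], str(rspan)
    for name, role, config in switches:
        f = parse(config)
        need = {"source": "destination remote vlan", "destination": "source remote vlan"}.get(role)
        checks = [
            (rspan in f["rspan"], "VLAN lacks remote-span"),
            (rspan in f["trunk"], "VLAN not in any trunk allowed list"),
            (rspan not in f["access"], "access port assigned to RSPAN VLAN"),
            (need is None or rspan in f[need], f"no '{need}' monitor session"),
            (role != "destination" or f["dst_if"], "no destination interface"),
        ]
        out += [f"{name}: {msg}" for ok, msg in checks if not ok]
    return out

VLAN = "vlan 999\nremote-span\n"  # constructed sample configs; 999 as in the guide
TRUNK = "interface Gi1/0/1\nswitchport trunk allowed vlan add 999\n"
SW1 = VLAN + TRUNK + "monitor session 1 destination remote vlan 999\n"
SW2 = "vlan 999\n" + TRUNK  # constructed fault: remote-span missing
SW3 = VLAN + "monitor session 1 source remote vlan 999\n"  # constructed fault: no trunk, no port
print(audit([("SW1", "source", SW1), ("SW2", "transit", SW2), ("SW3", "destination", SW3)], 999))
```

Feed it the relevant lines of `show running-config` from each switch in the path; an empty list means the RSPAN VLAN is defined, trunked and sessioned consistently end to end.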

 


anilgupta1974
Level 1

That is so helpful! Thank you so much for these detailed steps!! It is now much clearer to me how to use and configure it. Allow me to test it and I will confirm with you soon.

Hi AshSe, I tried the configuration below, but the destination system is still not getting the mirrored traffic.

***Switch 1 C9200L on which IP phones are connected***

    configure terminal
    vlan 1501
    remote-span
    exit

    configure terminal
    monitor session 1 source interface gi1/0/x,gi1/0/y, gi1/0/z
    monitor session 1 destination remote vlan 1501
    exit

    configure terminal
    inter gi1/0/n
    switch trunk allowed vlan add 1501

***Switch 2 C9200L which is passing on this vlan on trunk to further destination switch***

    configure terminal
    vlan 1501
    remote-span
    exit

    configure terminal
    inter gi1/0/n
    switch trunk allowed vlan add 1501

***Switch 3 C9500 where destination server is connected***

    configure terminal
    vlan 1501
    remote-span
    exit

    configure terminal
    inter te1/0/n
    switch trunk allowed vlan add 1501
    exit

    configure terminal
    monitor session 1 source remote vlan 1501
    monitor session 1 destination inter te1/0/x
    exit

Hi @anilgupta1974 

 

***Switch 1 C9200L on which IP phones are connected***

    configure terminal
    vlan 1501
    remote-span
    exit

    configure terminal
    monitor session 1 source interface gi1/0/x,gi1/0/y, gi1/0/z

Check and configure:

    monitor session 1 source vlan 115

    configure terminal
    inter gi1/0/n
    switch trunk allowed vlan add 1501

Which interface is it?

***Switch 3 C9500 where destination server is connected***

    configure terminal
    vlan 1501
    remote-span
    exit

    configure terminal
    inter te1/0/n
    switch trunk allowed vlan add 1501
    exit

    configure terminal
    monitor session 1 source remote vlan 1501
    monitor session 1 destination inter te1/0/x
    exit

Hope you are using the correct interface number.

anilgupta1974
Level 1

Hi AshSe, 

1. If I use monitor session 1 source vlan 115 on the switch where the IP phones are connected, all the IP phones stop working. So when I mentioned port numbers in the source, the IP phones started working fine.

2. This switch port is used for the trunk to the next switch.

3. Yes, the ports are correct where the trunk is connected on this destination switch, and the destination port is also correct where the server is connected.

AshSe
VIP

Hi @anilgupta1974 

I can see that all your configurations are correct. My apprehension now is with respect to the interfaces especially the trunk interfaces.

Could you please:

  • draw an end-to-end connectivity diagram and mark the interfaces on it.
  • make sure there is no firewall in the path and no firewall on the destination server restricting the traffic.

Lastly, I would also suggest that you

  • take a downtime and configure "monitor session 1 source vlan 115" instead of interfaces

Also,

  • please check that the monitor session limit of the server is not exhausted.

I am sure you are doing your best!

AshSe

Hi AshSe, 

Diagram attached herewith

anilgupta1974_0-1740641391786.png

A firewall is connected to our network, but this VLAN is not configured on our firewall; I will still check with our firewall team on this.

I will plan a downtime and do the testing with VLAN 115 as the source on Switch 1.

There is only one session for this being monitored on each of the switches.

Hi @anilgupta1974 

All the configuration looks good. Let's change the source to VLAN 115 during the downtime window.

Fingers crossed