Hi, having issues getting RSPAN to work properly sending traffic to a PC (nProbe). After nProbe converts the flows to NetFlow and sends it to our collector (nfdump), the collector isn't really adding flows. I see some traffic but they're mainly broadcasts and multicasts from that room (which I can identify by subnet in flow source IP).
The issue could be with the collector/exporter but with local SPAN (on 2960) I was able to get more meaningful proper flows added to the collector (e.g. HTTPS traffic).
3560 > g0/1 connects to g0/2 < 2960
3560 > g0/2 connects to a room in a building.
2960 > g0/1 connects to the PC.
Both have vlan 99, remote-span configured.
RSPAN Source (3560):
interface GigabitEthernet0/1 switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,99 switchport mode trunk switchport nonegotiate ! monitor session 1 source interface Gi0/2 monitor session 1 destination remote vlan 99
RSPAN Destination (2960):
interface GigabitEthernet0/1 switchport mode access spanning-tree portfast ! interface GigabitEthernet0/2 switchport trunk allowed vlan 1,99 switchport mode trunk switchport nonegotiate !
monitor session 1 destination interface Gi0/1
monitor session 1 source remote vlan 99
I would appreciate any assistance with this and if there's anything wrong with the config. Have checked counters etc. and there's definitely a lot of traffic going out / in the physical SPAN interfaces.
Solved! Go to Solution.
can you please post VLAN 99 configuration of all the switches.
show output for the below command from all the switches.
show vlan remote-span
Shoot, I forgot to do that. Will have to be in a few days if that's all right with you. I don't have physical access over the weekend and I can't manage the devices remotely.