RSPAN

altaf007 · ‎10-21-2005

Is there anyway to do RSPAN from one site to HQS over layer three connection. I got IDS at HQS and i want to capture traffic from site ? cisco documents talk about RSAPN over layer 2 network but in my case it is going to be layer 3 because it has to come to HQS from site. any idea on how to acheive this. THanks

Altaf

vkapoor5 · ‎10-28-2005

RSPAN is used if the source of the interesting traffic is on one switch and the analyzer (the capturing device, say IDS) is on the other switch. Both switches must be connected over a trunk that passes the RSPAN VLAN traffic. I am not sure if this traffic can be transported over layer 3, but I believe some tunneling techiques may be used. Anyone tried this?

tcherkon · ‎12-22-2005

I have heard of some new IOS feature which can perform this task. Does anyone know its name or have a link?

Thanks

rutledgec · ‎11-30-2006

I too have this same problem. I would love to know if anybody finds a solution.

marcabal · ‎11-30-2006

I think what you are looking for is known as ERSPAN (encapsulated RSPAN).

The ERSPAN is done thorugh a routed network with the ERSPAN packets inside of a GRE Tunnel.

I don't have any experience configuring or using ERSPAN, so I can't provide much help.

But here is a link to a User Guide that contains some more information:

http://www.cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a008069952a.html

Looks like to have quite a few restrictions even down to particular versions of both software and even hardware.

Howp this at leasts gets you a starting point for more research.