SPAN port on IDS with Pix Firewall Failover

ccsam (Level 1)

I'm trying to figure out the best way to do a SPAN port on my core switch.

This is my scenario:

      |                          |
F/W (Active) ------------ F/W (Standby)
      |                          |
Coreswitch1 ------------- Coreswitch2

If I configure the SPAN source port and SPAN destination port on Coreswitch1, then when the firewall fails over to the standby unit, none of the traffic will be captured.

There is only one sniffing interface on my IDS sensor. Will it work if the SPAN source is a VLAN? I hope someone can share some ideas on this. Thanks.

7 Replies

travis-dennis_2 (Level 7)

If at least one of the switches is RSPAN capable, why not do that? Plug the IDS into switch1 and do SPAN on it, but do an RSPAN on switch2 over to switch1 so that when failover occurs you still sniff the firewall traffic. Take a look at this link.

http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f323.html

Please remember to rate the post if it helps you out.

Thanks.

I did go through the RSPAN documentation. There are only 2 Ethernet interfaces on my IDS sensor, which means there is only one destination port I can configure on switch1.

I have no problem configuring RSPAN on switch1, but when I try to configure the second RSPAN connection to the same destination port, the switch does not accept the command and gives me an error saying it is not allowed to have the same destination port.

If you happen to have a working configuration, could you share it? Thanks.

I am remote at the moment and do not have access to a config.

If memory serves, on Switch1 do a SPAN that includes the PIX port and one open port. On Switch2 do an RSPAN and plug the port into the open port on Switch1. I think this should do it. Anyone else wanna chime in?

Please remember to rate the post if this helps.

Just thought about it. You might be able to do this w/o RSPAN if you are having trouble with it. Do SPAN on switch1 with the PIX port and include an open port. Do SPAN on switch2 and plug the destination port into the open port on switch1. I think that should work as well.

You can't have the switch port connected to the sensor be both a SPAN destination and an RSPAN destination.

Instead of doing a Span on switch 1 and an RSPAN on switch 2, you would want to do an RSPAN on both switches.

This way the switch port will be the destination for the one RSPAN session that covers BOTH switches.

You will need to have the 2 switches connected with a trunk port that carries the RSPAN vlan.

Here is an example configuration.

(Firewall2 connected to Switch2 on port 4/1,
Firewall1 connected to Switch1 on port 5/1,
Sensor connected to Switch1 on port 6/1)

On switch 2:

set vlan 500 rspan
set rspan source 4/1 500 both create

On switch 1:

set vlan 500 rspan
set rspan source 5/1 500 both create
set rspan destination 6/1 500

I'm using a Catalyst 4507 (IOS) with RSPAN features.

The set command can bind to the RSPAN VLAN and the source port as well.

In IOS, I can only specify the RSPAN VLAN alone as the source. If I create another session for the source using a physical interface, then it does not accept it and says: cannot add port as source for session - a rspan destination session.

Thanks.

In Native IOS you will need one SPAN session on switch2, but 2 separate SPAN sessions on switch1.

In one session the RSPAN VLAN is the destination, and in the second session the RSPAN VLAN is the source:

ON SWITCH2:

Router(config)# monitor session 1 source interface fastethernet 5/15 , 7/3
Router(config)# monitor session 1 destination remote vlan 901

The above SPAN session will span traffic from ports 5/15 and 7/3 to the RSPAN VLAN.

ON SWITCH1:

Router(config)# monitor session 1 source interface fastethernet 4/11 , 4/12
Router(config)# monitor session 1 destination remote vlan 901

The above SPAN session will span traffic from ports 4/11 and 4/12 to the RSPAN VLAN.

HOWEVER A SECOND SESSION ON SWITCH1 IS THEN NECESSARY TO SEND THE RSPAN TRAFFIC FROM BOTH SWITCHES TO THE SNIFFING PORT OF THE SENSOR:

Router(config)# monitor session 2 source remote vlan 901
Router(config)# monitor session 2 destination interface gig 6/1

So you see that you need to create SPAN sessions on each switch with the source being the real ports or VLANs and the destination being the RSPAN VLAN.

And then a second SPAN session on the switch with the sensor, where the RSPAN VLAN itself is the source and the sensor the destination.

If you try the above and it does not work, then please paste in the appropriate lines from your switch configuration for the vlans or ports you want to monitor, and the configured span sessions. And then paste in a copy of where you attempt to modify the sessions and receive your error.
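To tie the two answers together, here is a complete Native IOS configuration for the topology in the original question (active PIX on Coreswitch1, standby PIX on Coreswitch2, one sensor sniffing interface on Coreswitch1). This is an added example, not a configuration posted by anyone in the thread; it reuses the port numbers from the CatOS example (firewall ports 4/1 and 5/1, sensor port 6/1) and assumes RSPAN VLAN 500 and an inter-switch trunk on GigabitEthernet1/1 of each switch. It adds the two pieces the IOS answer above leaves implicit: creating the remote-span VLAN itself, and making sure the trunk between the core switches carries it.

```cisco
! Added example for the thread's topology (constructed; not from the original posts).
! Assumed: RSPAN VLAN 500, trunk Coreswitch1 gi1/1 <-> Coreswitch2 gi1/1,
! standby PIX on Coreswitch2 gi4/1, active PIX on Coreswitch1 gi5/1, sensor on Coreswitch1 gi6/1.
!
! ===== Coreswitch2 (standby firewall) =====
vlan 500
 remote-span
!
interface GigabitEthernet1/1
 description Trunk to Coreswitch1 - must carry RSPAN VLAN 500
 switchport mode trunk
! (default trunk allows all VLANs; if this trunk prunes VLANs, add 500 to the allowed list)
!
! Session 1: standby firewall port into the RSPAN VLAN (both directions)
monitor session 1 source interface GigabitEthernet4/1 both
monitor session 1 destination remote vlan 500
!
! ===== Coreswitch1 (active firewall + sensor) =====
vlan 500
 remote-span
!
interface GigabitEthernet1/1
 description Trunk to Coreswitch2 - must carry RSPAN VLAN 500
 switchport mode trunk
!
! Session 1: active firewall port into the same RSPAN VLAN
monitor session 1 source interface GigabitEthernet5/1 both
monitor session 1 destination remote vlan 500
!
! Session 2: everything in the RSPAN VLAN (active and standby firewall ports)
! out to the sensor. gi6/1 is the destination of THIS session only; it must not
! also be a local SPAN destination, which is the error seen earlier in the thread.
monitor session 2 source remote vlan 500
monitor session 2 destination interface GigabitEthernet6/1
!
! ===== Verification (run on each switch) =====
show vlan remote-span
show monitor
```

After a failover test, the sensor should keep seeing firewall traffic without any change on the switches, because both firewall ports feed the same RSPAN VLAN and only session 2 on Coreswitch1 delivers it to the sniffing port. If the sensor goes blind after failover, the usual cause is the trunk not carrying VLAN 500 or VLAN 500 not being marked remote-span on one of the two switches; `show vlan remote-span` on both switches is the first thing to check.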
