08-18-2005 04:28 PM - edited 03-02-2019 11:45 PM
Here is the scenario.
We have 2 6500's with 2 vlans that exist on both switches. Let's say Vlan 10 and Vlan 20. I need to RSPAN the traffic from Vlan 10 to an IDS sensor connected to 1 switch, and the same for Vlan 20 to a second IDS sensor on the same switch.
Here is a breakdown......
Switch A:
Vlan 10
Vlan 20
Port 13/16 is RSPAN trunk to Switch B
Switch B:
Vlan 10
Vlan 20
IDS1 for Vlan 10 on port 4/1
IDS2 for Vlan 20 on port 4/2
Port 13/16 is RSPAN trunk to switch A
I need to get traffic from Vlan 10 on Switch A and B to IDS1 and traffic from Vlan 20 on Switch A and B to IDS2. I tried to configure RSPAN per Cisco documentation with no luck.....not sure what I'm missing. Any config help here would be very appreciated.
08-18-2005 10:29 PM
good morning
you have to set 2 rspan-vlan like this:
set vlan 100 rspan name rspan state active
set vlan 101 rspan name rspan2 state active
then you can set the source span for vlan 10 on switch A and B and set the IDS1-port as destinations..
same for vlan 20
08-18-2005 11:49 PM
For this you have to basically create 2 RSPAN sessions if you want to monitor the Vlans on 2 diff IDS. You have to set up two RSPAN vlans for each session.
Let me know if you r running Cat OS or IOS on your Box. Also please paste the config and will modify it for you.
regards,
-amit singh
08-19-2005 01:23 AM
Hi,
the number of rspan source sessions is limited to 1 on any 1 6500 box, unless u're running the box with a supervisor 720, which in this case would allow u to configure a max of 2 rspan source sessions. Check out the link below which tells the number of span/rspan sessions that u can configure on the box:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_4/confg_gd/span.htm#wp1019903
U can find some good configuration examples as u scroll along the page.
But like the others that have pointed out, create 2 rspan vlans:
set vlan 100 rspan state active
set vlan 101 rspan state active
configure rspan sources, which in this case, vlan 10 & 20, in their respective sessions:
set rspan source 10 100 both create
set rspan source 20 101 both create
on the destination switch where ur ids are connected, configure the ports where they are connected as the rspan destination ports.
HTH!
08-19-2005 05:20 AM
I forgot to mention I'm using IOS not CatOS. Anyway, here is the config I tried to use.
Switch A:
vlan 100
 name RSPAN_10-20
 remote-span
interface GigabitEthernet13/10
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10, 20, 100
 switchport mode trunk
monitor session 1 source vlan 10, 20
monitor session 1 destination remote vlan 910
Switch B:
vlan 100
 name RSPAN_10-20
 remote-span
interface GigabitEthernet13/10
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10, 20, 100
 switchport mode trunk
interface FastEthernet4/7
 description *** IDS1 Monitoring Port ***
 no ip address
 speed 100
 duplex full
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
end
interface FastEthernet4/8
 description *** IDS2 Monitoring Port ***
 no ip address
 speed 100
 duplex full
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 20
 switchport mode trunk
end
monitor session 1 source vlan 10, 20
monitor session 1 destination remote vlan 100
monitor session 2 source remote vlan 100
monitor session 2 destination interface Fa4/7
monitor session 3 source remote vlan 100
monitor session 3 destination interface Fa4/8
As you can see I was trying to filter vlans on the outbound monitor port.
08-19-2005 10:34 PM
Rodney,
Here are a few things that I have noticed after checking your config.
On the switch 1 you have configured RSPAN vlan as Vlan 100 but you are defining the destination vlan as 910...error.
On switch 2, you are defining multiple RSPAN source sessions, which will not work as only one RSPAN session is supported.
This can be done only using one IDS and you can monitor the traffic from switch for vlan 10,20 on the switch2. Now if you want to monitor the Vlan10,20 traffic which is local on switch 2 then you have to create a local SPAN session with ingress traffic only...that's the limitation.
Now on switch A configure like this :
vlan 100
 name RSPAN_10-20
 remote-span
monitor session 1 source vlan 10, 20
monitor session 1 destination remote vlan 100
On Switch Vlan 2
vlan 100
 name RSPAN_10-20
 remote-span
monitor session 1 source remote vlan 100
monitor session 1 destination interface fa 4/7
## This will monitor all the traffic from Switch A for vlan 10,20 to IDS on 4/7 ##
*** To monitor the local traffic for Vlan 10,20 on switch B **
monitor session 2 source vlan 10,20 rx
monitor session 2 destination interface Fa4/8
Try this and let me know how it goes !!!!
regards,
-amit singh
08-22-2005 12:01 PM
Your config looks like it sends both vlan 10 and 20 to port 4/7 and 4/8. I actually need port 4/7 to only see vlan 10 traffic and 4/8 to see vlan 20 traffic.
Is it possible to do that?
08-23-2005 03:02 AM
Rodney, That's not possible. For that you have to set up two diff RSPAN sessions using 2 diff RSPAN vlans but that is not supported on IOS.
regards,
-amit singh