Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1083
Views
0
Helpful
2
Replies

SPAN RSPAN Configuration

gdelpanta
Level 1
Level 1

‎08-25-2005 09:55 AM - edited ‎03-02-2019 11:49 PM

Hello,

I have two 6513 sup 720 IOS 12.2(18)SXD5, named SW1 and SW2.

SW1 and SW2 are connected with a 10Gb trunk. VAN 101 (Server Farm) is spreaded between the switches.

SW1 and SW2 are connected L3 (routed port) with a GW to Intranet and Internet.

I have only an IDS with only a monitoring port.

I want monitor traffic of Server Farm and from Gateway.

I'v connected IDS to port 5/47 of SW1

I'v tried to configure 998 VLAN for RSPAN

i'v configured a session on SW2 with source portes (rx traffic) and destination remote VLAN 998.

i'v configured on SW1 VLAN as source and a port 5/47 as destination of monitoring.

At this point i'm not able to configure SPAN on port 1 on same session. If i try to add source port i receive:

% Cannot add interfaces as sources for SPAN session 1.

if i use another session i can ... but i'cant use port 5/47 already used in prevous session.

There is a configuration solution or i need to use two IDS ???

Thank you !

Labels:
0 Helpful
2 Replies 2

Georg Pauwen
VIP
VIP

‎08-25-2005 11:12 AM

Hello,

not sure if I fully understand your setup, but keep in mind the following guidelines:

A particular SPAN session can either monitor VLANs or monitor individual interfaces—you cannot have a SPAN session that monitors both specific interfaces and specific VLANs. If you first configure a SPAN session with a source interface, and then try to add a source VLAN to the same SPAN session, you will get an error. You will also get an error if you configure a SPAN session with a source VLAN and then try to add a source interface to that session. You must first clear any sources for a SPAN session before switching to another type of source.

Does that make sense ?

Regards,

GP

0 Helpful

baileja
Level 1
Level 1

‎08-25-2005 06:25 PM

RSPAN will only work with layer two links. You will need to use ERSPAN in order to traverse a layer 3 link. You additionally can not use SPAN and VSPAN (Vlan and Port Switchport Analyzer) in the same session. You will not need to get two IDS though if you have an additional interface on your IDS. Just create two SPAN sessions, one for your VLAN and one for the ports you want to monitor, and dump them to two different switchports that connect to your IDS. For everything accross your layer three link, use ERSPAN. The following link should give you everything you need to configure this.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a5a.html

0 Helpful
Customers Also Viewed These Support Documents