I looked through the RSPAN

julito4589 · ‎07-23-2015

Hi,

I'm configuring an Alienvault Unified Security Management (USM) unit and one of the requirements is setting up a SPAN port. The USM will be connected to a Cisco 3560X that is in the core of my network.

I'm planning to configure a RSPAN session to capture the traffic from all the switches in the rest of the network. But I'm not sure whether I have to configure a separate SPAN session for the local traffic of the interfaces in the 3560X.

So I believe I need a RSPAN session for the traffic from all remote switches and a SPAN session for the local traffic.

I can't configure an interface to be the destination for more than one SPAN session, so this means I have to have to separate destination ports.

If someone can confirm that I'm making the right assumptions here, I'd greatly appreciate it.

Thanks

julito4589 · ‎07-23-2015

I looked through the RSPAN/SPAN documentation some more and I believe that I have to configure two separate destination ports on the 3560X.

In this document

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swspan.html#14293

In the section about destination ports, it's stated that:

"[A destination port] can participate in only one SPAN session at a time (a destination port in one SPAN session cannot be a destination port for a second SPAN session)."

Again, if someone who has implemented this in the past can confirm it, I'd appreciate it.

Madhukrishnan Gopinathan Nair · ‎07-23-2015

Hello,

If the documentation says that, then that is correct.

Again I believe you need to have 2 sessions, one for local and other for remote and each session must have different destination port.

Thanks,

Madhu

Configuring SPAN Port