07-23-2015 05:56 AM - edited 03-05-2019 01:56 AM
Hi,
I'm configuring an AlienVault Unified Security Management (USM) unit and one of the requirements is setting up a SPAN port. The USM will be connected to a Cisco 3560X that is in the core of my network.
I'm planning to configure an RSPAN session to capture the traffic from all the switches in the rest of the network. But I'm not sure whether I have to configure a separate SPAN session for the local traffic of the interfaces in the 3560X.
So I believe I need an RSPAN session for the traffic from all remote switches and a SPAN session for the local traffic.
I can't configure an interface to be the destination for more than one SPAN session, so this means I have to have two separate destination ports.
If someone can confirm that I'm making the right assumptions here, I'd greatly appreciate it.
Thanks
07-23-2015 06:13 AM
I looked through the RSPAN/SPAN documentation some more and I believe that I have to configure two separate destination ports on the 3560X.
In this document
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swspan.html#14293
In the section about destination ports, it's stated that:
"[A destination port] can participate in only one SPAN session at a time (a destination port in one SPAN session cannot be a destination port for a second SPAN session)."
Again, if someone who has implemented this in the past can confirm it, I'd appreciate it.
07-23-2015 12:37 PM
Hello,
If the documentation says that, then that is correct.
Again, I believe you need to have 2 sessions, one for local and the other for remote, and each session must have a different destination port.
Thanks,
Madhu
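The two-session layout discussed in this thread, as an added example that is not from any of the posters: a sketch of the core 3560X side in Cisco IOS configuration. The RSPAN VLAN number (901), the source interface range and the two destination interfaces are assumptions chosen for illustration.

```cisco
! Constructed example: VLAN ID and interface numbers are placeholders.
!
! RSPAN VLAN that carries mirrored traffic from the remote switches.
! It must also be defined on every switch in the path and allowed on the trunks.
vlan 901
 name RSPAN-TO-USM
 remote-span
!
! Session 1: local SPAN for traffic on the 3560X's own interfaces.
monitor session 1 source interface GigabitEthernet0/1 - 24 both
monitor session 1 destination interface GigabitEthernet0/47
!
! Session 2: RSPAN destination session, receiving from the RSPAN VLAN.
! It needs its own destination port, because a destination port can
! belong to only one SPAN session at a time.
monitor session 2 source remote vlan 901
monitor session 2 destination interface GigabitEthernet0/48
!
! On each remote switch (for reference, configured there, not on the core):
!  monitor session 1 source interface <access ports> both
!  monitor session 1 destination remote vlan 901
```

With this layout the monitoring appliance needs two capture interfaces, one cabled to each destination port; `show monitor session all` on the switch confirms both sessions and their destinations.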