RSPAN over WAN/MAN

spfister336
Level 2

I have an application where I need to copy traffic at a remote site and record it at a central site. At the remote site, all devices are in their own VLAN and are all connected to a single WS-C2960X-48FPD-L switch. At the central site, there are several switches I can use for the recording server (until the server is set up, using a laptop and Wireshark to test).

At first, I thought RSPAN. I've never done an RSPAN session, but I got it working in a test setup at the central site. I tried the same thing with the remote site, but can't get anything but broadcasts.

The central site and all remote sites are connected to each other over AT&T's Opt-E-MAN switched Ethernet service. Will RSPAN work over Opt-E-MAN? I'm starting to think maybe not. Should I try RSPAN over a GRE tunnel? Can I use VACL capture? I haven't tried to set up either before.

6 Replies

Hi,

You'd need to be extremely careful when you try something like this over WAN.

As you may know, simply, with RSPAN you are duplicating your traffic stream from a data port or a group of ports over Layer 2. Let's say you are spanning a port with a 200MB traffic stream from your remote site to the central site over a 100MB WAN... needless to say what would happen.

Your best bet will be to set up a sensor/PC at your remote site to capture and do the analysis at the remote site without sending over WAN.

Opt-E-MAN seems like an MPLS service, and I have only used ERSPAN over MPLS successfully in the past, although Cisco documents say GRE tunnels would work too, and in theory yes.

Cheers

Prabath

***Please rate all the useful posts***
-Prabath

Yes, that's true, but the traffic is a small handful of IP phones and we're hoping the traffic won't be a problem. Bandwidth usage from that site isn't very high to start with. Ultimately, we may need to do the recording to a server onsite, but we're trying to avoid that if we can.

Well, in that case, I'll give you some directions; hopefully someone else sheds some light on this for you as well.

The central site and all remote sites are connected to each other over AT&T's Opt-E-MAN switched Ethernet service. Will RSPAN work over Opt-E-MAN?

Not natively; you'd have to use xconnect to set up some form of L2 tunnelling, but it's a bit complex to set up and analyse, as at the analyser we want the remote traffic to be in its simplest form for analysis.

RSPAN over a GRE tunnel?

This would work in theory; again, it wouldn't be simple to get it going if you do not have ERSPAN (ERSPAN already does this natively, but you have to have a supporting device).

Can I use VACL capture?

Wouldn't help in your case. VACL is simply there to capture traffic in a granular form using ACLs. You still need a mechanism to send data across to your central analyser (there'll be some licensing restrictions for 2960-X as well).

***Please rate all the useful posts***
-Prabath

So, is RSPAN over a GRE tunnel our best bet? I'd like to try ERSPAN, but it requires a 6500, doesn't it? We have one at the central site, but options at the remote sites are pretty limited.

Unfortunately, the server for the central site has already been purchased. There may be some sort of option to record locally, but we're trying to avoid needing to buy anything further for this project.

Yes, it seems like it, but not something that I would try, for all the reasons that I mentioned earlier.

ERSPAN is only available on quite few models like 6500, N7k, ASR etc. Depending on your product (analyser or monitor) you'd be able to get agents for remote locations.

***Please rate all the useful posts***
-Prabath

How about RSPAN over L2TPv3?