
Capture rspan vlan on host in vmware

tiwang
Level 3

Hi out there, I am trying to use a Windows srv to capture traffic from an RSPAN VLAN.

I have set up a portgroup under VMware with promiscuous mode permitted. This portgroup is in VLAN 500.

The physical switch - a Cat9300 - has an RSPAN-enabled VLAN 501 defined. If I attach a PC to an access port on that switch and define a mon session with destination to that interface where I connect the PC, I can read all packets.

If I now loop the same port back to the switch to a port in VLAN 500, I would expect to receive the same traffic on my VM running under VMware and an interface connected to the portgroup with VLAN 500, which is defined with the promiscuous mode set to permitted - but I don't get this - I only get broadcasts still - no unicast traffic. What am I doing wrong or missing here?

 

Be ti

2 Replies

balaji.bandi
Hall of Fame

You need to configure RSPAN on ESXi and tag it to the VLAN - look at the example:

https://www.insecurewi.re/setting-up-a-linux-network-probe-with-cisco-rspan/

BB


tiwang
Level 3

Hi Bandi

Have you had success with this?
I have set up a distributed portgroup on a 3-server VMware cluster:

tiwang_0-1679475323590.png

and when I do a Wireshark capture there from a Windows 2016 server with the capture interface set in promiscuous mode I see only broadcasts - no unicasts - and from the amount of traffic I see it looks to me like multiple copies of the same packet (each server is uplinked with 4 10G uplinks) - I would say I see a copy of the packet for each trunked interface from the cluster.
