Solved: Combining SPAN and RSPAN

Tom Ribbens · ‎10-14-2013

Hi all,

For a fire department we have configured some IP Phones to use RSPAN to record them.

So switch A has this configuration:

monitor session 2 source interface Fa0/5 , Fa0/27 , Fa0/47 - 48

monitor session 2 filter vlan 136

monitor session 2 destination remote vlan 981

And switch B has this:

monitor session 2 destination interface Fa0/24

monitor session 2 source remote vlan 981

Now is there a phone connected to switch B that we would also like to mirror to the same port. I tried using this additional configuration on switch B, but that doesn't seem to work:

monitor session 3 source interface Fa0/44

monitor session 3 filter vlan 136

monitor session 3 destination remote vlan 981

Is there any way to do this?

Wantser1981_2 · ‎10-16-2013

Hi,

You cannot have a local destination RSPAN port on a RSPAN source switch. So although your configuration is accepted, the only port the traffic from the switch B attached phone would be visible on is if the RSPAN destination port is on another device. This will obviously not be possible if you only have one collector.

The general priciple with RSPAN is that you do not attach any devices you want to monitor to the device of the desintation port. You can only use SPAN for this. You cannot mix both as you can only use one destination port per session. With a single collector (voice recorder capture NIC), you would need to have it on a device that does not have a device with a recording requirement attached.

You could try SPAN sessions on each switch with the switch A connecting port to switch B the destination port in its session, which is in tern a source port in switch B's session. Use another connection (dedicated cable) as this will not forward traffic (only monitor). You can then add the local port to the single session.

As long as it is voice traffic and you use filters, are careful with potetial loops etc, this should work, but it is not scalable. Fine if it is only two switches in the deployment.

I have done something similar in the past to condense two sessions to one recorder working within the limitations of 2 sessions.

HTH

Wantser

View solution in original post

Lei Tian · ‎10-14-2013

Hi,

What platform are you using? Can you change the monitor session 3 destination port to f0/24?

HTH,

Lei Tian

Tom Ribbens · ‎10-16-2013

Hi Lei,

I can't change the destination port to f0/24, because it then says that port is already in use as monitor destination port (for the session 2).

This is on a WS-C3560V2-48PS-S.

Cheers,

Tom

Wantser1981_2 · ‎10-16-2013

Hi,

You cannot have a local destination RSPAN port on a RSPAN source switch. So although your configuration is accepted, the only port the traffic from the switch B attached phone would be visible on is if the RSPAN destination port is on another device. This will obviously not be possible if you only have one collector.

The general priciple with RSPAN is that you do not attach any devices you want to monitor to the device of the desintation port. You can only use SPAN for this. You cannot mix both as you can only use one destination port per session. With a single collector (voice recorder capture NIC), you would need to have it on a device that does not have a device with a recording requirement attached.

You could try SPAN sessions on each switch with the switch A connecting port to switch B the destination port in its session, which is in tern a source port in switch B's session. Use another connection (dedicated cable) as this will not forward traffic (only monitor). You can then add the local port to the single session.

As long as it is voice traffic and you use filters, are careful with potetial loops etc, this should work, but it is not scalable. Fine if it is only two switches in the deployment.

I have done something similar in the past to condense two sessions to one recorder working within the limitations of 2 sessions.

HTH

Wantser

Tom Ribbens · ‎10-16-2013

I was afraid this would be the case. I'll have to move the phone then, but that is slightly less optimal from a availability point of view in that scenario. I was just wondering if it was somehow possible.

Wantser1981_2 · ‎10-16-2013

Hi Tim,

The scenario I briefly described would work. If you only have two switches in the recording domain that is.

Switch A and Switch B are connected via an uplink trunking vlans. This is your data path.

If you connected another link between these two with switch A configured to monitor the local ports in a SPAN and use this additional uplink port as the destination port, this would copy the traffic to "second uplink" local port....this port would be in a monitoring state IE not forwarding data so whilst in monitor mode, wont cause a loop. On switch B, the other end of this link, that port can be a source of SwitchB' SPAN session. Also the port connecting your phone can be in this source group. The destination port on switch B would receive the SPAN traffic from SwitchA and via the local SPAN and also the traffic from the locally attached phone.

Like I said, this is more of a fudge and not particularly pretty, but it does work. If your setup is relatively small, its all about making the features working for you. If you have more switches in the scenario you could still use RSPAN by moving the destination port to a switch that doesn't have any recording requirement.

Have a play with that......or just move the phone

HTH

Wantser

Mohsin Hussain · ‎05-15-2014

Thanks Wantser if this work then it will be really helpful