07-08-2020 01:00 PM - edited 07-08-2020 01:08 PM
Hello Team,
I have a network where I have to do RSPAN port configuration to monitor traffic. The network is very big, so we are doing RSPAN from each location (25 switches altogether) and moving it towards an aggregation switch, and from there I want to forward it to an IDS (different vendor for OT technology).
My question is: if I do an RSPAN port config on switch A and switch B (in figure), will the aggregation switch be able to send the RSPAN data information to the IDS if I configure RSPAN on the aggregation switch as well?
Will I need any extra config on the aggregation switch? And will this aggregation switch be able to forward all the RSPAN information to the IDS, as all RSPAN ports from 25 switches (25 ports) are terminating on the aggregation switch? Will this work?
In short,
25 RSPAN ports terminating on the aggregation switch --> RSPAN it again to the IDS. Will this work?
07-08-2020 01:24 PM
RSPAN will transport the logs as expected. The agg switch is also required to SPAN; you need to add source SPAN information to send to the IDS.
Here is a good example document:
Note: also look at the product documentation and limitations (since we do not know the model of the device and the IOS running on it).
07-08-2020 02:04 PM
Thank you so much for the reply. I'll go through the document.
Here I have multiple SPAN sources, all terminating in an aggregation switch, which is then RSPAN to the IDS.
I was just thinking: how will I be able to add source SPAN information on the IDS, because the source will be the aggregation switch now? Sorry if I am ignorant about this.
Thank you.
07-08-2020 04:46 PM
You RSPAN all other devices to the Agg switch (you can have a dedicated VLAN to ship this information).
From Agg to IDS should be Local SPAN.
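A configuration sketch of the design described in the last reply, added here as an illustration and not posted by any participant in the thread. It assumes Catalyst-style IOS syntax; VLAN 900, the session numbers and all interface names are hypothetical placeholders, and exact commands and session limits depend on the switch model and IOS release.

```cisco
! ---- On each access switch (switch A, switch B, ...): RSPAN source ----
! Dedicated VLAN that carries only mirrored traffic (hypothetical ID 900)
vlan 900
 name RSPAN-TO-AGG
 remote-span
!
! Mirror the monitored port(s) into the RSPAN VLAN
! (GigabitEthernet1/0/1 is a placeholder for the monitored port)
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination remote vlan 900
!
! The uplink trunk toward the aggregation switch must carry VLAN 900
! (GigabitEthernet1/0/48 is a placeholder for the uplink)
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk allowed vlan add 900
!
! ---- On the aggregation switch: hand the mirrored traffic to the IDS ----
! The same VLAN must exist here and be flagged remote-span
vlan 900
 name RSPAN-TO-AGG
 remote-span
!
! One session takes everything arriving in VLAN 900 from the access
! switches and copies it out of the port the IDS sensor is plugged into
! (GigabitEthernet1/0/24 is a placeholder for the IDS-facing port)
monitor session 1 source remote vlan 900
monitor session 1 destination interface GigabitEthernet1/0/24
!
! ---- Verification on any switch ----
! show monitor session 1
! show vlan remote-span
```

All mirrored traffic from the source switches leaves through the single IDS-facing port, so that port's bandwidth caps what the sensor sees; traffic above its line rate is dropped by the switch before the IDS can inspect it.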