Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
983
Views
0
Helpful
6
Replies

One sniffer interface, 2 switches (SPAN)

JanosKocka
Level 1
Level 1

‎07-16-2020 03:24 PM - edited ‎07-16-2020 04:16 PM

Is it possible to send the whole traffic from 2 interconnected switches into one of its physical interface ?

I mean a monitor session, where a single destination port receives all traffic from both  switches.

Labels:
0 Helpful
6 Replies 6

balaji.bandi
Hall of Fame
Hall of Fame

‎07-16-2020 06:33 PM

in theory, You can RSPAN to another switch and SPAN to the sniffer. - it depends on models.

 

https://community.cisco.com/t5/networking-documents/understanding-span-rspan-and-erspan/ta-p/3144951

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

JanosKocka
Level 1
Level 1
In response to balaji.bandi

‎07-16-2020 11:38 PM - edited ‎07-16-2020 11:38 PM

Ok.

On the frist switch  i set all physical  interfaces as source, and a remote vlan for destination.

On the 2nd switch i set the the remote vlan as a first source, and the the sniffer connected interface as a destination. I need a second source on this switch, which contains all the local traffic. How can i set this ?

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to JanosKocka

‎07-17-2020 01:20 PM

yes, correct, one the first switch you configure source and using span vlan to ship to sniffer connected switch.

on the main switch, you span to sniffer connect port.

 

the guide i have posted clear instruction if you have issues post the issue and configuration, so we can look and advise.

 

example config ;

 

RSPAN :

 

BB1(config)#vlan 100  --> make sure this vlan not used any where
BB1(config-vlan)#name RSPAN-Vlan
BB1(config-vlan)#remote-span
BB1(config-vlan)#exit
BB1(config)#monitor session 1 source interface Gi1/1 rx
BB1(config)#monitor session 1 destination remote vlan 100
BB1(config)#end

Allow VLAN 100 in the Trunn port of other switch 

BB2#conf t
BB2(config)#vlan 100
BB2(config-vlan)#name RSPAN-Vlan
BB2(config-vlan)#remote-span
BB2(config-vlan)#exit
BB2(config)#monitor session 1 destination interface Gi1/2 --> where sniffer connected
BB2(config)#monitor session 1 source remote vlan 100
BB2(config)#end



 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

JanosKocka
Level 1
Level 1
In response to balaji.bandi

‎07-17-2020 02:14 PM - edited ‎07-17-2020 02:22 PM

Sorry, but it is still only  one source, the remote switch, and it doesnt inculde the traffic on the local switch. I want to  sniff both switches at the same time on one physical interface.

I need only 1 information :

What is the second source ?

You cant mix vlans and interfaces as a source.

You cant set a monitor port as a source.

How do you send the the aggregated traffic from the 2 switches  into one monitor port?

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to JanosKocka

‎07-17-2020 07:36 PM

As per my understanding, the switch does not support a combination of local SPAN and RSPAN in a single session.

 

I have just provided the example :

on the second switch ( BB2 - example here)  you can add as many as the source you want.

I am only looking at the end goal as long as the traffic coming to Sniffer or Wireshark is important.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

JanosKocka
Level 1
Level 1
In response to balaji.bandi

‎07-18-2020 04:55 AM

 

So there is no way to sniff 2 switches at the same time on a single interface ?

You have to connect the sniffer to two separate port, or you have to sniff the switches one by one ?

0 Helpful
Top