Hello,

but if I have just two 2950 switches?  Not Cat 6500?

Do you want to say that this is possible for SW2 to mirror traffic for the specific VLAN (where Client 2 is) ?

Hello,

You did not specify in first port which switches you have :-)

For 2950 the RSPAN configuration is described in this guide:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_19_ea1/configuration/guide/swspan.html#wp1081130

Did you mean vlan as source in your question?.. You said destination cannot be vlan.

Actually, for RSPAN it is remote vlan set in the command:

     monitor session session_number destination remote vlan vlan-id reflector-port interface

Then, on SW2 you specify which physical interface this traffic is going to (connected to Client 2).

But valid source interfaces include only physical interfaces and port-channel logical interfaces, not vlans. So you will have to mirror the physical interfaces on SW 1 to Client 1 (set as source) with RSPAN to SW2 with connected client 2 (see configuration doe RSPAN destination sessions).

Overall this mirroing of traffic can be done with RSPAN.

Kind Regards,
Ivan

**Please grade this post if you find it useful.

Thank you Ivan.

I will try to use RSPAN configuration.

Welcome! Let me know if you encounter any issues configuring it.

Please take a look at the first question again Ivan. I edited it a bit.  

Hi,

Since a destination port is a trunk, it should pass tagged traffic to the connected destination host. So if your source host Client 1 is sending tagged traffic to SW1, then I think destination host would receive the traffic with same tag and put it into corresponding VLAN/VM.

Kind Regards,
Ivan

**Please grade this post if you find it useful.

Hi Ivan!

In this situation I'm interested just in traffic, which is going from WAN to the Client 1. ( We don't care about outbound traffic which is going from Client 1.)

What is the confuiguration of the ports on SW1 towards WAN and towards Client? Are any of them  trunks?

Configuration of these ports is not a trunks. It is just an access ports.  (SW1)

Hi,

I have rechecked 2950 switch RSPAN behavior with tagged traffic and all packets  appear on the destination port as untagged, as long as you don't add "encap dot1q" parameter in destination session command. So you could either:

1. specify the native vlan on a trunk to have this untagged traffic sent in the vlan corresponding to your VM:

     switchport trunk native vlan vlan-id

2. or set up "encap dot1q" on SW2:

     monitor session 1 destination interface encap dot1q

Changes to destination port should be made before configuring the destination monitor session.

By the way, note that regular traffic won't be sent on this trunk anymore and other VM machines won't be able to communicate with through this interface because when destination port is active, incoming traffic is disabled.  The port does not transmit any traffic except that required for the SPAN  session.

Kind Regards,
Ivan

Thank you very much Ivan.

I was looking for this solution.

And that's ok, I don't need any regular traffic on that trunk link ( on the trunk link between SW1 and SW2 , but what about the trunk link between SW2 and the server? Can virtual machines use this trunk?)

I will try to implement this today

Thank you!

Welcome again! :-)

Ok. I updated the picture :

There is a trunk between SW1 and SW2. Just one VLAN is allowed, VLAN 999 ( remote - span VLAN ).

My configuration looks like this:

On SW1 :

monitor session 1 source interface Fa0/21 tx

monitor session 1 destination remote vlan 999 reflector-port Fa0/20

On SW2:

monitor session 1 destination interface Fa0/24 encapsulation dot1q ingress vlan 999

monitor session 1 source remote vlan 999

Virtual machine is in VLAN 999.

The problem is, when I just apply configuration on SW1 , interface Fa0/23 on SW2 goes down. ( Status and protocol is down/down).

Then on SW1 interface Fa0/20 is with status up/down . We can see this if these ports are configured as access ports not  as  a trunk ports too.

I can't see any sniffed traffic on Virtual Machine in VLAN 999 :/