RSPAN and LOCAL SPAN on the same switch?

uthayaman
Level 1

Hi,

We have two switches in my network which are connected back to back with a trunk port. I have created a VLAN for users, and users are distributed between the switches.

I want to log all traffic from all the users on two logger servers which are distributed between the switches (one logger is connected on switch-A and another on switch-B).

I understood that a destination port can participate in only one SPAN session at a time.

Suggest whether this will work...

I will configure an RSPAN VLAN and the source will be my user VLAN.

Then configuring my RSPAN VLAN as a source VLAN in the same switch and the destination port as my logger switch port will work?

If not... suggest me some solution to log the traffic on two switches connected to two loggers. Both loggers should log all the traffic.

Accepted Solutions

Ian Jay
Level 1

There is no way to utilize this in a distributed way as you've indicated. Since you are using the RSPAN vlan as destination, you cannot also set this as a source VLAN on the same device. Trying this in the lab:

"% This vlan is already being monitored as destination vlan. Rejecting entry"

The only way to combine the monitored traffic would be to make sure your capture devices have a common clock source (via NTP) and combine the two captures from each device.

This may not be completely accurate in terms of time, but would allow you to combine the two capture locations.
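
One way to do the merge described in the accepted answer, as an added example (not code from this thread or from Cisco): it reads two classic pcap files, interleaves the frames by timestamp, and drops the second copy of a frame that both loggers captured, using a tolerance window because residual NTP offset means the two timestamps will not match exactly. The function names, the 5 ms window, the Ethernet link type, and the assumption that frames crossing the trunk are mirrored on both switches are all choices made for this example.

```python
import heapq
import struct

# pcap magic -> nanoseconds per unit of the fractional timestamp field
MAGICS = {0xA1B2C3D4: 1_000, 0xA1B23C4D: 1}

def read_pcap(blob):
    """Parse a classic libpcap file into (timestamp_ns, frame_bytes) tuples."""
    for endian in "<>":                      # detect the writer's byte order
        magic = struct.unpack_from(endian + "I", blob, 0)[0]
        if magic in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file")
    scale, off, packets = MAGICS[magic], 24, []
    while off + 16 <= len(blob):
        sec, frac, incl, _orig = struct.unpack_from(endian + "IIII", blob, off)
        frame = blob[off + 16: off + 16 + incl]
        if len(frame) < incl:                # truncated final record: stop cleanly
            break
        packets.append((sec * 10**9 + frac * scale, frame))
        off += 16 + incl
    return packets

def merge_captures(cap_a, cap_b, dedup_window_ns=5_000_000):
    """Interleave two captures by time; drop a frame whose identical bytes
    were already seen in the OTHER capture within dedup_window_ns."""
    tagged = heapq.merge(((ts, f, 0) for ts, f in sorted(cap_a)),
                         ((ts, f, 1) for ts, f in sorted(cap_b)))
    merged, pending = [], {}
    for ts, frame, src in tagged:
        prev = pending.get(frame)
        if prev and prev[1] != src and ts - prev[0] <= dedup_window_ns:
            del pending[frame]               # second sighting of the same frame
            continue
        pending[frame] = (ts, src)
        merged.append((ts, frame))
    return merged

def write_pcap(packets, linktype=1, snaplen=65535):
    """Serialise as little-endian, microsecond pcap (orig_len = captured length)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)]
    for ts, frame in packets:
        out.append(struct.pack("<IIII", ts // 10**9, ts % 10**9 // 1000,
                               len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)
```

Captures saved as pcapng need converting to classic pcap first, for example with `editcap -F pcap`.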

Thx for the clarification...
