Hi. I wonder if somebody could help with the following problem I'm having relating to RSPAN configuration.
Thanks in advance!
I’ve been tasked with SPANing traffic across our Cisco switch infrastructure in an office so we can mirror a subset of traffic to a single port.
The reason this is required is so we can present all voice traffic to a port connected to a voice recording server.
The network infrastructure I am currently using to test this set up is as follows:
- Primary 6509 distribution switch running IOS version: s72033-ipservices_wan-mz.122-33.SXH4.bin (hostname - RS03-6509E-DIST-ML-01)
- Secondary 6509 distribution switch running IOS version: s72033-ipservices_wan-mz.122-33.SXH4.bin (hostname - RS03-6509E-DIST-ML-02)
- The two switches are connected together via a statically configured VLAN trunk.
The configuration I have put in place to implement RSPAN is as shown here:
3 vlan 950
4 name RSPAN_VLAN_950
8 interface Port-channel1
9 description **** L2 PORTCHANNEL TO DC2-6509-DIST-ML02 PORTS 3/47-48 4/47-48 ****
11 switchport trunk encapsulation dot1q
12 switchport trunk allowed vlan 32-36,38-42,44-47,140,144,950
13 switchport mode trunk
15 spanning-tree vlan 32,34,36,38-40,42,44,46,140,144,950 priority 16384
18 monitor session 1 type rspan-source
19 description ** RSPAN_SRC_SESSION **
20 source vlan 32 , 34 , 36
21 destination remote vlan 950
24 monitor session 11 type rspan-destination
25 description ** RSPAN_DST_SESSION **
26 source remote vlan 950
27 destination interface Gi7/10
34 vlan 950
35 name RSPAN_VLAN_950
38 spanning-tree vlan 32,34,36,38-40,42,44,46,140,144,950 priority 8192
40 interface Port-channel1
41 description **** L2 PORTCHANNEL TO DC2-6509-DIST-ML012 PORTS 3/47-48 4/47-48 ****
43 switchport trunk encapsulation dot1q
44 switchport trunk allowed vlan 32-36,38-42,44-47,140,144,950
45 switchport mode trunk
48 monitor session 1 type rspan-source
49 description ** RSPAN_SRC_SESSION **
50 source vlan 32 , 34 , 36
51 destination remote vlan 950
54 monitor session 11 type rspan-destination
55 description ** RSPAN_DST_SESSION **
56 source remote vlan 950
57 destination interface Gi7/10
The problem I have been experiencing is that the traffic which gets presented at the destination port on either distribution switch (Gig 7/10 on both) is not limited to the 3 x VLANs that I specified in the source lists (see lines 20 and 50). When sniffing either port (on either distribution 01 or 02) using Wireshark I’m seeing traffic for all VLANs present on the switches.
Any help understanding what’s wrong with this configuration would be much appreciated, i.e. any advice as to how I can limit the traffic presented to port Gi7/10 to VLANs 32, 34 and 36 only?
Hope someone can help and thank you for reading my post,
You actually have two RSPAN sessions, and you should use two separate remote SPAN VLANs like VLAN 950 and 951.
The RSPAN VLAN has MAC address learning disabled, so it should be used unidirectionally:
RSPAN1 from 6909A to 6509B via VLAN 950
RSPAN2 from C6509B to C6509A via VLAN 951
Or you should use one RSPAN and one local SPAN, with the constraint of putting the recording server only on one specific switch port.
I understand you would like to provide two monitoring ports, one on each C6500, but it would require two RSPAN using a different RSPAN VLAN and a local SPAN on each device and one local SPAN.
Hope to help
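
An added example, not part of either post: a Python check for the condition the reply describes, an RSPAN VLAN used in both directions. It parses the monitor-session stanzas from the question (listing line numbers dropped) and reports VLANs that a switch both sends into and reads from; the function names and the 950/951 variant are constructed for illustration.

```python
import re
from collections import defaultdict

# Monitor-session stanzas as posted; the same text is configured on both switches.
POSTED = """\
monitor session 1 type rspan-source
description ** RSPAN_SRC_SESSION **
source vlan 32 , 34 , 36
destination remote vlan 950
monitor session 11 type rspan-destination
description ** RSPAN_DST_SESSION **
source remote vlan 950
destination interface Gi7/10
"""
SW1, SW2 = "RS03-6509E-DIST-ML-01", "RS03-6509E-DIST-ML-02"
AS_POSTED = {SW1: POSTED, SW2: POSTED}
# Constructed variant following the reply: 950 carries SW1 -> SW2, 951 carries SW2 -> SW1.
TWO_VLANS = {
    SW1: POSTED.replace("source remote vlan 950", "source remote vlan 951"),
    SW2: POSTED.replace("destination remote vlan 950", "destination remote vlan 951"),
}

SESSION = re.compile(r"monitor session \d+(?: type (\S+))?")
REMOTE = re.compile(r"(source|destination) remote vlan (\d+)")
# (session type, keyword) -> direction relative to the RSPAN VLAN
ROLE = {("rspan-source", "destination"): "tx", ("rspan-destination", "source"): "rx"}

def rspan_roles(config):
    """Return {vlan: {'tx', 'rx'}} for one switch's configuration text."""
    roles, kind = defaultdict(set), None
    for raw in config.splitlines():
        line = raw.strip()
        if m := SESSION.match(line):
            kind = m.group(1)  # None for a local SPAN session
        elif m := REMOTE.fullmatch(line):
            role = ROLE.get((kind, m.group(1)))
            if role:
                roles[int(m.group(2))].add(role)
    return roles

def bidirectional_rspan_vlans(configs):
    """Return {vlan: [hosts]} where a switch both feeds and drains the same RSPAN VLAN."""
    found = defaultdict(list)
    for host in sorted(configs):
        for vlan, roles in rspan_roles(configs[host]).items():
            if roles == {"tx", "rx"}:
                found[vlan].append(host)
    return dict(found)

if __name__ == "__main__":
    print("as posted:", bidirectional_rspan_vlans(AS_POSTED))
    print("two RSPAN VLANs:", bidirectional_rspan_vlans(TWO_VLANS))
```
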