RSPAN from a switch to a 3800 series router

Matt Kahle
Level 1

Hi all,

I had a question about SPANNING traffic to a router. I am aware that a router interface doesn't support SPAN; however, I'm trying to figure out a way to forward SPAN traffic to a router. I am aware that the router has switch cards, but will RSPAN work from the switch to the router's switch card, then forward the traffic to a routing HWIC card?

Please let me know what is recommended for this.

5 Replies

Eric101
Level 1
Hi Matt,
Seems like you wish to have SPAN traffic on a port on the router, and you wish to forward it out another port. Is this port an Ethernet port as well, or some other media such as a serial interface?
What is it that you are trying to accomplish exactly? Are you trying to get the SPAN data to a central location? If your switch supports ERSPAN capability, you may be better serviced by using that feature natively.
Optionally, you can build an L2TP tunnel across the WAN, and encapsulate your SPAN traffic within it.

Hi Eric,

I have a 2960s switch on which I would like to monitor SPAN traffic. I wish to forward the SPAN traffic to the edge of my network. My IDS sits on an interface on the router, and the router is pushing RITE traffic to the IDS. This traffic is helpful, but I cannot see intranet communication within the LAN switching network. This is why I would like to forward SPAN traffic to the router, so the router can push the traffic to the IDS.

I don't think the 2960s is capable of ERSPAN. I could be wrong.

Do you have the module configuration of the router? The types of cards will impact what options are available.
For example, if your IDS is on an ESW card and you have a free port, you should just be able to do a local SPAN session, from a SPAN session on the switch.

Hi Eric,

This is the exact question I'm seeking; I'm not sure about cards or compatibility. Currently I'm using RITE on the router; it's monitoring the built-in ports and forwarding to a 1GB HWIC card. To make "SPAN" work, would I need to buy a switch module? If I do, which ones are 1 GB for the 3800?

Hi Matt,

You can find supported modules below.

https://www.cisco.com/c/en/us/products/collateral/routers/2600-series-multiservice-platforms/prod_qas0900aecd802a9470.html

The challenge is that the 3800 series platform is not blessed with a large quantity of 1G ports, nor can it effectively service such a rate; an HWIC slot is limited to 400Mbps.

Based on what information you've put forward so far, you'd be best served by installing an EtherSwitch Service Module, which is essentially a 3750 switch, wrapped in sheet metal, which plugs into the 3800 router.

Unfortunately there is only one module which has 2 x 1G ports, NME-XD-48ES-2S-P, which may prove to be cost prohibitive for the overall solution, depending on your financial environment. 

https://www.cisco.com/c/en/us/products/collateral/routers/3800-series-integrated-services-routers-isr/product_data_sheet0900aecd8028d15f.html

You would place your IDS on one port, and have a port to your switched network.

You should continue to be able to RITE your traffic passing through the router, through the NME backplane connection.

Your options change a bit if you're open to changing your IDS location, e.g. must it be connected to the router? Could it connect to the switch?

or

If you replace your router with a newer model, more 1G ports are available in smaller switch modules (e.g. 3900 and SM-ES3).

Eric
