03-07-2016 08:27 PM - edited 03-08-2019 04:52 AM
Hello all,
Needing some help with RSPAN. Looked at various online guides and some of my books and haven't quite gathered enough information to make me comfortable. Long story short I'm doing the best to make the best of a situation given the hardware I have to work with.
The devices in question are a pair of 3560G-24PS running ipbase 12.2.55 SE10. There are 2 vlans on the devices, vlan 200 and vlan 400. Vlan 200 is the data vlan and vlan 400 is the remote vlan. There are two interfaces interconnecting the two switches configured as a trunk and bundled into an etherchannel. Vlan 200 must be monitored (spanned) on both the first and second switch. There is a security sensor that is connected to the second switch.
I have been messing with this for a bit and thought I had this figured out, but once I put the system online I started seeing some weird traffic (CDP neighbors on interfaces where they weren't physically connected etc). The configurations below are the configurations that I finally settled in on before seeing the issues I have. Long story the settings below netted the best performance and spanned the traffic. Other attempts of mine using snippets from various configuration guides (no example I saw 100% matched my situation) severely degraded the network. Here is the current configuration snippet for the first switch.
{
vlan 200
name example
vlan 400
name example-span
remote-span
vlan 4093
name Native-vlan
int range g0/1 - 2
switchport trunk encap dot1q
switchport mode trunk
switchport trunk allowed vlan 200,400
switchport trunk native vlan 4093
channel-group 1 mode active
int po1
switchport trunk encap dot1q
switchport mode trunk
switchport trunk allowed vlan 200,400
switchport trunk native vlan 4093
monitor session 1 source vlan 200
monitor session 1 destination remote vlan 400
}
Second Switch Configuration example
{
vlan 200
name example
vlan 400
name example-span
remote span
vlan 4093
name Native-vlan
int range g0/1 - 2
switchport trunk encap dot1q
switchport mode trunk
switchport trunk allowed vlan 200,400
switchport trunk native vlan 4093
channel-group 1 mode active
int po1
switchport trunk encap dot1q
switchport mode trunk
switchport trunk allowed vlan 200,400
switchport trunk native vlan 4093
monitor session 1 source vlan 200 , 400
monitor session 1 destination interface G0/24
}
I have tried various different combinations of the destination portion of the command on the second switch with no success or success and very diminished performance. I'm thinking this isn't a super uncommon thing to do, but it is behaving very odd. I was thinking of perhaps upgrading the pair of switches to ipbase 15.0.2.SE9, but I'm not convinced yet that the IOS is the problem until I got some feedback from the community on what I may be doing wrong/right.
P.S. We are interface limited on the sensor so adding more ports isn't necessarily a good option. Thanks for the help guys/gals.
03-07-2016 09:07 PM
Is your destination port over utlized when turning on this SPAN?
03-07-2016 09:37 PM
Thank you for the reply. I seriously doubt there is a overutilization issue. I ran a "sh proc cpu" and I'm seeing 5-7% utilization. There is a total of 5-6 nodes on both switches combined. The need for two switches is more due of the nodes due to location vs port counts. Cumulative bandwidth on average is only about 600 k/s. It will spike at times to 50 Mb/s but obviously well in the parameters of a 1000BaseT connection. Yes, the spanned port is connecting at 1G.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: