cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
258
Views
0
Helpful
2
Replies

RSPAN help

kossuth78
Level 1
Level 1

Hello all,

Needing some help with RSPAN.  Looked at various online guides and some of my books and haven't quite gathered enough information to make me comfortable.  Long story short I'm doing the best to make the best of a situation given the hardware I have to work with. 

The devices in question are a pair of 3560G-24PS running ipbase 12.2.55 SE10.  There are 2 vlans on the devices, vlan 200 and vlan 400.  Vlan 200 is the data vlan and vlan 400 is the remote vlan.  There are two interfaces interconnecting the two switches configured as a trunk and bundled into an etherchannel.  Vlan 200 must be monitored (spanned) on both the first and second switch.  There is a security sensor that is connected to the second switch. 

I have been messing with this for a bit and thought I had this figured out, but once I put the system online I started seeing some weird traffic (CDP neighbors on interfaces where they weren't physically connected etc).  The configurations below are the configurations that I finally settled in on before seeing the issues I have.  Long story the settings below netted the best performance and spanned the traffic.  Other attempts of mine using snippets from various configuration guides (no example I saw 100% matched my situation) severely degraded the network.  Here is the current configuration snippet for the first switch.   

{

vlan 200

name example

vlan 400

name example-span

remote-span

vlan 4093

name Native-vlan

int range g0/1 - 2

switchport trunk encap dot1q

switchport mode trunk

switchport trunk allowed vlan 200,400

switchport trunk native vlan 4093

channel-group 1 mode active

int po1

switchport trunk encap dot1q

switchport mode trunk

switchport trunk allowed vlan 200,400

switchport trunk native vlan 4093

monitor session 1 source vlan 200

monitor session 1 destination remote vlan 400

}

Second Switch Configuration example

{

vlan 200

name example

vlan 400

name example-span

remote span 

vlan 4093

name Native-vlan

int range g0/1 - 2

switchport trunk encap dot1q

switchport mode trunk

switchport trunk allowed vlan 200,400

switchport trunk native vlan 4093

channel-group 1 mode active

int po1

switchport trunk encap dot1q

switchport mode trunk

switchport trunk allowed vlan 200,400

switchport trunk native vlan 4093

monitor session 1 source vlan 200 , 400

monitor session 1 destination interface G0/24

}

I have tried various different combinations of the destination portion of the command on the second switch with no success or success and very diminished performance.  I'm thinking this isn't a super uncommon thing to do, but it is behaving very odd.  I was thinking of perhaps upgrading the pair of switches to ipbase 15.0.2.SE9, but I'm not convinced yet that the IOS is the problem until I got some feedback from the community on what I may be doing wrong/right. 

P.S.  We are interface limited on the sensor so adding more ports isn't necessarily a good option.  Thanks for the help guys/gals. 

2 Replies 2

Is your destination port over utlized when turning on this SPAN?

Thank you for the reply.  I seriously doubt there is a overutilization issue.  I ran a "sh proc cpu" and I'm seeing 5-7% utilization.  There is a total of 5-6 nodes on both switches combined.  The need for two switches is more due of the nodes due to location vs port counts.  Cumulative bandwidth on average is only about 600 k/s.  It will spike at times to 50 Mb/s but obviously well in the parameters of a 1000BaseT connection.  Yes, the spanned port is connecting at 1G.  

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: