RSPAN... limiting VLAN sources?!?

andyroles · ‎10-08-2012

Hi there,

I posted this thread a few days ago but didn’t manage to get to the bottom of the issue then. Thank you to Giuseppe for his contribution to that thread.

The RSPAN config shown at the bottom of this thread isn’t doing as I expected. I want to only see the output from 3 voice VLANs (32,34 and 36) that are configured across two switches (connected by a VLAN trunked L2 port channel).

The problem is: Currently I’m seeing traffic from all VLANs for the switches when sniffing the port gig 7/10 on SW01.

Configured across the trunk are VLANs 1, 32, 33, 34, 35, 36, 39, 40, 41, 42, 44, 45, 46,47 and 951 (remote-span vlan).

Strangely, if I only configure one vlan source e.g. VLAN 32 within the contect 'monitor session 1 type rspan-source' then that is the only traffic that I see (as i would expect). As soon as I add more VLAN sources to the list however then traffic from all VLANs start to show up in the Wireshark trace?

The configuration I've applied is shown below. Any comments welcome.

DISTRIBUTION SW 01 -

vlan 951

name RSPAN_VLAN_951

remote-span

!

spanning-tree vlan 951 priority 8192

interface Port-channel1

switchport trunk allowed vlan add 951

monitor session 1 type rspan-source

source vlan 32 , 34 , 36

destination remote vlan 951

!

monitor session 11 type rspan-destination

source remote vlan 951

destination interface Gi7/10

interface GigabitEthernet7/10

description ** VOICE RECORDING PORT **

switchport

speed 1000

duplex full

end

DISTRIBUTION SW 02 -

Vlan 951

name RSPAN_VLAN_951

remote-span

!

spanning-tree vlan 951 priority 16384

interface Port-channel1

switchport trunk allowed vlan add 951

monitor session 1 type rspan-source

source vlan 32 , 34 , 36

destination remote vlan 951

!

we're currently running - disk1:/s72033-ipservices_wan-mz.122-33.SXH4.bin

Many thanks in advance and thanks for reading my post –

Andy

Giuseppe Larosa · ‎10-08-2012

Hello Andy,

looking at the configuration guide I have found the feature of Vlan filtering on destination port that might help

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/span.html#wp1147320

It says that if you configure the destination port, the one connected to the network analyzer, as a trunk port with a list of allowed vlan = 32,34,36 you should see only frames belonging to these three vlans

Hope to help

Giuseppe

andyroles · ‎10-08-2012

Guiseppe. Thanks. This sounds like a solution. I'm keeping my fingers crossed. Thank you for all your help.

Robert R · ‎10-08-2012

Hi Andy,

I'm not sure what platform you're running this on, but we use Catalyst 4500 and 6500 series for this, and this is how we do it.

Assuming your trunking and vlans are setup correctly (and they appear to be)

Distribution SW02

monitor session 1 source interface

monitor session 1 filter vlan 32, 34, 36

monitor session 1 destination remote vlan 951

Distribution SW01

monitor session 1 source remote vlan 951

monitor session 1 destination interface gi 7/10

I haven't had much success rspanning a source vlan, plus for our purposes, we were only interested in certain interfaces voice traffic, and not the whole vlan.

Hope that helps.

Rob

andyroles · ‎10-08-2012

Rob, many thanks for this. I think this would work fine for a relatively small number of ports but i need to monitor 4 blades worth of interfaces! and I think this method is limited by the number of interfaces that can be monitored. Thanks again for your feedback tho.

Robert R · ‎10-08-2012

Andy,

Glad to help, are the interfaces solely on the remote switch SW02? or are there some on SW01 as well? I ask because according to the following document, your configuration of SW01 is not supported.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#sameID

Towards the bottom is the following excerpt.

Can a RSPAN Source Session and the Destination Session Exist on the Same Catalyst Switch?

No. RSPAN does not work when the RSPAN source session and the RSPAN destination session are on the same switch.

If an RSPAN source session is configured with a particular RSPAN VLAN and an RSPAN destination session for that RSPAN VLAN is configured on the same switch, then the RSPAN destination session's destination port will not transmit the captured packets from the RSPAN source session due to hardware limitations. This is not supported on the 4500 Series and 3750 Series Switches. This issue is documented in Cisco bug ID CSCeg08870 (registered customers only) .

This is an example:

monitor session 1 source interface Gi6/44
monitor session 1 destination remote vlan 666
monitor session 2 destination interface Gi6/2
monitor session 2 source remote vlan 666

The workaround for this issue is to use the regular SPAN.

It appears as if you will need a third switch to act as the destination of the RSPAN and simply use SW01 as another source for the vlans into the remote vlan 951.

Rob

Bruno Plantier · ‎10-10-2012

Another "funny thing" you can do, if you dont have a third switch, is to make a physical loop between the destination interface of the RSPAN and another interface (i know, thats really bad ), and configure it as source of a new SPAN together with your local port..

monitor session 2 source remote vlan 666
monitor session 2 destination interface Gi6/45     
#  Gi 6/45 is looped on Gi 6/46        
monitor session 1 source interface Gi6/44, interface Gi/46 
monitor session 1 destination Gig6/2               
# Gig 6/2 is plugged on the analyzer

andyroles · ‎10-11-2012

Thanks Bruno.

I think i can see how this would work and it's an interesting way around the problem.

I can't be absolutely sure yet but I think I've solved the problem (at least using 3750 switches) - you can see outline of how on my last post. I'm going to give this config a go on our 6500 infrastructure next.. Fingers crossed!

Cheers,

Andy

andyroles · ‎10-11-2012

Rob,

Thanks. I had some success with something along the lines of what you suggested. I just used the voice VLANs as the source instead of the interfaces (I did this on a pair of 3750s however so I'm hoping this will work for 6509s)

On switch 01 (where the Voice Recorder is connected on port Gi7/10) the monitoring config I used was is follows:

monitor session 1 source vlan 49 , 51

monitor session 1 destination remote vlan 951

monitor session 11 destination interface Gi7/10

monitor session 11 source remote vlan 951

On switch 02 (another source where I need to SPAN traffic from) the monitoring config I used here was:

monitor session 1 source vlan 49 , 51

monitor session 1 destination remote vlan 951

In other words I used local SPANing on the remote switch to monitor the source, and then sent the traffic 'sourced' to the remote destination VLAN 951.

I then used these commands on switch 01. But switch 01 also had the destination config on it to handle the sending of the traffic on source remote VLAN 951 to the destination interface Gi7/10.

As far as I can tell all calls are recording now for this set up. I've tested connecting two phones to switch 02 and managed to record the voice stream between the two phones. In theory the conversation between the two phones connecting to the remote switch (02) should only traverse that switch and not switch 01 so this hopefully means all is good!

Many thanks for your assistance.

Regards,

Andy