
RSPAN: Multiple destination switch ports for single RSPAN vlan

Supercell292929
Level 1

Hello,

I currently have two voice recorders on a single switch with Cisco 7965 phones dumping to the two separate voice recorders on mostly (all are separate less one) separate source vlans. This is all L2. One of the voice recorders is working fine (XXXXXDEST Session1) while the other is not. Trying to determine if both destination switch ports can be on the same RSPAN vlan (see below). Selected switch ports are assigned to remote rspan vlan 337. Since there are no fw/acl's on the entire L2 LAN, do I need to setup a remote-span vlan per device, or will one switch suffice? As it stands now, each switch within the path has a remote-span 337 setup. There is also a vlan 337 within the vlan vtp domain (only used for rspan). Vlan 337 is allowed through all port channels necessary as well for all possible paths. All remote vlans are allowed in on both sides of the port channels for XXXREMOTE1 AND 2.

NOT WORKING CURRENTLY FROM THESE TWO REMOTE SWITCHES:

REMOTE SWITCHES (2960S AND 3560):

XXXREMOTE1#mon session 2 source int gi1/0/36
XXXREMOTE1(config)#mon session 2 destination remote vlan 337

XXXREMOTE1#sho mon session 2
Session 2
---------
Type : Remote Source Session
Source Ports :
Both : Gi1/0/36
Dest RSPAN VLAN : 337

XXXREMOTE1#sho vlan remote-span

Remote SPAN VLANs
------------------------------------------------------------------------------
337

##########################################################

XXXREMOTE2#mon session 2 source int fa0/17,fa0/18,fa0/20
XXXREMOTE2(config)#mon session 2 destination remote vlan 337

XXXREMOTE2#sho mon session 2
Session 2
---------
Type : Remote Source Session
Source Ports :
Both : Fa0/17-18,Fa0/20
Dest RSPAN VLAN : 337

XXXREMOTE2#sho vlan remote-span

Remote SPAN VLANs
------------------------------------------------------------------------------
337

##########################################################

##########################################################

DESTINATION SWITCH (3850 STACK)

sho mon session2
Session 2
---------
Type : Local Session
Source VLANs :
Both : 311,315,353,361
Destination Ports : Gi1/0/13
Encapsulation : Native
Ingress : Enabled, default VLAN = 337
Ingress encap : Untagged


XXXXXDEST#sho vlan remote-span

Remote SPAN VLANs
------------------------------------------------------------------------------
337

INDIVIDUAL DESTINATION PORTS ON SAME XXXXXDEST  (3850 STACK):

interface GigabitEthernet1/0/13                                 <<<<<<### NOT WORKING CURRENTLY
description Uplink to VoiceLogger (RSPAN PORT)
switchport access vlan 337
switchport mode access
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree guard root
end

interface GigabitEthernet1/0/17                                <<<<<<### WORKING CURRENTLY
description RSPAN FOR xxx PCIe NIC
switchport access vlan 337
switchport mode access
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree guard root
end

WORKING CURRENTLY (SAME 3850 AS JUST ABOVE) *SOURCE PORTS FOR SESSION 1 ARE ON THE XXXXXDEST SWITCH AS WELL:

XXXXXDEST#sho mon session 2                           <<<<<<### NOT WORKING CURRENTLY

Session 2
---------
Type : Local Session
Source VLANs :
Both : 311,315,353,361
Destination Ports : Gi1/0/13
Encapsulation : Native
Ingress : Enabled, default VLAN = 337
Ingress encap : Untagged

XXXXXDEST#sho mon session 1                               <<<<<<### WORKING CURRENTLY
Session 1
---------
Type : Local Session
Source VLANs :
Both : 311,491
Destination Ports : Gi1/0/17
Encapsulation : Native
Ingress : Enabled, default VLAN = 337
Ingress encap : Untagged

Thank you in advance.

1 Accepted Solution


Hi

You can use RSPAN to monitor the traffic and send the information to different switches. The source traffic will be mirrored to a VLAN (in your case VLAN 337). Verify that:

- The RSPAN VLAN is created on the destination device
- The RSPAN VLAN is allowed under the trunk interfaces.

Now the destination port should not have any configuration applied. You can use the default command to remove the configuration on the destination port.  Remember the remote vlan must be applied for end users. 

conf t

default interface G X/X

On this port you are going to connect your sniffer. 

Configuration example:

SOURCE SWITCH

vlan 337
remote-span 

interface G1/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan add 10,20,337

monitor session 1 source interface G1/15 both
monitor session 1 destination remote vlan 337

DESTINATION SWITCH

vlan 337
remote-span 

interface G1/24
description SNIFFER_SERVER_1

interface G1/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan add 10,20,337

monitor session 1 source remote vlan 337
monitor session 1 destination interface G1/24

Usually some of the recording systems have 2 NICs, one for sniffing and the other for management.

Hope it is useful

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

14 Replies

Thank you for this! Still testing. The only glitch was this:

XXXXDEST(config)#monitor session 2 des remote vlan 337
% Session - 2 is a not a Remote Source session. Can't add RSPAN VLAN as destination

You are welcome  :-)

Did you add the following on the destination switch? Remember, this VLAN should not be used for any role other than remote span.

vlan 337
remote-span 





Yes and as a result the logger is working now. :~)

I originally had vlan 337 within the vtp domain. I removed that prior to following your instructions.

Thank you Julio!

Great!  You are welcome my friend

:-)





If I have another Cisco phone that is 4 hops away (one Nexus 9000 in the path), do I need to add vlan 337 remote-span to each switch in-between since vtp does not carry this vlan?

Hi

If you are restricting the vlans under the trunk interfaces, yes. The vlans are important locally unless you are using VTP.

:-)





So I could have created an rspan vlan via the vtp server instead of locally on each switch? (all port channels already accept vlan 337)

Hi Julio,

    See attached JPEG.

Well, what I thought was working was only partially working. The phone logger would only reveal a few calls from these rspanned Cisco phones per day when it should have been pulling a lot more (you would think that rspan would either work, or it would not.) Ultimately, I had to physically move the specific rspanned Cisco phones to the same 3850 stack that the actual voice log server was on. This immediately solved the issue (now a span, but did not setup span, nor did I alter the rspan config that you previously recommended.) 

I can't wrap my head around this one. Are the former 3650/2960 switches that the phones were previously on incompatible with the 3850 when it comes to rspan, or does having the Cisco Nexus 9504 within the path mess things up?

Again - via vtp, all switches (including the Nexus 9504) contain the rspan vlan 337. Nothing else is using it and all port channels within the path of the sourced phones and the rspan destination contain vlan 337. 

What is interesting is that the other voice log (from now on referred to as "voice logger #2") server for a different set of Cisco phones (also using rspan vlan 337) only works due to the fact that the Cisco phones are also on the same physical switch as the logger #2 itself. Try as I might - I cannot get a phone in another building to be seen by this voice logger #2.

I will need to figure this out soon as the voice logger is going virtual and will be moved to another location, thus separated physically from the Cisco phones. This will mean that rspan will definitely have to work.

Is there any way to troubleshoot rspan by using any Cisco related cli commands, or is Wireshark my best bet?

Can both voice loggers share the same rspan vlan (337), or should I create two separate rspan vlans?

Thank you once again,

Supercell
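One way to check the `show monitor session` outputs posted in this thread offline, as an added example that is not part of any post: it parses the output and reports any RSPAN VLAN that a source switch feeds but no destination session reads. The function names are hypothetical, and the `Remote Destination Session` / `Source RSPAN VLAN` labels and port `Gi1/0/24` in the third sample are a constructed, assumed output format.

```python
import re

# Reproduced from the thread: source switch, session 2.
SOURCE_OUT = """Session 2
---------
Type : Remote Source Session
Source Ports :
Both : Gi1/0/36
Dest RSPAN VLAN : 337
"""
# Reproduced from the thread: destination switch as first posted.
DEST_BEFORE = """Session 2
---------
Type : Local Session
Source VLANs :
Both : 311,315,353,361
Destination Ports : Gi1/0/13
"""
# Constructed sample (assumed output format) after applying the accepted answer.
DEST_AFTER = """Session 1
---------
Type : Remote Destination Session
Source RSPAN VLAN : 337
Destination Ports : Gi1/0/24
"""

def parse_sessions(text):
    """Parse 'show monitor session' output into {session number: {field: value}}."""
    sessions, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"Session (\d+)", line)
        if header:
            current = sessions.setdefault(int(header.group(1)), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return sessions

def audit_rspan(source_out, dest_out):
    """List RSPAN VLANs a source switch feeds that no destination session reads."""
    dest = parse_sessions(dest_out)
    findings = []
    for sid, s in parse_sessions(source_out).items():
        vlan = s.get("Dest RSPAN VLAN")
        if vlan and not any(d.get("Source RSPAN VLAN") == vlan for d in dest.values()):
            types = sorted({d.get("Type", "?") for d in dest.values()})
            findings.append(f"source session {sid}: RSPAN VLAN {vlan} has no reader; "
                            f"destination has only {types}")
    return findings
```
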

Hi my friend, apologies, it has been a busy week. About VTP: you can use it to propagate the remote VLAN, but I have not used remote-span with VTP; it could work.

If you enable VTP you will see VLAN 337 like my VLAN 100 example:

sh vlan id 100

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
100 VLAN0100 active Fa1/0/7, Fa1/0/8, Fa1/0/9
Fa1/0/10

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
100 enet 100100 1500 - - - - - 0 0

Remote SPAN VLAN
----------------
Enabled

Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------





No apologies necessary. :~)

Please see my attachment in last post to see my possible voice recorder dilemma.

:~)

Hi,

We have two 2960X switches in a call center and two call recording servers connected to port  40 in both switches. (switch is not a stack).

They need to monitor voice vlan of both switches in to both recording servers.
(SW1 & SW2 voice vlan traffic mirror to port 40 of SW1 & SW2.)

Can somebody help us with any idea? Thank you very much.

Hi

If you are going to have a recording server at a different location (passing a routed network), you can use ERSPAN.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/lanswitch/configuration/xe-3s/lanswitch-xe-3s-book/lnsw-conf-erspan.html

http://packetpushers.net/erspan-new-favorite-packet-capturing-trick/





Despite the fact that the 9504 is a L3 device, I have rspan setup via vtp purely on its own L2 (no SVI for vlan 337) going through the 9504 and to the voice recorder destination. I don't see any issue there (no need for ERSPAN.)

What I do have a question about is this:

Can I have two voice recorders on the same rspan vlan for two separate groups of Cisco phones, or should I create two separate rspan vlan's?

You've been very helpful so far! :~)
