08-08-2010 12:31 AM - edited 03-06-2019 12:22 PM
Hello,
I'm facing a scenario in which I have 2 sites connected with a L3 (a cloud - not p2p) connection between them.
The topology looks something like this:
VM server <--Lan--> C6500 <--LAN--> C3845 <--WAN--> C3845 <--LAN--> C4500 <--LAN--> Source IPT
The purpose of this is to monitor voice calls - which are in a separate vlan in the C4500.
I've searched the web for a solution, but all I came up with is ERSPAN which is not supported on C4500.
There's another solution with l2tpv3, but I think it is rather complicated for this scenario (many changes) - there must be something else... no?
Is it possible to accomplish L3 SPAN over a WAN to sniff the network?
Has anyone faced a situation like this?
Your feedback is highly appreciated,
Thanks for the help.
Nir.
08-08-2010 12:53 AM
Hi Nir,
As far as I know, RSPAN is not possible over layer 3 links.
I've been searching for a solution for this myself for a while now and found out that Wireshark has some sort of remote capturing feature. http://www.wireshark.org/docs/wsug_html_chunked/ChCapInterfaceRemoteSection.html
I haven't tested it so far, but I think you can install a service on a PC which is capturing a spanned port. With another PC that has Wireshark installed you can download the capture files or maybe even live data.
greets
Dennis
08-08-2010 05:04 AM
Hi Dennis,
Thanks for the prompt reply!
I'm looking for a different solution though, something that will not require installing something on a pc, but a config on the Switches (with the Voice Vlan), and the destination will be the VM server with the application that will analyze the traffic.
Thanks!
08-08-2010 05:17 AM
Hello Nir,
You can use VLAN-based L2TPv3 point-to-point L2 transport over the two C3845 to carry the RSPAN VLAN, with the performance limitations of the software-based routers and with the speed limitation of the WAN link.
Have a look at vlan based L2TPv3 on:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtl2tpv3.html#wp1046193
The new VLAN has to be enabled on links between the C3845 and the LAN switches, and you would need to use an 802.1Q L2 trunk on the switch side and an SVI for the VLAN(s) where L3 communication with the WAN router has to take place.
If you are using routed ports, you can use additional ports configured as 802.1Q trunks to carry only the new RSPAN VLAN, and you will need additional ports also on the C3845 routers (unless you want to migrate the current links to 802.1Q L2 trunks).
From the point of view of the two LAN switches, an end-to-end L2 path for RSPAN is set up, and you should be able to move captured traffic to the other site over the L3 WAN link if the WAN link speed is greater than the mirrored traffic volume.
the C3845 will need an IOS image of appropriate feature set to support L2TPv3, you can check this using feature navigator at
you can search by image name or by feature name
>> There's another solution with l2tpv3, but I think it is rather complicated for this scenario (many changes) - there must be something else... no?
with your devices L2TPv3 is the only option, EoMPLS can be used only between higher end devices.
Hope to help
Giuseppe
08-09-2010 12:46 AM
Hi Giuseppe,
Thanks for the help!
I've configured the L2TPv3 Connection between 2 routers in a lab first..
Now I need to configure the RSPAN connection to collect as source a VLAN that is on LAN1, and send as destination to the vlan of xconnect, right?
do I need to make the vlan of xconnect as the remote span vlan?
Thanks again
08-09-2010 02:43 AM
Hello Nir,
>> do I need to make the vlan of xconnect as the remote span vlan?
yes that is the idea
Hope to help
Giuseppe
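The design discussed in the replies above, sketched as an added configuration example (not posted by any participant in this thread). VLAN 5 is the RSPAN VLAN mentioned in the thread; the voice VLAN number (100), interface names, loopback addresses (192.0.2.x), pseudowire-class name and VC ID are assumptions.

```cisco
! --- C4500 (source site): mirror the voice VLAN into the RSPAN VLAN ---
vlan 5
 remote-span
!
monitor session 1 source vlan 100 rx
monitor session 1 destination remote vlan 5
!
! Dedicated 802.1Q trunk towards the local C3845, carrying only VLAN 5
interface GigabitEthernet1/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 5
!
! --- C3845 (source site): VLAN-based L2TPv3 xconnect ---
! L2TPv3 does not encrypt by itself, so the mirrored voice payload
! crosses the WAN in clear unless the path is protected separately.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
pseudowire-class RSPAN-PW
 encapsulation l2tpv3
 ip local interface Loopback0
!
interface GigabitEthernet0/1.5
 encapsulation dot1Q 5
 xconnect 192.0.2.2 5 pw-class RSPAN-PW
!
! The C3845 at the monitoring site mirrors this block with its own
! loopback (192.0.2.2) and "xconnect 192.0.2.1 5 pw-class RSPAN-PW".
!
! --- C6500 (monitoring site): hand the RSPAN VLAN to the analyzer ---
vlan 5
 remote-span
!
monitor session 1 source remote vlan 5
monitor session 1 destination interface GigabitEthernet1/10
```

The loopback addresses must be reachable across the WAN cloud, and `show l2tun session` on either router shows whether the pseudowire is up.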
08-09-2010 02:51 AM
Hi Giuseppe,
I have another question though...
Whenever I put this command:
"monitor session 1 destination remote vlan 5 reflector-port Fa0/24"
(Fast 0/24 is the connection to the router) the port goes down - and there is no possibility to remove the command "reflector-port"
This is the port that is supposed to be configured... or do I have to make a separate connection for this reflector port?
Thanks,
12-16-2011 03:18 AM
Use ERSPAN, this is supported by Cisco to pass the monitored traffic over layer 3 using GRE tunnels.
Hope this is what you were looking for.
See link below. http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/span.html#wp1063324