RSPAN Questions

carlsbad05
Level 1

Good morning CSF,

Here is my problem. I will try to keep this short and sweet. I have read the below document countless times and am still confused. The entire purpose of setting SPAN/RSPAN up on our network is to filter and record VOICE traffic across the LAN. We have an Eventide Call Recorder setup, as well as an Eventide Gateway.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.1_19_ea1/configuration/guide/swspan.html#wp1081130

I have read other people's posts, and they don't seem to answer the basic questions that I think most people probably already know.

My questions are these:

  1.) When setting up SPAN/RSPAN, can I just put a local SPAN session on my "core" switch that all of my client layer switches connect to, and point the session to all of the trunk ports that are configured locally to pass the traffic? I mean, my "span" vlan is on these trunk ports anyway, so why not just grab the data once it hits the ports on the "core" switch, and filter the data at that point?

  2.) If I do in fact have to configure RSPAN on each of the client-layer switches, as well as a local SPAN session on my "core" switch, then the below question needs to be answered.

     a.) For the RSPAN sessions, I monitor the VLAN I created for RSPAN, but on the local session on my "core" switch, I monitor the actual VOICE VLAN, right? My understanding from the above document is that on the local SPAN session, you do NOT monitor the RSPAN VLAN. Let's just say my VOICE VLAN is 1, and my RSPAN VLAN is 2 and I want to make this session ID 3. On the remote switches (client-layer), I use "monitor session 3 source vlan 1 both", and "monitor session 3 destination remote vlan 2". On the "core" switch where I'm configuring the local session, I would use the following: "monitor session 3 source vlan 1 both" and "monitor session 3 destination interface gi1/1/1 - 3 encapsulation replicate".

Is that a valid configuration? After doing this, my ports that I placed in the destination are the ports going to my Call Recorder and my Gateway. If that is in fact valid, these ports can't be access ports, is that correct?

I also do not have EtherChannel set up for these, as I understand it is not a requirement. I know I'm probably either missing really simple steps, or reading into this way too much, but I'm trying to assist the Sys Admin with this and it's not really working out for us.

At one point, we were able to ping across the board, which as I understand isn't actually a good thing since we didn't have "ingress" statements on the session configs. But when we reconfigured everything and started from scratch, the destination interfaces went into "monitoring" mode, and we couldn't ping. I know that is what is supposed to happen, but we still aren't getting anything recorded, so we don't really know what is wrong. When we put the "ingress" statement in the config, we still couldn't ping, so we are still pretty sure it's a configuration issue in the switch, and not a Gateway/CCM/Recorder issue.

Any assistance is greatly appreciated. I know this is long, I meant to keep it short. I apologize for the long read. Thanks in advance! Cheers!

~ Carl

4 Replies

Peter Paluch
Cisco Employee

Hi Carl,

1.) When setting up SPAN/RSPAN, can I just put a local SPAN session on my "core" switch that all of my client layer switches connect to, and point the session to all of the trunk ports that are configured locally to pass the traffic? I mean, my "span" vlan is on these trunk ports anyway, so why not just grab the data once it hits the ports on the "core" switch, and filter the data at that point?

If you are sure all your voice traffic hits the core switch then absolutely yes - you can simply define a local SPAN session on your core switch, capture all traffic in your voice VLAN and have it monitored. The gotcha in this approach is whether all the voice traffic you want to monitor indeed arrives at the core switch. If it does not - if it is switched locally on some access switches - then you won't capture all you want.

a.) For the RSPAN sessions, I monitor the VLAN I created for RSPAN, but on the local session on my "core" switch, I monitor the actual VOICE VLAN, right? My understanding from the above document is that on the local SPAN session, you do NOT monitor the RSPAN VLAN.

No, this is not correct. In RSPAN, you have two sessions each referring to a remote object:

  1. A source RSPAN session. This session sources data from local ports or VLAN, and its destination is always the designated RSPAN VLAN.
  2. A destination RSPAN session. This session sources data from the designated RSPAN VLAN and its destination is always a local port.

A source session would be configured as follows:

    vlan 2
      name RSPAN_VLAN
      remote-span
    !
    monitor session 3 source vlan 1 both
    monitor session 3 destination remote vlan 2

A destination session would be configured as follows:

    vlan 2
      name RSPAN_VLAN
      remote-span
    !
    monitor session 3 source remote vlan 2
    monitor session 3 destination interface Gi1/1/1

Also, in the source RSPAN session, I suggest monitoring only Rx or Tx traffic. If the traffic is switched across the switch doing the RSPAN monitoring, you will get the traffic recorded twice. So the source session would be modified as follows:

    vlan 2
      name RSPAN_VLAN
      remote-span
    !
    monitor session 3 source vlan 1 rx
    monitor session 3 destination remote vlan 2

The destination session would not be modified. Using encapsulation replicate is not possible with RSPAN sessions.

Would this help at this stage? Please feel welcome to ask further.

Best regards,

Peter
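
An added example, not part of the original thread or any Cisco tooling: a small Python check that applies the rules from the reply above (the source session ends in the RSPAN VLAN, the destination session starts from it, rx or tx rather than both, no encapsulation replicate) to constructed configs built from the thread's numbers. The function name, role labels and finding strings are assumptions made for illustration, and it assumes one monitor session per switch.

```python
import re

# Constructed configs using the thread's numbers: voice VLAN 1, RSPAN VLAN 2, session 3.
VLAN_BLOCK = "vlan 2\n  name RSPAN_VLAN\n  remote-span\n!\n"
ACCESS_AS_ASKED = (VLAN_BLOCK + "monitor session 3 source vlan 1 both\n"
                   "monitor session 3 destination remote vlan 2\n")
ACCESS_AS_ANSWERED = ACCESS_AS_ASKED.replace("vlan 1 both", "vlan 1 rx")
CORE_AS_ASKED = (VLAN_BLOCK + "monitor session 3 source vlan 1 both\n"
                 "monitor session 3 destination interface gi1/1/1 - 3 encapsulation replicate\n")
CORE_AS_ANSWERED = (VLAN_BLOCK + "monitor session 3 source remote vlan 2\n"
                    "monitor session 3 destination interface Gi1/1/1\n")

def lint_rspan(config, role, rspan_vlan):
    """Check one switch's config against the rules in the reply (hypothetical helper).
    role is 'source' (access switch) or 'destination' (switch feeding the recorder)."""
    findings, current, remote_span = [], None, set()
    src, dst = [], []
    for line in config.splitlines():
        vlan = re.match(r"vlan (\d+)\s*$", line)
        mon = re.match(r"monitor session \d+ (source|destination) (.+)$", line.strip())
        if vlan:
            current = vlan.group(1)              # entering a "vlan N" block
        elif line.strip() == "remote-span" and current:
            remote_span.add(current)             # this VLAN is declared as an RSPAN VLAN
        elif not line.startswith(" "):
            current = None                       # left the vlan block
        if mon:
            (src if mon.group(1) == "source" else dst).append(mon.group(2).strip())
    remote = f"remote vlan {rspan_vlan}"
    if str(rspan_vlan) not in remote_span:
        findings.append("rspan-vlan-not-remote-span")
    if role == "source":
        if remote not in dst:
            findings.append("destination-not-rspan-vlan")
        # No explicit rx/tx means both directions, which the reply says can record traffic twice
        if any(not re.search(r"\b(rx|tx)$", s) for s in src):
            findings.append("both-directions-may-duplicate")
    else:
        if remote not in src:
            findings.append("source-not-rspan-vlan")
        if any("encapsulation replicate" in d for d in dst):
            findings.append("encapsulation-replicate-with-rspan")
    return findings
```
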

Peter,

Thank you so much for your reply. I wanted to type up a short message saying that I did read your response, and we are using the information provided towards a solution. However, we have hit somewhat of a roadblock, as the gentleman in charge of actually installing the hardware/updating software to latest version/etc can't even get the hardware working right now. So we have to wait for him to get it all back to how it was, and then we can start playing with SPAN some more. Thanks again for the assistance. I'll update when I have more!

~ Carl

Hi Carl,

Thanks for letting me know!

Best regards,

Peter

Hey Peter (or anyone else),

Got an update on this situation. Been a little busy with network upgrades and lifecycle replacements (fun). At this point, we have recording on almost all of the phones. In fact, in one building we can hear the audio on all but two of the VoIP phones in that building. They are on the same switch, so we know the span session is configured the same way between the two phones. We also have ensured the ports are configured the same, etc etc. The phone works just fine for everything other than recording audio. When you make the call, the voice recorder sees the call and "tries" to record audio, but when playing the audio back, you hear nothing. My guys have been working on this for about two weeks straight now and are about to rip their hair out. The other strange thing that occurs when trying to call between phones is that sometimes two phones on one of the "problematic" switches won't record audio either.

At this point, I am reading about gratuitous ARP and I'm wondering, am I insane to think this could be occurring with phones that we have moved around a lot? Maybe moved once or twice on the same switch...so I had to clear port security on a couple of them and then deal with the ARP entries. Could clearing the ARP cache maybe fix the issue? I'm just reaching at this point I'm sure, but we're pretty stumped. If you need more info, I can of course get a "sanitized" readout of the Wireshark or gateway recording info for the calls in question.

Thanks in advance!!

~ Carl
