
RSPAN source port is trunk from Core Switch to Router

wilson_1234
Level 1

I have a core switch with an Internet router uplinked. We are installing some monitoring equipment and need the Internet traffic mirrored to an appliance on another floor.

The RSPAN session should be pretty straightforward, but I am not sure how to configure the source port to collect Internet traffic if the source is a trunk.

There are only two VLANs on the trunk, and at the moment, I do not know if we are going to collect both VLANs.

I have the following questions if anyone would like to comment:

First off, can the monitor session be configured to source the entire interface?

If so, how would that work on the destination port? Would the appliance see traffic from both VLANs (two different subnets)?

If the trunk port cannot be used as the source port in the monitor session, then I would configure the source to be a VLAN, is this correct?

If I configure the source to be VLANs, then I should be able to collect a single, or multiple VLANs, is this correct?

If anyone has any input, it would be appreciated.

 

5 Replies

balaji.bandi
Hall of Fame

You can use a single VLAN or multiple VLANs as the source for the remote session.

The guide below will help you configure it:

 

https://www.networkstraining.com/how-to-configure-cisco-span-rspan-erspan/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Giuseppe Larosa
Hall of Fame

Hello wilson_1234,

The source port can be a trunk, and you can capture traffic of all permitted VLANs on the trunk or a subset.

If you want to use RSPAN because the destination device is connected to another switch, be aware of the following:

All switches on the path between the switch with the RSPAN source and the switch with the RSPAN destination port must agree on the RSPAN VLAN ID and on the fact that the VLAN is in RSPAN mode. (This means all switches need to have the RSPAN VLAN configured with the subcommand for remote SPAN mode in VLAN configuration mode.)

No access-ports should be associated to the RSPAN Vlan, because the RSPAN Vlan disables MAC address learning.

 

You also need to consider the amount of traffic you are going to send over the inter-switch trunks if the RSPAN VLAN is permitted over them.

If the amount of traffic is high and can impact the normal usage of access layer switch uplinks, you should consider building a dedicated path using dedicated trunk links that allow only the RSPAN VLAN, and avoid adding the RSPAN VLAN to the normal uplink trunks. This is even more true if this RSPAN has to stay configured and active for a long time. In this case the RSPAN VLAN should not be allowed on the normal uplink trunks but only on the dedicated links.

If you are monitoring a GE port and you want to carry the monitored traffic over 10 GE uplinks, you should be able to simply add the RSPAN VLAN to the already existing uplink trunk ports on both ends of each link.

 

Hope to help

Giuseppe
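
An added example (not from any poster in this thread): a Python check of the conditions listed in the reply above, run over saved running-config text for each switch on the RSPAN path. Switch names, port names and the sample configs are constructed, and the parser only reads plain "switchport trunk allowed vlan <list>" lines.

```python
import re

def expand(spec):
    """Expand a VLAN list such as '10,20-22' to {10, 20, 21, 22}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse(text):
    """Return (remote-span VLANs, {access port: vlan}, {trunk: allowed set})."""
    rspan, access, allowed, kind, name = set(), {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a top-level line opens a new stanza
            m = re.match(r"(vlan|interface) (\S+)$", line)
            kind, name = m.groups() if m else (None, None)
        elif kind == "vlan" and line == "remote-span":
            rspan.add(int(name))
        elif kind == "interface":
            if m := re.match(r"switchport access vlan (\d+)$", line):
                access[name] = int(m.group(1))
            elif m := re.match(r"switchport trunk allowed vlan ([\d,-]+)$", line):
                allowed[name] = expand(m.group(1))
    return rspan, access, allowed

def audit(configs, rspan_vlan, path_trunks):
    """Check each switch on the RSPAN path against the three conditions."""
    findings = []
    for switch, text in configs.items():
        rspan, access, allowed = parse(text)
        if rspan_vlan not in rspan:
            findings.append(f"{switch}: vlan {rspan_vlan} lacks remote-span")
        findings += [f"{switch}: access port {p} is in RSPAN vlan {rspan_vlan}"
                     for p, v in access.items() if v == rspan_vlan]
        findings += [f"{switch}: trunk {p} does not allow vlan {rspan_vlan}"
                     for p in path_trunks.get(switch, [])
                     if p in allowed and rspan_vlan not in allowed[p]]
    return findings

# Constructed sample configs (not from the thread): sw2 has all three faults.
CONFIGS = {
    "sw1": "vlan 901\n remote-span\n!\ninterface Te1/1\n switchport trunk allowed vlan 10,20,901\n",
    "sw2": "vlan 901\n!\ninterface Te1/1\n switchport trunk allowed vlan 10,20-30\n"
           "!\ninterface Gi1/5\n switchport access vlan 901\n",
}
PATH_TRUNKS = {"sw1": ["Te1/1"], "sw2": ["Te1/1"]}  # hypothetical inter-switch ports
print("\n".join(audit(CONFIGS, 901, PATH_TRUNKS)))
```

A trunk with no allowed-VLAN list carries every VLAN, so it produces no finding.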

 

Thank you, I think I am good on the trunk between the two switches. They are directly connected on two 10G ports.
I just have a couple of follow-up questions:
There are only two VLANs on the trunk link from the Core switch to the Internet router.
I am not sure how to configure the source and destination in the monitor session.
Could I source the interface on the core switch, then use a regular destination switchport (where the analyzer will be capturing traffic)?

Switch 1
!
vlan 901
 remote-span
!
! on core switch
monitor session 1 source interface G1/0 both
monitor session 1 destination remote vlan 901
!

Switch 2
!
vlan 901
 remote-span
!
monitor session 1 source remote vlan 901
! a destination interface takes no rx/tx/both keyword
monitor session 1 destination interface G1/10
The above will capture all traffic on interface G1/0 and mirror it to G1/10.
What would I do if I wanted to filter one of the VLANs on the trunk being captured?

monitor session 1 filter vlan XX  <-- XX is the VLAN you want to filter.

 

The RSPAN VLAN should be allowed on ALL trunks between the involved switches (source and destination switches in this case); if you have enabled "pruning" in your network, remove the RSPAN VLAN from pruning with the command “switchport trunk pruning vlan remove <RSPAN VLAN ID>” under the interface configured as a trunk.

BB


I am going to use a trunk that already exists and add the RSPAN VLAN for the RSPAN session.

Since the trunk is already there and passing traffic for the VLAN that is going to be captured in the Monitor session, I cannot prune that VLAN from a working trunk.