Timothy Burns

Setup Port Span in 6509 VSS pair

We have a pair of 6509s set up in VSS. Our distribution layer is port channeled to the 6509VSS, one connection going to 6509A and the other going to 6509B. Our VLANs live in the 6509s.

We are setting up a Trustwave NAC appliance and have a spanned port set up on 6509A that is spanning VLAN 10 which is plugged into the NAC. I was on a support call with Trustwave and they were thinking that we would need to set up an additional spanned port for VLAN 10 on 6509B in order to make sure we gathered all traffic for VLAN 10. The explanation they gave was that at the distribution that is port channeled, if traffic is routed to the link that goes to 6509B then that information may not be captured by the spanned port we have set up on the 6509A.

To sum my question up, is the VLAN traffic known by both 6509s in the VSS pair?

Let me know if I have left any information out.

Cisco Employee

I suppose that you have a MEC between your distribution layer and your VSS, right?

Anyway, from what I understand, if your SPAN destination is a link on chassis A of your VSS, there is no need to add anything else on chassis B. Traffic in VLAN 10 will traverse the VSL link from chassis B to reach your destination port on chassis A.

This is something you should be aware of anyway... you might congest the VSL link in this case (the locality rule prevents this from happening under normal circumstances; traffic leaving a VSS MEC will always use the local leg(s) of the MEC unless it is down). Make sure you have enough bandwidth on your VSL link.