SPAN and RSPAN with 2x 3560-CX configuration question

Paul Flint
Level 1

I have two 3560s in separate buildings connected by a fibre using SFP port 2.
I want to monitor all traffic on both switches using a device connected to switch 1.

switch 1
Gi0/1 to Gi0/8 Vlan 1
Gi0/9 to Gi0/12 Vlan 2
Gi0/16 SFP fibre link to switch 2/Gi0/16

switch 2
Gi0/1 to Gi0/8 Vlan 1
Gi0/16 SFP fibre link to switch 1/Gi0/16

It is my understanding that in order to monitor traffic from both switches I would need to use a span session on switch 1 and an RSPAN on switch 2.
If my monitor device is connected to switch 1, will I need to use two ports to connect to it, one for each session (Gi0/13 & 14)?
If yes, could this be avoided using vlan instead of ports or alternatively if the switches were stacked I could just use a SPAN session?

 


liviu.gheorghe
Spotlight

Hello @Paul Flint ,


It is my understanding that in order to monitor traffic from both switches I would need to use a span session on switch 1 and an RSPAN on switch 2.

That is correct.

If my monitor device is connected to switch 1, will I need to use two ports to connect to it, one for each session (Gi0/13 & 14)?
If yes, could this be avoided using vlan instead of ports or alternatively if the switches were stacked I could just use a SPAN session?

Yes, you will have to configure 2 monitor sessions, one for the ports in switch 1 and one for the RSPAN, each with their separate destination port in switch 1.

You cannot avoid having two monitoring sessions. You could use VLANs as the source for monitoring, but you cannot combine VLANs on switch 1 with the remote VLAN used for RSPAN.

If the switches were stacked, then it would be a single virtual switch and you could have just one monitor session because you wouldn't need the RSPAN.

Hope this helps.

Regards, LG
*** Please Rate All Helpful Responses ***
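
The two-session layout described in the reply above, written out as an added example (not configuration posted by anyone in this thread). Assumptions: VLAN 900 is a free VLAN ID used as the RSPAN VLAN, Gi0/13 and Gi0/14 on switch 1 are the two ports facing the monitoring device as in the question, and the Gi0/16 fibre link is an 802.1Q trunk.

```cisco
! ===== Switch 2 (remote building): RSPAN source session =====
! Assumed RSPAN VLAN ID 900; it must exist as a remote-span VLAN on both switches.
vlan 900
 remote-span
!
! Mirror the access ports, both directions, into the RSPAN VLAN.
! The uplink Gi0/16 is deliberately not a source port.
monitor session 1 source interface GigabitEthernet0/1 - 8 both
monitor session 1 destination remote vlan 900
!
! ===== Switch 1 (monitoring device attached here) =====
vlan 900
 remote-span
!
! Session 1: local SPAN of switch 1's own access ports to the first
! monitoring port. Source range excludes the uplink and both destination ports.
monitor session 1 source interface GigabitEthernet0/1 - 12 both
monitor session 1 destination interface GigabitEthernet0/13
!
! Session 2: RSPAN destination. Traffic arriving in VLAN 900 from
! switch 2 is delivered to the second monitoring port.
monitor session 2 source remote vlan 900
monitor session 2 destination interface GigabitEthernet0/14
!
! ===== Both switches: the fibre link must carry VLAN 900 =====
! Assumption: Gi0/16 is already a trunk. The line below is only needed
! when the trunk's allowed-VLAN list has been restricted.
interface GigabitEthernet0/16
 switchport trunk allowed vlan add 900
!
! Note: a frame that crosses the fibre between monitored ports is mirrored
! once on each switch, so the monitoring device sees it on both Gi0/13 and
! Gi0/14 and should de-duplicate.
```

`show monitor session all` and `show vlan remote-span` on each switch confirm that the sessions and the RSPAN VLAN are in place.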

alptechexpert
Level 1

Hi @Paul Flint, hope you're having a good day. To configure SPAN (Switched Port Analyzer) and RSPAN (Remote SPAN) on your Cisco Catalyst 3560 switches to monitor traffic between them, follow these steps:

1. Configure the Source Ports on Switch 1:

interface range GigabitEthernet0/1-8, GigabitEthernet0/9-12
switchport mode access
monitor session 1 source interface GigabitEthernet0/1 - 8 , GigabitEthernet0/9 - 12

2. Configure the Destination Port on Switch 1:

interface GigabitEthernet0/16
switchport mode access
monitor session 1 destination interface GigabitEthernet0/16

3. Configure the Source Port on Switch 2:

interface GigabitEthernet0/16
switchport mode access

4. Configure the Destination Port on Switch 2:

interface range GigabitEthernet0/1-8, GigabitEthernet0/9-12
switchport mode access
monitor session 1 source interface GigabitEthernet0/16

5. Configure RSPAN VLAN on Both Switches:

vlan 900
remote-span

6. Configure RSPAN Source and Destination on Switch 1:

monitor session 2 source interface GigabitEthernet0/16
monitor session 2 destination remote vlan 900

7. Configure RSPAN Source and Destination on Switch 2:

monitor session 2 source remote vlan 900
monitor session 2 destination interface GigabitEthernet0/16

This configuration will mirror the traffic from the source ports on both switches to the destination port on switch 1 and then to switch 2, allowing you to monitor all traffic between the switches.

Please note that the exact commands may vary depending on the IOS version running on your switches. Make sure to adjust the configuration accordingly.

Also, if you feel like upgrading your network switch, I recommend you check out this Network Switch.

I hope this comprehensive response resolves your issue. Good luck!
