03-02-2017 04:29 AM - edited 03-08-2019 09:34 AM
I have set up a remote RSPAN session to monitor all traffic to and from a specific workstation.
I created an RSPAN VLAN 100 and configured both ports:
on the source switch
monitor session 1 source interface Gix/y/z
monitor session 1 destination remote vlan 100
On the destination switch
monitor session 1 destination interface Gia/b/c
monitor session 1 source remote vlan 100
I had expected that all traffic coming from and going to the workstation connected to the source interface would be copied to the destination interface.
In reality it looks like all traffic from the VLAN to which the source port belongs is captured, including the traffic between two other nodes not destined for the workstation on the source port.
So it looks more like monitoring a VLAN instead of monitoring a port.
I'm sure the traffic is not coming from another monitored interface, because when I disable the monitoring on my source interface, I receive no traffic at all on the destination interface.
How do I set up RSPAN to capture only the packets which are sent to/from the workstation connected to the source port?
I know I can set up a capture filter in Wireshark, but that is not what I want.
Jacques
03-02-2017 04:44 AM
Hi
Have you tried with:
monitor session 1 source interface Gix/y/z tx or rx
tx = transmitted info
rx = received info
A source port, also called a monitored port, is a switched or routed port that you monitor for network traffic analysis. In a single local SPAN session or RSPAN source session, you can monitor source port traffic, such as received (Rx), transmitted (Tx), or bidirectional (both). The switch supports any number of source ports (up to the maximum number of available ports on the switch) and any number of source VLANs.
A source port has these characteristics:
It can be any port type, such as EtherChannel, Fast Ethernet, Gigabit Ethernet, and so forth.
It can be monitored in multiple SPAN sessions.
It cannot be a destination port.
Each source port can be configured with a direction (ingress, egress, or both) to monitor. For EtherChannel sources, the monitored direction applies to all physical ports in the group.
Source ports can be in the same or different VLANs.
For VLAN SPAN sources, all active ports in the source VLAN are included as source ports.
VLAN Filtering
When you monitor a trunk port as a source port, all VLANs active on the trunk are monitored by default. You can use VLAN filtering in order to limit SPAN traffic monitoring on trunk source ports to specific VLANs.
VLAN filtering applies only to trunk ports or to voice VLAN ports.
VLAN filtering applies only to port-based sessions and is not allowed in sessions with VLAN sources.
When a VLAN filter list is specified, only those VLANs in the list are monitored on trunk ports or on voice VLAN access ports.
SPAN traffic coming from other port types is not affected by VLAN filtering, which means that all VLANs are allowed on other ports.
VLAN filtering affects only traffic forwarded to the destination SPAN port and does not affect the switching of normal traffic.
You cannot mix source VLANs and filter VLANs within a session. You can have source VLANs or filter VLANs, but not both at the same time.
Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10570-41.html
Hope it is useful
:-)
03-02-2017 04:54 AM
Thanks for your reply! Yes, I did try that....
1. The source port is not a trunk; it is part of a dedicated VLAN.
2. When I select RX only, I see traffic entering the switch from the workstation, but not the traffic from the switch to the workstation (but this is exactly what I would expect).
3. When I select TX only, I seem to see all traffic on the VLAN, so before the switch applies its MAC address table filter to forward only broadcasts and unicast traffic destined specifically for the connected workstation.
Jacques
03-02-2017 05:03 AM
Now if you set up both:
monitor session 1 source interface Gix/y/z both
You should see practically all traffic generated or received on that port.
03-02-2017 05:28 AM
Thanks for your reply, but since 'both' is the default, there is no need to add it on the command line.
The show monitor command shows that "both" is selected.
The problem is that I see too much traffic. The switch should prevent traffic not destined for the MAC address of the workstation from being forwarded to the workstation (and probably it does just that), but my monitor session shows all traffic on the VLAN, not just the traffic to/from the workstation as it appears on the interface's RJ45 connector.
Jacques
03-02-2017 06:13 AM
Presumably Vlan 100 was designated as a specific SPAN Vlan as below?
Switch1(config)#vlan 100
Switch1(config-vlan)#name RSPAN-Vlan
Switch1(config-vlan)#remote-span
You can't put hosts into the remote span vlan, it has to be specific for the SPAN traffic.
Assuming you have done this, you should only see traffic to and from the source port. If the source is an access port in a single vlan, you would also see broadcast traffic for that Vlan as the connected host will see all broadcasts but you shouldn't be seeing unicast traffic between two hosts which are not the host connected to the source port.
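As an added example (not part of the original posts), here is the complete configuration described above on both switches, with the RSPAN VLAN declared as a remote-span VLAN on each switch and the verification commands that show whether it was. The interface names GigabitEthernet1/0/5 and GigabitEthernet1/0/24 and the trunk uplink GigabitEthernet1/0/48 are assumed placeholders; the original thread uses Gix/y/z and Gia/b/c.

```text
! ---- Source switch (where the workstation is connected) ----
! The RSPAN VLAN must be created with the remote-span keyword; if it is
! created as an ordinary VLAN, the destination switch will see it as a
! normal data VLAN and the mirrored traffic is flooded like any other.
vlan 100
 name RSPAN-Vlan
 remote-span
!
! Mirror only the access port of the workstation, in both directions
! (both is the default, shown here for clarity), into the RSPAN VLAN.
monitor session 1 source interface GigabitEthernet1/0/5 both
monitor session 1 destination remote vlan 100
!
! The RSPAN VLAN has to be carried on every trunk between the two
! switches, so make sure it is in the allowed list on the uplink.
interface GigabitEthernet1/0/48
 switchport trunk allowed vlan add 100
!
! ---- Destination switch (where the capture host is connected) ----
vlan 100
 name RSPAN-Vlan
 remote-span
!
monitor session 1 source remote vlan 100
monitor session 1 destination interface GigabitEthernet1/0/24
!
! ---- Verification (run on both switches) ----
! Lists only VLANs flagged as remote-span; VLAN 100 must appear here.
show vlan remote-span
! Shows the session type (Remote Source / Remote Destination), the
! source port with its direction, and the RSPAN VLAN.
show monitor session 1
```

If "show vlan remote-span" does not list VLAN 100 on either switch, the VLAN was created without the remote-span keyword and the session should be rebuilt after fixing that; the destination port should otherwise carry only the source port's own traffic plus the broadcast and multicast traffic that any host in the source VLAN receives.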
03-02-2017 06:51 AM
Correct, that is also why I stated in my initial post:
I'm sure the traffic is not coming from another monitored interface, because when I disable the monitoring on my source interface, I receive no traffic at all on the destination interface.
Jacques
03-02-2017 07:03 AM
Yep, that is correct, the remote VLAN is used for that role only and is not to be used for end users, as was mentioned previously.