cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8475
Views
0
Helpful
5
Replies

Span ports - multiple sources to single destination port on 3750s

paul.matthews
Level 5
Level 5

Guys, I am looking at a requirement to monitor two ports to a single destination port.

The two ports are on different 3750s, so RSPAN would be needed, but one of the ports is on the same switch as the destination port, and I have a nagging thoought that may not be allowed.

So switch 1, source innterface f1/0/1

switch switch 2, source int f1/0/1 target F1/0/4.

On switch one I can go:

vlan123

remote-vlan

mon sess 1 source int f1/0/1

mon sess 1 des rem vlan 123

Switch 2 is this allowed?:

vlan123

remote-vlan

mon sess 1 source int f1/0/1

mon sess 1 des rem vlan 123

mon sess 2 des int f1/0/4

Thanks,

Paul.

5 Replies 5

Antonio Knox
Level 7
Level 7

There is no need to add vlan 123 to Switch 2 if VTP is running.  The RSPAN vlan is handled just like any other vlan and will be learned by client switches in the same VTP domain.  Use a 2nd monitor session to deliver the RSPAN vlan traffic to your Sniffer.  So, your config should look more like this:

Switch 1:

vlan123

remote-vlan

mon sess 1 source int f1/0/1

mon sess 1 des rem vlan 123

Switch 2:

mon sess 1 source int f1/0/1

mon sess 1 des rem vlan 123

mon sess 2 source rem vlan 123

mon sess 2 dest int fa1/0/4

Please rate if helpful.

Thanks for the suggestion - it was only after submitting and looking a little later I realised the omission I had mad. My concern is more on a 3750, can I span a local port into an rspan VLAN, *and* pull the rspan VLAN out to a destination on the same switch?

Yes, you will be able to accomplish this with no problem on a 3750.

Please rate helpful posts.

Again, thanks fr tat. Looking at the details, I was expecting the source ports to be access ports, b

ut it now appears they are trunks. Is there any issue with spanning a trunk port over

rspan?

You can do this, but I HIGHLY RECOMMEND that you implement vlan filters to it.  If you're monitoring a trunk port to a RSPAN vlan, that RSPAN vlan will pretty much be monitoring itself, which creates a virtual monitoring loop and will eventually hault your switch.  Read up here:

Vlan filtering

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swspan.html#wp1200141

Configuring Vlan Filtering 3750

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swspan.html#wp1210225

Please rate if helpful.

Review Cisco Networking for a $25 gift card