Re: Why RSPAN does not work in this situation?

riderfaiz · ‎02-18-2021

HI everyone,

Hope you are all doing well. I have one scenario here...

##########################################

Core switch (with VTP Domain server) -- Switch 1 -- switch 2

+

Sniffer

##########################################

Switch 1 has existing SPAN setup so the traffic (those are voice traffic from VOIP phone) from Switch 1 be mirrored to the sniffer (our server) which is also connected on switch1. This settings has been running in the past 10 years.

Now we have a new building and try to expand the network. So we add switch 2 in the new building. We also want the traffic n be able to be mirrored to the sniffer server back connectedon switch 1. Therefore we try to implement RSPAN so we expect all traffic from all devices on both switch1 and switch2 can be mirrored to the server. However, the tech support said we could only the mirror traffic from the device on switch 2 to the server. But he said the traffic from the device on switch 1 cannot.

May I ask if this is feasible? If not true, If so what is the configuration settings? Or what is other possible solutions? Our two switches are in VTP domain..so the support told me the reserved vlan will have to be created on the core switch, which is the VTP domain server.

Thank you for your help in advance.

Bobson

balaji.bandi · ‎02-18-2021

Just thinking - If the sniffer has 2 interfaces you can connect both to Switch 1, so 2 can have 2 sources and 2 destinations, is this works for you?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

riderfaiz · ‎02-18-2021

Hi thank you for your prompt response. I really appreciate it. It may not work... the server has only two porst...one is the lan and another one is the port collecting that traffic.
Based on the scenario, do you think switch 1 won't be able to mirror the traffic even with rspan?

Thank yoU!

balaji.bandi · ‎02-18-2021

Not sure about your config but general guidelines here below link : ( that is the reason I have suggested 2 interfaces in the Server ) - that is durable, if you keen to have sniffed the traffic as part of compliance, getting a new interface, not a big task I see here.

https://community.cisco.com/t5/networking-documents/the-limitations-of-span-and-rspan-on-the-cisco-catalyst-2950/ta-p/3124141

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

riderfaiz · ‎02-18-2021

Hi Balaji,

Thank you again! What I am trying now is to add another switch to the old building, so there will be three switches in this case, two in the old building (which one is already there),and is the new building. On the 2nd new switch in the old building I will move all devices to the new switch and leave the sniffer on the same old switch. This way it should work and be able to make all devices mirror the traffic.
I will copy the config in a moment.
Thank you again for your response.

Bobson

balaji.bandi · ‎02-18-2021

yes, i was about to suggest that also one of the approaches, you can also move the sniff point to exit network, so you can able to capture all device information. since we are not sure how your network (i only thinking this option is feasible to you ?)

In this sense - all the VLAN are stretched to all switches and connected.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help