A9K SPAN

Chenjiannan · ‎06-12-2012

Two DNS Server connected to two ASR9K,g0/0/0/1 and g0/0/0/2,

Q: I want to monitor DNS Server traffic in and out. and Port spanning four ethernet port of two DNS Server to one destination port.

Can I use a switch connected two ASR9K. and I monitor asr9k,g0/0/0/1 and g0/0/0/2 to destination g0/0/0/3.100 at each Asr9k.

now the monitor traffic carry through the switch to the sniffer? or can you give me your advise,thx.

here is the config

asr9k_R1:

monitor-session DNS

destination interface g0/0/0/3.100

interface g0/0/0/1 l2transport

monitor-session DNS

interface g0/0/0/2 l2transport

monitor-session DNS

interface g0/0/0/3.100 l2transport

encapsulation dot1q 100

rewrite ingress tag pop 1

asr9k_R2:

monitor-session DNS

destination interface g0/0/0/3.100

interface g0/0/0/1 l2transport

monitor-session DNS

interface g0/0/0/2 l2transport

monitor-session DNS

interface g0/0/0/3.100 l2transport

encapsulation dot1q 100

rewrite ingress tag pop 1

switch:

int f0/24

des connected to sniffer_server

sw mo acc sw acc vlan 100

int f0/1

des connected to asr9k_r1

sw mode trunk

sw trun en dot1q

int f0/2

des connected to asr9k_r2

sw mode trunk

sw trunk en dot1q

Chenjiannan · ‎06-12-2012

another question:Does the switch need to config the port span ?

Alexei Kiritchenko · ‎06-18-2012

Hello Jiannan,

Yes, you can have a switch for R-SPAN and you configuration with a vlan tag rewrite is correct.

I don’t think we need a span session on that switch. ASR9k mirror all traffic pushing vlan tag 100 and sending it out of g0/0/0/3.100.

The switch would flood it back to the 2^nd ASR9k (the traffic would be dropped there assuming g0/0/0/3.100 is not participating in any L2VPN) and flood it to the sniffer popping VLAN tag 100.

Regards,

/A