RSPAN Using Cisco Catalyst 3560G as Source and 3750G as Destination Switches
Goal: Mirror all voice traffic for recording.
Voice VLAN to monitor: 100 (on the 3560)
RSPAN VLAN to create: 500 (on all involved switches)
Dedicated destination port and switch: Gi1/0/3 (on the 3750)
See attached, current configuration
As a test, Wireshark is running on a laptop connnected to the destination port. The destination port is itself configured for VLAN 100, the same VLAN as that being monitored. According to documentation, destination ports configured within a monitored VLAN are merely excluded from monitoring, so I assume this setup is acceptable.
Not that it can generally get anywhere as a designated RSPAN destination, but the capture laptop is configured with a valid IP on the 100 VLAN.
Both switches are interconnected with all VLANs allowed on uplink trunks, but I am not receiving packets with Wireshark beyond broadcasts by the local machine.
Specific Config Questions:
1. Are my monitoring sessions properly configured?
2. Is my destination port and capture device properly configured?
3. Any suggestions?
Other questions:
1. Is port security a problem for egress monitoring on source switches or just the destination port? In other words, am I going to have to remove port security from all voice switchports in order to get this to work?
3. Any gotcha advice with respect to bandwidth, RAM, CPU utilization?
I've read Cisco's documentation on RSPAN, but cannot seem to get clear on answers to the above questions. Thanks for any help!
Voice VLAN to monitor: 100 (on the 3560)
RSPAN VLAN to create: 500 (on all involved switches)
Dedicated destination port and switch: Gi1/0/3 (on the 3750)
See attached, current configuration
As a test, Wireshark is running on a laptop connnected to the destination port. The destination port is itself configured for VLAN 100, the same VLAN as that being monitored. According to documentation, destination ports configured within a monitored VLAN are merely excluded from monitoring, so I assume this setup is acceptable.
Not that it can generally get anywhere as a designated RSPAN destination, but the capture laptop is configured with a valid IP on the 100 VLAN.
Both switches are interconnected with all VLANs allowed on uplink trunks, but I am not receiving packets with Wireshark beyond broadcasts by the local machine.
Specific Config Questions:
1. Are my monitoring sessions properly configured?
2. Is my destination port and capture device properly configured?
3. Any suggestions?
Other questions:
1. Is port security a problem for egress monitoring on source switches or just the destination port? In other words, am I going to have to remove port security from all voice switchports in order to get this to work?
3. Any gotcha advice with respect to bandwidth, RAM, CPU utilization?
I've read Cisco's documentation on RSPAN, but cannot seem to get clear on answers to the above questions. Thanks for any help!
************************************************
Example 3750 destination switch and port
************************************************
3750(config)#vlan 500
3750(config-vlan)#remote-span
3750(config-vlan)#end
3750(config)#monitor session 1 source remote vlan 100
3750(config)#monitor session 1 destination interface Gi1/0/3 both
3750(config)#int Gi1/0/3
3750(config-if)#switchport access vlan 100
3750(config-if)#do wri mem
************************************************
Example 3560 source switch to monitor
************************************************
3560(config)#vlan 500
3560(config-vlan)#remote-span
3560(config-vlan)#end
3560(config)#monitor session 1 source vlan 100
3560(config)#monitor session 1 destination remote vlan 500
3560(config)#end
3560(config)#do wri mem
ASKER
Thanks for the response. Unfortunately, that's an unrecognized command on my 3750. This test system is running the IP services image of IOS version 12.2(25) SEE2.
ASKER
I figured it out. I hosed the source VLAN on the destination port/switch. I edited the configuration as noted, and it is working now.
I can still award points, though, for answers to the rest of my questions, especially that pertaining to port security. If it turns out I cannot use port security at the source ports, I am going to need to remove a lot of configurations before putting this into production.
So how about it: Will port security on source ports (whether monitored as ports or VLANs) cause a problem in this RSPAN configuration?
I can still award points, though, for answers to the rest of my questions, especially that pertaining to port security. If it turns out I cannot use port security at the source ports, I am going to need to remove a lot of configurations before putting this into production.
So how about it: Will port security on source ports (whether monitored as ports or VLANs) cause a problem in this RSPAN configuration?
************************************************
Instead of this line...
************************************************
3750(config)#monitor session 1 source remote vlan 100
************************************************
The destination switch config should read...
************************************************
3750(config)#monitor session 1 source remote vlan 500
ASKER
Cisco documentation states, "For SPAN sessions, do not enable port security on ports with monitored egress when ingress forwarding is enabled on the destination port. For RSPAN source sessions, do not enable port security on any ports with monitored egress."
To me, the context is not clear regarding whether this refers only to port-based, vlan-based, or both types monitoring, and I don't want to remove port security from fifty ports unnecessarily.
Other references to RSPAN and port security seem isolated to the scope of the destination port. For instance, among Cisco's line item descriptions of a 'destination port' is specific mention that "it cannot be a secure port." No such description exists for source ports.
To me, the context is not clear regarding whether this refers only to port-based, vlan-based, or both types monitoring, and I don't want to remove port security from fifty ports unnecessarily.
Other references to RSPAN and port security seem isolated to the scope of the destination port. For instance, among Cisco's line item descriptions of a 'destination port' is specific mention that "it cannot be a secure port." No such description exists for source ports.
The limitation I believe is on port monitoring and the destination port. You see port security looks at mac addresses of packets being sent to the port and since you are gettting all the packets coming through. port-security will think that you have multiple devices plugged into that port and disable the port.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
monitor session 1 source vlan 100 both
monitor session 1 destination remote vlan 500 reflector-port interface Gi1/0/3