Hi Alexei,
Unfortunately you can only specify one vlan for a source when you use the
remote flag (monitor session source remote vlan 150).
I got it working, I'm not sure why it didn't before (I wiped my config).
SW1#sh run | i monitor session
monitor session 1 destination interface Gi1/0/48
monitor session 1 source remote vlan 999
monitor session 2 source interface Gi1/0/1
monitor session 2 destination remote vlan 999
SW1#sh monitor session all
Session 1
---------
Type : Remote Destination Session
Source RSPAN VLAN : 999
Destination Ports : Gi1/0/48
Encapsulation : Native
Ingress : Disabled
Session 2
---------
Type : Remote Source Session
Source Ports :
Both : Gi1/0/1
Dest RSPAN VLAN : 999
SW1#
SW2#sh run | i monitor
monitor session 1 source interface Gi1/0/1
monitor session 1 destination remote vlan 999
SW2#sh monitor session all
Session 1
---------
Type : Remote Source Session
Source Ports :
Both : Gi1/0/1
Dest RSPAN VLAN : 999
SW2#
leigh
> Hi guys,
>
> I think instead of physical interfaces you may have to source from certain
> VLANs
>
> SW1:
> monitor session 1 source vlan 150 , XYZ <- 150 is traffic from your
> secondary ASA via RSPAN, XYZ is VLAN where your primary ASA interface is.
>
> monitor session 1 dest int fa0/10 <- your monitoring station
>
>
> SW2:
> monitor session 1 source vlan XYZ <- VLAN where your secondary ASA interface
> is (here you could use a physical interface as well)
>
> monitor session 1 destination remote vlan 150 <- goes across to SW1
>
> Make sure you have VLAN 150
> remote-span
>
> on each switch.
>
> HTH
> A.
>
> On 29 June 2012 09:46, <leigh_at_leighfinch.net> wrote:
>
>> Hi Marc,
>> You are right. I just labbed this up and it does not work... Unless someone
>> has a better idea all I can think of is running 1 destination port for
>> local span, and 1 destination port for the rspan.
>>
>> I would like to know if there is a better solution.
>>
>> leigh
>>
>> > That won't work. To quote your previous quote:
>> >
>> > "an RSPAN source session cannot have a local
>> > destination port, an RSPAN destination session cannot have a local
>> > source port"
>> >
>> > On Thu, Jun 28, 2012 at 5:10 PM, Leigh Finch <leigh_at_leighfinch.net> wrote:
>> >
>> >> Sorry, just woke up.
>> >>
>> >> Even better set switch 1 to dump to rspan as well.
>> >>
>> >> SW1:
>> >>
>> >> monitor session 1 source interface Fa0/19
>> >> monitor session 1 destination remote vlan 150
>> >> monitor session 2 source remote vlan 150
>> >> monitor session 2 dest int fa0/10
>> >>
>> >> SW2:
>> >>
>> >> monitor session 1 source interface Fa0/19
>> >> monitor session 1 destination remote vlan 150
>> >>
>> >>
>> >> Should do the trick.
>> >>
>> >> leigh
>> >>
>> >>
>> >> On 29/06/12 7:35 AM, Leigh Finch wrote:
>> >>
>> >>> Hi Johnny,
>> >>> From the DOC CD:
>> >>>
>> >>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swspan.html#wp1210541
>> >>>
>> >>> " The switch does not support a combination of local SPAN and RSPAN in a
>> >>> single session. That is, an RSPAN source session cannot have a local
>> >>> destination port, an RSPAN destination session cannot have a local
>> >>> source port, and an RSPAN destination session and an RSPAN source
>> >>> session that are using the same RSPAN VLAN cannot run on the same
>> >>> switch. "
>> >>>
>> >>> On destination ports,
>> >>>
>> >>> " It can participate in only one SPAN session at a time (a destination
>> >>> port in one SPAN session cannot be a destination port for a second SPAN
>> >>> session). "
>> >>>
>> >>> I would be looking at running another port up from your switch to your
>> >>> capture server for the rspan.
>> >>>
>> >>> leigh
>> >>>
>> >>> On 29/06/12 2:19 AM, Johnny Morris wrote:
>> >>>
>> >>>> Hi All,
>> >>>>
>> >>>> 1 - Monitoring Server
>> >>>> 2 - Cisco 3560 switches
>> >>>> 2 - ASA's in active/standby mode
>> >>>>
>> >>>>
>> >>>> I have one monitoring server configured to capture SPAN traffic connected
>> >>>> to the primary switch fa0/19. The monitoring destination port is fa0/10 on
>> >>>> the primary switch. The primary switch is etherchannel to the secondary
>> >>>> switch via g0/1-2. The inside interface of the Active ASA is connected to
>> >>>> fa0/19 Primary switch and Standby on secondary switch fa0/19.
>> >>>>
>> >>>> Currently SPAN is working on the primary device, however in failover
>> >>>> environment I have noticed that RSPAN is not configured to capture the
>> >>>> fa0/19 on the secondary switch. When I labbed this up and configured an
>> >>>> RSPAN vlan on both switches and added the RSPAN vlan to the MST instance I
>> >>>> then configured the following:
>> >>>>
>> >>>> SW1:
>> >>>>
>> >>>> Existing SPAN configs:
>> >>>>
>> >>>> !
>> >>>> monitor session 1 source interface Fa0/19
>> >>>> monitor session 1 destination interface Fa0/10
>> >>>> !
>> >>>>
>> >>>> SW2:
>> >>>>
>> >>>> !
>> >>>>
>> >>>> monitor session 1 source interface Fa0/19
>> >>>>
>> >>>> monitor session 1 destination remote vlan 150
>> >>>> !
>> >>>>
>> >>>> Attempt 1:
>> >>>>
>> >>>> Tried to add the following RSPAN source on SW1:
>> >>>>
>> >>>> monitor session 1 source remote vlan 150
>> >>>>
>> >>>> Received error:
>> >>>>
>> >>>> (config)#monitor session 1 source remote vlan 150
>> >>>> % Cannot add RSPAN VLAN as source for SPAN session 1 as it is not a RSPAN Destination session
>> >>>>
>> >>>> Attempt 2:
>> >>>>
>> >>>> tried to add a second monitor session and it also failed:
>> >>>>
>> >>>> Great_Bend-SW1(config)#monitor session 2 source remote vlan 150
>> >>>> Great_Bend-SW1(config)#monitor session 2 dest int fa0/10
>> >>>> % Interface(s) Fa0/10 already configured as monitor destinations in other monitor sessions
>> >>>>
>> >>>>
>> >>>>
>> >>>> Is there a way anyone can think of to monitor a local source interface and
>> >>>> remote vlan using the same destination? Is there an issue as to why it
>> >>>> cannot be done or is this something Cisco should update/allow in an IOS
>> >>>> code? I don't have an additional NIC on the monitoring server to monitor
>> >>>> otherwise it would work.
>> >>>>
>> >>>>
>> >>>> Much appreciated !
>> >>>>
>> >>>>
>> >>>> Blogs and organic groups at http://www.ccie.net
>> >>>>
>> >>>> _______________________________________________________________________
>> >>>> Subscription information may be found at:
>> >>>> http://www.groupstudy.com/list/CCIELab.html
>> >>>>
>> >>
>> >
>> >
>> > --
>> > Marc Abel
>> > CCIE #35470
>> > (Routing and Switching)
>> >
>>
Received on Fri Jun 29 2012 - 11:12:55 ART
This archive was generated by hypermail 2.2.0 : Sun Jul 01 2012 - 10:39:53 ART
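
The restrictions quoted in this thread from the Catalyst 3560 configuration guide, and the two errors in the original question, can be checked offline against `show run | i monitor session` output before a change is pushed to a capture path. The Python below is an added example, not part of any message in the thread and not Cisco tooling; it assumes the rule names, the `parse` and `check` functions and the sample strings (assembled from configurations quoted in the thread), all constructed for illustration, and a finding only means the quoted guide text lists that combination as unsupported.

```python
import re
from collections import defaultdict

# Accepts full and abbreviated forms from the thread ("dest int fa0/10", "source remote vlan 150").
LINE = re.compile(r"monitor session (\d+) (source|dest\w*) "
                  r"(remote vlan|int\w*|vlan) (\S+)", re.I)

def parse(config):
    """Map session number -> set of (role, kind, value) tuples."""
    sessions = defaultdict(set)
    for num, role, kind, value in LINE.findall(config):
        role = "src" if role.lower() == "source" else "dst"
        kind = {"remote vlan": "rspan", "vlan": "vlan"}.get(kind.lower(), "port")
        sessions[int(num)].add((role, kind, value.lower()))
    return sessions

def check(config):
    """Return sorted (rule, subject) findings for one switch's SPAN lines."""
    findings, dst_ports = set(), defaultdict(set)
    src_sess_vlans, dst_sess_vlans = set(), set()
    for num, items in parse(config).items():
        rspan_in = {v for r, k, v in items if (r, k) == ("src", "rspan")}
        rspan_out = {v for r, k, v in items if (r, k) == ("dst", "rspan")}
        local_src = [v for r, k, v in items if r == "src" and k != "rspan"]
        local_dst = [v for r, k, v in items if (r, k) == ("dst", "port")]
        if rspan_in and local_src:    # RSPAN destination session with a local source
            findings.add(("local-source-in-rspan-destination-session", f"session {num}"))
        if rspan_out and local_dst:   # RSPAN source session with a local destination
            findings.add(("local-destination-in-rspan-source-session", f"session {num}"))
        dst_sess_vlans |= rspan_in
        src_sess_vlans |= rspan_out
        for port in local_dst:
            dst_ports[port].add(num)
    for vlan in src_sess_vlans & dst_sess_vlans:
        findings.add(("rspan-vlan-is-source-and-destination-on-one-switch", f"vlan {vlan}"))
    for port, nums in dst_ports.items():
        if len(nums) > 1:             # a destination port may serve one session only
            findings.add(("destination-port-in-multiple-sessions", port))
    return sorted(findings)

# Constructed inputs, assembled from configurations quoted in the thread.
BASE = "monitor session 1 source interface Fa0/19\nmonitor session 1 destination interface Fa0/10\n"
ATTEMPT_1 = BASE + "monitor session 1 source remote vlan 150\n"
ATTEMPT_2 = BASE + "monitor session 2 source remote vlan 150\nmonitor session 2 dest int fa0/10\n"
SW2 = "monitor session 1 source interface Fa0/19\nmonitor session 1 destination remote vlan 150\n"
PROPOSED_SW1 = SW2 + "monitor session 2 source remote vlan 150\nmonitor session 2 dest int fa0/10\n"

if __name__ == "__main__":
    for name in ("ATTEMPT_1", "ATTEMPT_2", "PROPOSED_SW1", "SW2"):
        print(name, check(globals()[name]))
```

Interface names are compared case-insensitively but not expanded, so `Fa0/10` and `FastEthernet0/10` are treated as different ports.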