Yeah, this is a typical RSPAN setup if you want to pump traffic to your
IDS/IPS from several VLANs across 2 or more switches.
I am not sure either what the use-case would be for the source remote vlan.
Cheers
A.
On 29 June 2012 12:31, Leigh Finch <leigh_at_leighfinch.net> wrote:
> Hi Alexei,
> You are correct, it does work :) This makes me question what the point of
> source remote vlan is?
>
> leigh
>
> > don't say source remote vlan, just say source vlan
> > give it a test
> >
> > On 29 June 2012 11:12, Leigh Finch <leigh_at_leighfinch.net> wrote:
> >
> >> Hi Alexei,
> >> Unfortunately you can only specify one vlan for a source when you use the
> >> remote flag (monitor session source remote vlan 150).
> >>
> >> I got it working, I'm not sure why it didn't before (I wiped my config).
> >>
> >> SW1#sh run | i monitor session
> >> monitor session 1 destination interface Gi1/0/48
> >> monitor session 1 source remote vlan 999
> >> monitor session 2 source interface Gi1/0/1
> >> monitor session 2 destination remote vlan 999
> >> SW1#sh monitor session all
> >> Session 1
> >> ---------
> >> Type : Remote Destination Session
> >> Source RSPAN VLAN : 999
> >> Destination Ports : Gi1/0/48
> >> Encapsulation : Native
> >> Ingress : Disabled
> >>
> >>
> >> Session 2
> >> ---------
> >> Type : Remote Source Session
> >> Source Ports :
> >> Both : Gi1/0/1
> >> Dest RSPAN VLAN : 999
> >>
> >>
> >> SW1#
> >> SW2#sh run | i monitor
> >> monitor session 1 source interface Gi1/0/1
> >> monitor session 1 destination remote vlan 999
> >> SW2#sh monitor session all
> >> Session 1
> >> ---------
> >> Type : Remote Source Session
> >> Source Ports :
> >> Both : Gi1/0/1
> >> Dest RSPAN VLAN : 999
> >>
> >>
> >> SW2#
> >>
> >> leigh
> >>
> >> > Hi guys,
> >> >
> >> > I think instead of physical interfaces you may have to source from
> >> > certain VLANs
> >> >
> >> > SW1:
> >> > monitor session 1 source vlan 150 , XYZ <- 150 is traffic from your
> >> > secondary ASA via RSPAN, XYZ is the VLAN where your primary ASA interface is.
> >> >
> >> > monitor session 1 dest int fa0/10 <- your monitoring station
> >> >
> >> >
> >> > SW2:
> >> > monitor session 1 source vlan XYZ <- VLAN where your secondary ASA
> >> > interface is (here you could use a physical interface as well)
> >> >
> >> > monitor session 1 destination remote vlan 150 <- goes across to SW1
> >> >
> >> > Make sure you have VLAN 150
> >> > remote-span
> >> >
> >> > on each switch.
> >> >
> >> > HTH
> >> > A.
> >> >
> >> > On 29 June 2012 09:46, <leigh_at_leighfinch.net> wrote:
> >> >
> >> >> Hi Marc,
> >> >> You are right. I just labbed this up and it does not work... Unless
> >> >> someone has a better idea all I can think of is running 1 destination port
> >> >> for local span, and 1 destination port for the rspan.
> >> >>
> >> >> I would like to know if there is a better solution.
> >> >>
> >> >> leigh
> >> >>
> >> >> > That won't work. To quote your previous quote:
> >> >> >
> >> >> > "an RSPAN source session cannot have a local
> >> >> > destination port, an RSPAN destination session cannot have a local
> >> >> > source port"
> >> >> >
> >> >> > On Thu, Jun 28, 2012 at 5:10 PM, Leigh Finch <leigh_at_leighfinch.net> wrote:
> >> >> >
> >> >> >> Sorry, just woke up.
> >> >> >>
> >> >> >> Even better set switch 1 to dump to rspan as well.
> >> >> >>
> >> >> >> SW1:
> >> >> >>
> >> >> >> monitor session 1 source interface Fa0/19
> >> >> >> monitor session 1 destination remote vlan 150
> >> >> >> monitor session 2 source remote vlan 150
> >> >> >> monitor session 2 dest int fa0/10
> >> >> >>
> >> >> >> SW2:
> >> >> >>
> >> >> >> monitor session 1 source interface Fa0/19
> >> >> >> monitor session 1 destination remote vlan 150
> >> >> >>
> >> >> >>
> >> >> >> Should do the trick.
> >> >> >>
> >> >> >> leigh
> >> >> >>
> >> >> >>
> >> >> >> On 29/06/12 7:35 AM, Leigh Finch wrote:
> >> >> >>
> >> >> >>> Hi Johnny,
> >> >> >>> From the DOC CD:
> >> >> >>>
> >> >> >>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swspan.html#wp1210541
> >> >> >>>
> >> >> >>> "The switch does not support a combination of local SPAN and RSPAN
> >> >> >>> in a single session. That is, an RSPAN source session cannot have a
> >> >> >>> local destination port, an RSPAN destination session cannot have a
> >> >> >>> local source port, and an RSPAN destination session and an RSPAN
> >> >> >>> source session that are using the same RSPAN VLAN cannot run on the
> >> >> >>> same switch."
> >> >> >>>
> >> >> >>> On destination ports,
> >> >> >>>
> >> >> >>> "It can participate in only one SPAN session at a time (a destination
> >> >> >>> port in one SPAN session cannot be a destination port for a second
> >> >> >>> SPAN session)."
> >> >> >>>
> >> >> >>> I would be looking at running another port up from your switch to
> >> >> >>> your capture server for the rspan.
> >> >> >>>
> >> >> >>> leigh
> >> >> >>>
> >> >> >>> On 29/06/12 2:19 AM, Johnny Morris wrote:
> >> >> >>>
> >> >> >>>> Hi All,
> >> >> >>>>
> >> >> >>>> 1 - Monitoring Server
> >> >> >>>> 2 - Cisco 3560 switches
> >> >> >>>> 2 - ASA's in active/standby mode
> >> >> >>>>
> >> >> >>>>
> >> >> >>>> I have one monitoring server configured to capture SPAN traffic,
> >> >> >>>> connected to the primary switch fa0/19. The monitoring destination
> >> >> >>>> port is fa0/10 on the primary switch. The primary switch is
> >> >> >>>> etherchanneled to the secondary switch via g0/1-2. The inside
> >> >> >>>> interface of the Active ASA is connected to fa0/19 on the primary
> >> >> >>>> switch and the Standby to the secondary switch fa0/19.
> >> >> >>>>
> >> >> >>>> Currently SPAN is working on the primary device, however in a
> >> >> >>>> failover environment I have noticed that RSPAN is not configured to
> >> >> >>>> capture the fa0/19 on the secondary switch. When I labbed this up and
> >> >> >>>> configured an RSPAN vlan on both switches and added the RSPAN vlan to
> >> >> >>>> the MST instance I then configured the following:
> >> >> >>>>
> >> >> >>>> SW1:
> >> >> >>>>
> >> >> >>>> Existing SPAN configs:
> >> >> >>>>
> >> >> >>>> !
> >> >> >>>> monitor session 1 source interface Fa0/19
> >> >> >>>> monitor session 1 destination interface Fa0/10
> >> >> >>>> !
> >> >> >>>>
> >> >> >>>> SW2:
> >> >> >>>>
> >> >> >>>> !
> >> >> >>>>
> >> >> >>>> monitor session 1 source interface Fa0/19
> >> >> >>>>
> >> >> >>>> monitor session 1 destination remote vlan 150
> >> >> >>>> !
> >> >> >>>>
> >> >> >>>> Attempt 1:
> >> >> >>>>
> >> >> >>>> Tried to add the following RSPAN source on SW1:
> >> >> >>>>
> >> >> >>>> monitor session 1 source remote vlan 150
> >> >> >>>>
> >> >> >>>> Received error:
> >> >> >>>>
> >> >> >>>> (config)#monitor session 1 source remote vlan 150
> >> >> >>>> % Cannot add RSPAN VLAN as source for SPAN session 1 as it is not a
> >> >> >>>> RSPAN Destination session
> >> >> >>>>
> >> >> >>>> Attempt 2:
> >> >> >>>>
> >> >> >>>> tried to add a second monitor session and it also failed:
> >> >> >>>>
> >> >> >>>> Great_Bend-SW1(config)#monitor session 2 source remote vlan 150
> >> >> >>>> Great_Bend-SW1(config)#monitor session 2 dest int fa0/10
> >> >> >>>> % Interface(s) Fa0/10 already configured as monitor destinations in
> >> >> >>>> other monitor sessions
> >> >> >>>>
> >> >> >>>>
> >> >> >>>>
> >> >> >>>> Is there a way anyone can think of to monitor a local source
> >> >> >>>> interface and a remote vlan using the same destination? Is there an
> >> >> >>>> issue as to why it cannot be done, or is this something Cisco should
> >> >> >>>> update/allow in an IOS code? I don't have an additional NIC on the
> >> >> >>>> monitoring server to monitor with, otherwise it would work.
> >> >> >>>>
> >> >> >>>>
> >> >> >>>> Much appreciated !
> >> >> >>>>
> >> >> >>>>
> >> >> >>>> Blogs and organic groups at http://www.ccie.net
> >> >> >>>>
> >> >> >>>> _______________________________________________________________________
> >> >> >>>> Subscription information may be found at:
> >> >> >>>> http://www.groupstudy.com/list/CCIELab.html
> >> >> >>>>
> >> >> >
> >> >> >
> >> >> > --
> >> >> > Marc Abel
> >> >> > CCIE #35470
> >> >> > (Routing and Switching)
> >> >> >
> >> >> >
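As an added example that is not part of the thread, here is a small Python check that encodes the two rules the thread ran into, no mixing of local SPAN and RSPAN inside one session and a destination port belonging to only one session, and runs it over Johnny's rejected SW1 attempts and Leigh's working SW1 config. Both configs are re-typed from the thread as constructed samples; the "same RSPAN VLAN on one switch" restriction quoted from the documentation is deliberately not encoded, since the thread reports that config working in the lab.

```python
import re
from collections import defaultdict

# Constructed sample: SW1's existing SPAN session plus the two additions IOS rejected.
SW1_ATTEMPTS = """\
monitor session 1 source interface Fa0/19
monitor session 1 destination interface Fa0/10
monitor session 1 source remote vlan 150
monitor session 2 source remote vlan 150
monitor session 2 destination interface Fa0/10
"""

# Constructed sample: the SW1 config Leigh later reported as working.
SW1_WORKING = """\
monitor session 1 destination interface Gi1/0/48
monitor session 1 source remote vlan 999
monitor session 2 source interface Gi1/0/1
monitor session 2 destination remote vlan 999
"""

LINE_RE = re.compile(r"monitor session (\d+) (source|dest\w*) (remote vlan|interface|int|vlan) (\S+)")

def parse_monitor_sessions(config):
    """Group 'monitor session' lines by id; each entry is ('local'|'remote', value)."""
    sessions = defaultdict(lambda: {"source": [], "destination": []})
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sid, role, kind, value = m.groups()
            scope = "remote" if kind == "remote vlan" else "local"
            sessions[sid]["source" if role == "source" else "destination"].append((scope, value))
    return dict(sessions)

def lint(config):
    """Return (session_or_port, message) pairs for the two constraints the thread hit."""
    problems, dest_users = [], defaultdict(set)
    for sid, s in parse_monitor_sessions(config).items():
        has = lambda role, scope: any(k == scope for k, _ in s[role])
        # Local SPAN and RSPAN cannot be mixed inside one session (Attempt 1).
        for role in ("source", "destination"):
            if has(role, "remote") and has(role, "local"):
                problems.append((sid, "local port and RSPAN VLAN mixed as %s" % role))
        for port in (v for k, v in s["destination"] if k == "local"):
            dest_users[port].add(sid)
    # A destination port can belong to only one SPAN session at a time (Attempt 2).
    for port, sids in dest_users.items():
        if len(sids) > 1:
            problems.append((port, "destination port used in %d sessions" % len(sids)))
    return problems
```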
Received on Fri Jun 29 2012 - 16:03:38 ART
This archive was generated by hypermail 2.2.0 : Sun Jul 01 2012 - 10:39:53 ART