Thursday, March 26, 2009

How to Configure RSPAN on Catalyst 6500 IOS Switches

In our example we have two Catalyst switches (SWa and SWb). A packet sniffer is connected to SWa interface F5/15, and we want to monitor all the traffic going in and out of interface F3/1 of SWb.

Steps

1. Both switches must be trunked together.

2. Create an RSPAN VLAN, preferably on the switch with VTP in server mode. Pick a VLAN ID that is not currently in use, e.g. 999. If you do not have VTP, just create the VLAN on both switches.

Router(config)# vlan 999
Router(config-vlan)# remote-span


3. Create an RSPAN source session on SWb. This is the traffic you want to capture. The session number can be any integer that's not being used for other sessions. All traffic (tx and rx by default) from F3/1 now gets copied onto VLAN 999.

Router(config)# monitor session 2 source interface f3/1
Router(config)# monitor session 2 destination remote vlan 999


4. Create the RSPAN destination session on SWa. This session need not have the same session ID as the one on SWb.

Router(config)# monitor session 8 source remote vlan 999
Router(config)# monitor session 8 destination interface f5/15


5. And that's it! You can obviously expand this to monitor source VLANs, multiple interfaces, etc. The source session described in step 3 works even if it is configured on the same switch as the destination session, but then it's technically not RSPAN!

6. Here's a network management tip. Have your packet sniffer connected permanently to an interface on the switch and set up that interface as the destination session. Then, whenever the need arises to monitor packets on any interface, VLAN, etc., all you've got to do is configure the source session. This way you will save loads of time otherwise spent trying to figure out which interface your sniffer was plugged into! And always remember to label the interfaces with the description command.
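
An added example (not from the original post): a Python check that the two halves of the RSPAN setup from steps 2-4 agree, i.e. the VLAN is marked remote-span on both switches and the source session's remote VLAN is the one the destination session reads. It assumes each switch's configuration is available as text with the VLAN definition included; the function names and the sample configs are constructed for illustration.

```python
import re
# Constructed sample configs mirroring steps 2-4 (SWB = source switch, SWA = destination).
SWB = """vlan 999
 remote-span
monitor session 2 source interface Fa3/1
monitor session 2 destination remote vlan 999
"""
SWA = """vlan 999
 remote-span
monitor session 8 source remote vlan 999
monitor session 8 destination interface Fa5/15
"""

def parse(config):
    """Return (remote-span VLAN IDs, {session id: {"source": [...], "destination": [...]}})."""
    rspan_vlans, sessions, current_vlan = set(), {}, None
    for line in config.splitlines():
        text, top_level = line.strip(), not line.startswith(" ")
        vlan = re.fullmatch(r"vlan (\d+)", text)
        if top_level:  # any top-level line leaves the previous vlan sub-mode
            current_vlan = int(vlan.group(1)) if vlan else None
        elif text == "remote-span" and current_vlan is not None:
            rspan_vlans.add(current_vlan)
        mon = re.fullmatch(r"monitor session (\d+) (source|destination) (.+)", text)
        if mon:
            sides = sessions.setdefault(int(mon.group(1)), {"source": [], "destination": []})
            sides[mon.group(2)].append(mon.group(3))
    return rspan_vlans, sessions

def remote_vlans(sessions, side):  # VLAN IDs used as "remote vlan N" on that side
    hits = (re.fullmatch(r"remote vlan (\d+)", v) for s in sessions.values() for v in s[side])
    return {int(m.group(1)) for m in hits if m}

def check_rspan(source_cfg, dest_cfg):
    """Return a list of pairing problems; an empty list means both sides agree."""
    (src_vlans, src_sess), (dst_vlans, dst_sess) = parse(source_cfg), parse(dest_cfg)
    sent, read = remote_vlans(src_sess, "destination"), remote_vlans(dst_sess, "source")
    problems = [] if sent else ["source switch has no RSPAN source session"]
    for vlan in sorted(sent | read):
        for ok, issue in ((vlan in src_vlans, "not remote-span on the source switch"),
                          (vlan in dst_vlans, "not remote-span on the destination switch"),
                          (vlan in sent, "not fed by any source session"),
                          (vlan in read, "not read by any destination session")):
            if not ok:
                problems.append(f"VLAN {vlan}: {issue}")
    return problems

if __name__ == "__main__":
    print(check_rspan(SWB, SWA) or "RSPAN pairing is consistent")
```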
