Remote span question!

gangaskan

Member
Joined
Dec 18, 2003
Location
Lorain, ohio
hi guys, i hope someone can shed some light on this i'm still a little confused.


i need to setup a remote span (and the associated vlan) for our network.

we're pulling traffic to machine x on switch x that is pulling voice data down to record phone conversations. (this is a police recorder that needs to be recording for 911 among dispatchers calls and other police department phones)

local span only creates a monitor pool for that one switch, am i correct? i need to pool up to 3-4 switches, however, i don't know how to go about this.


we have a machine up in our server room that listens on our core switch and throws the data down to a recorder in a secure location. we had made some upgrades that eliminate, or that's the hope, that machine that sits here.

do i just need to setup a remote span via the 2 switches? i'm a little confused on the whole topic, and any cisco doc i find is very well... confusing to me on this topic. (4507 going to 3560 switches)

i will be monitoring a whole vlan that is going to carry the voice network. do you think i can get away with remote spanning the 4507 and ingress traffic to that port for the server? or will i need to hit all switches that have phones to record?


any insight would help :) if i need to clarify some i will try to draw a diagram or something.
 
diagram will be good. when i have setup voice recording (we support hedge fund investors so they need to record calls so people don't go back on agreements lol)

anyway, when i have done it, the voice people just say to us, "set this port up to span to this port"
the phones are avaya, but if they are anything like cisco, then the phones only contact the call manager device to get the destination. once the connection is made, the traffic goes to the destination directly so i'm not sure how the voice recording works!

i will email our voice people and get some info if i can :)

post a diagram!
 
here it is!

Code:
packet shaper switch
       |
Core 4507 (this switch has our Call manager attached) 
          |              |              |           
      switch a    Switch b        Switch c  
         |              |              | 
      phone         Phones          Phones
      Recorder
       Phones

there are more switches, but i'm concerned with what currently has phones that need recording (only 3 or 4 switches at the most)

like i said, we're only interested in our voice vlan, that is all (in our case, 10)


i tried setting up a remote span, and failed. i have no idea if i'm doing any of it right. i did create the vlan for it and made it active along with the remote-span portion

i got it setup the best i could, however, this in turn knocked some of our equipment off from communicating ha! i just reverted back to our old configs for the time being so that they can be worked on. keep in mind, the recorder is on a different switch than our call manager.

edit: here are my commands

Code:
recorder switch:
vlan 60
session active
remote-span
monitor session 2 destination interface Gi0/44 ingress untagged vlan 60
monitor session 2 source remote vlan 60

Core switch:
vlan 60 
remote-span
session active
monitor session 2 source vlan 10 rx
monitor session 2 destination remote vlan 60



it also said on this IOS run down somewhere i read that the trunks need to have switchport nonegotiate. i tried this and i have no clue if i need it or not.

more edit:

i looked at http://pandaeatsbamboo.blogspot.com/2008/03/configuring-remote-span.html

if i understand it right i need to do this
Code:
recorder switch: 
SW1(config)# vlan 60
SW1(config-vlan)# remote-span
SW1(config)# monitor session 1 source remote vlan 60
SW1(config)# monitor session 1 destination interface gi0/44

core switch:  (with call mgr) 
SW2(config)# monitor session 1 source vlan 10
SW2(config)# monitor session 1 destination remote vlan 60

what do you think?
 
what do these trunks talk to? switchport nonegotiate removes negotiation dynamic trunk protocol frames for a trunk, therefore, if the other end is set to nonegotiate but is set to switchport mode trunk dynamic auto, then the trunk will not form.
to make sure everything is predictable, both ends should have:
Code:
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan x x x x

this will turn on trunking unconditionally, and won't send out dtp frames. also, it only allows the vlans over the link that you need, to prevent unnecessary bandwidth usage due to broadcasting


the above config looks like its spanning vlan 10 onto vlan 60,

i think you need to put this code in

Code:
monitor session 1 source vlan 10 both
monitor session 1 destination interface Gi0/44

i mean, our config for our recording is this:

Code:
monitor session 1 source interface Gi0/30 , Gi0/32
monitor session 1 destination interface Gi0/34

interface GigabitEthernet0/30
 description Voice Equipment
 switchport access vlan 50
 switchport mode access
 spanning-tree portfast

interface GigabitEthernet0/32
 description Voice Equipment PBX
 switchport access vlan 50
 switchport mode access
 spanning-tree portfast

interface GigabitEthernet0/34
 switchport access vlan 50
 switchport mode access
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast

Ex-3560g-2#sh monitor session 1
Session 1
---------
Type : Local Session
Source Ports :
Both : Gi0/30,Gi0/32
Destination Ports : Gi0/34
Encapsulation : Native
Ingress : Disabled

but if you want to see ALL vlan 10 traffic on a port, then the
monitor session 1 source vlan 10 both
tells the source is vlan 10, and traffic direction is rx and tx

i cant be certain though,
 
with our monitor we just need send traffic (aka rx) that may be my issue, we're getting fragments of stuff in small <10 second pieces.

what i need to do PPE again is to throw vlan 10 traffic into vlan 60 then the server on the other switch needs to listen for packet information.
 
well, im not 100% sure how the traffic is spanned, and what the other vlan does with that traffic.

if it puts it onto the other vlan, does the switch ignore mac addresses and flood it everywhere on that vlan??
if not, then does it look at mac addresses to determine where it goes?

if you look at my setup (which my colleague did) the recorder is in the voice vlan, but he spanned two ports of one switch - there are 4 switches in total, and the voice tech said he was recording each. so i would be worried and surprised if it doesn't work, but the two ports that he spanned are also on the voice vlan - unless these are the IP turrets --

ah, may be this is just the IP turrets - that would make sense.

ok,
i'm not sure what to suggest, because i seriously don't think that you can span across switches, unless you maybe do something like

switch1:
Code:
monitor session 1 source vlan 10 rx
monitor session 1 destination int gi0/1

connect interface gi0/1 to (for example) int gi0/2 on switch 2
then;
switch 2:
Code:
monitor session 1 source vlan 10 rx
monitor session 1 source int gi0/2 rx
monitor session 1 destination int gi0/3

then connect int gi0/3 to gi0/4 of switch 3 and then,
switch 3:
Code:
monitor session 1 source vlan 10 rx
monitor session 1 source int gi0/3 rx
monitor session 1 destination int gi0/4

and then plug the recorder into port 4 of switch 3...

this is how i understand it, but i'm just guessing. but i gather that you're cumulating the traffic from each switch as the traffic passes through.

to be honest, i dont know.
but when you find out please tell me! :p
 
i asked my colleague and he came up with roundabout the same results i did above. he is a senior in this.

tell me how you get on
 
bumping this


everything seems to be somewhat ok, however, i think we're encountering DTMF problems


what happens is we want a call to have *68 pressed when a call needs to be saved

the DTMF reports **6688 from the skinny packets, the call manager is trunked on the core switch that bridges out to each switch.


do i not need to monitor on this switch, would remote-span on vlan 60 work sufficient? i think this is where we are encountering dupe skinny.


whats weird is none of the voice calls are being duplicated.
 
I believe your span config is still wrong. Last time you posted your config it appeared you spanned one vlan onto another. This is incorrect. I posted the correct way to do it earlier.
Post your configs and when I get home I will look again ;)
 
that's exactly what i need to do though PPE :p i need to span voice vlan to a remote vlan
 
but i don't think you can do that as it will flood everywhere. that's why you might be getting double of every packet!

what are you talking about everywhere? it only monitors vlan 10 and dumps that information on the switch to vlan 60 (remote-span)

its going through 3 switches, so i highly doubt its over flooding the vlan :)


i'll try making the "source" the switchport of the call manager, and see if that helps any, i just need RX nothing else
 
its been a while since i last thought about this in depth. any chance you can post up a network diagram? and try and include vlans and ports that connect to the different bits n pieces?

i just have this in my mind that you want to keep the physical ports unique for spanning until you get to the recording server, then span the ports through to that. i don't think you can rely on spanning the voice onto the data vlan and then have the server monitor just the data vlan this way. also, the whole purpose of a data vlan is to keep the two separate otherwise you might as well just have a flat network. :)
 
i'll get you a CNA diagram when i get a moment :) been slammed at work

same! someone has drilled through a load of cables (construction works for the olympic games) and half of london has been without internet and phones since sometime early this morning. its just our phones that are down for us.
 
fun! hah :) here is the diagram, hope it makes sense


diagram.jpg



if it needs re sized i'll do it
 
hi,
i had a chat with my ccnp mate at work and he explained what needs doing..
i'll list what cisco says you should do in their documentation, and may be you can take what i put and make it fit your network?

1)
create a unique RSPAN vlan (i will pick 99). create this on the switches that connect to the phones, and the switch that connects to the recording server, and all switches that interconnect in between.
it's advisable you prune this vlan from any trunks that do not need it otherwise you will get unnecessary traffic going down trunk ports.

2)
clear any existing monitor sessions
Code:
no monitor session (session num)

3)
specify the RSPAN session and the source port or ports (i've made the config to select ports fa0/10 - 12)
Code:
monitor session (session num) source interface fa0/10 , fa0/11 , fa0/12 both

4)
next you have to specify the session, destination vlan and pick an unused port called a reflector port that is physically not connected to anything. once you put this command in, whatever is connected to this port will not have network access.
Code:
monitor session 1 destination remote vlan 99 reflector-port fa0/51

The Destination:
5)
specify the rspan session and the source rspan vlan
Code:
monitor session 1 source remote vlan 99

6)
specify the session and the destination interface for the recorder. if the port connecting to the server is a trunk port then specify encapsulation here, but it's most probably not so i'll leave that out
Code:
 monitor session 1 destination interface gi0/44

apparently that should be it.
if you want to have a read up from the cisco website then here is a link:

hope you sort it. :D
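
Added example, not part of any post in this thread and not Cisco tooling: a small audit over pasted running-config text for the RSPAN pieces the steps above list, namely the VLAN marked remote-span on every switch, one mirroring-side and one recorder-side monitor session, and whether each trunk carries the RSPAN VLAN or is left unpruned so copies of the mirrored calls travel on it. The sample configs, hostnames and port names are constructed, and allowed-vlan lists are assumed to be numeric.

```python
import re

def blocks(cfg):
    """Group an IOS config into {top-level line: [indented sub-lines]}."""
    return {m[1].strip(): [l.strip() for l in m[2].splitlines()]
            for m in re.finditer(r"(?m)^(\S.*)\n?((?: .*\n?)*)", cfg)}

def carries(spec, vlan):
    """True if a numeric allowed-vlan list such as '10,60-62' includes vlan."""
    ranges = (p.partition("-") for p in spec.split(","))
    return any(int(lo) <= vlan <= int(hi or lo) for lo, _, hi in ranges)

def audit_rspan(configs, vlan):
    """Audit one RSPAN VLAN across {switch name: config text}; return findings."""
    findings, roles = [], set()
    for name, cfg in configs.items():
        b, carrying = blocks(cfg), 0
        if "remote-span" not in b.get(f"vlan {vlan}", []):
            findings.append(f"{name}: vlan {vlan} is not defined as remote-span")
        # 'destination remote vlan' = mirroring switch, 'source remote vlan' = recorder switch
        roles.update(re.findall(
            rf"(?m)^monitor session \d+ (source|destination) remote vlan {vlan}\s*$", cfg))
        for head, body in b.items():
            if head.startswith("interface ") and "switchport mode trunk" in body:
                spec = [l.split()[-1] for l in body if l.startswith("switchport trunk allowed vlan ")]
                if not spec:
                    findings.append(f"{name}: {head.split()[1]} trunk has no allowed-vlan list")
                carrying += (not spec) or carries(spec[0], vlan)
        if not carrying:
            findings.append(f"{name}: no trunk carries vlan {vlan}")
    findings += [f"no switch has 'monitor session N {r} remote vlan {vlan}'"
                 for r in ("destination", "source") if r not in roles]
    return findings

# Constructed sample configs; hostnames and port names are hypothetical.
CORE = """vlan 60
 remote-span
interface GigabitEthernet1/1
 switchport mode trunk
monitor session 1 source vlan 10 rx
monitor session 1 destination remote vlan 60"""
RECORDER = """vlan 60
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20-30
monitor session 1 source remote vlan 60
monitor session 1 destination interface Gi0/44"""
FINDINGS = audit_rspan({"core": CORE, "recorder-sw": RECORDER}, 60)
```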
 
lol, thats the exact guide i've been using :p


when i get to work today i'll try it out, taking a half day today, will not be in till the afternoon.


also, do i have to clear ALL sessions?, i have one session already started for 2 things this will get a little confusing btw :p and will be used until we get the span stuff situated

1. the recorder "gateway" basically a server that throws all the traffic it sniffs down to the "recorder"
2. the recorder - this was recently modified to have a NIC do the "gateway" portion of the server as well. we complained because the gateway would crash unknowingly and we would have no idea until someone needed to find a call.

session 1 spans the call manager port, records everything all is happy, however, thats the gateway we dont want.


session 2 is the span for the vlan going to the gateway

our 4507 can run 2 monitor sessions if i recall, every other switch can run one :)
 
if you can run more than one session then don't clear the old session before hand :)
 
the reflector-port command is not available to me, any idea why? :p

is this command unavailable in 12.2? that's what the OS is on the core, i'm not going to upgrade this being its production :p we do have backup configs, however, i just don't feel comfortable doing that big of an update if there is a 12.3 or 12.4 update.


maybe if it was being put in, sure i would
 