jg75996
May 22, 2017 (Aspirant)
Re-creating an RSPAN VLAN on an M4100-50G switch
Hello everyone,
I would like assistance in re-creating an RSPAN VLAN on an M4100-50G switch.
Background information:
We have a firewall that we are monitoring network traffic on. On a previous setup, the firewall was connected to a Cisco SG300-10 10Gigabit managed switch. The purpose of this switch was to port-mirror the traffic so that we could monitor the network. Initially, the mirrored port was plugged into one server only, a server running Ntop-NG. We then wanted to take the same traffic and have it monitored by two more servers; one being a raw packet capture server, OpenFPC, and the other an IDS/IPS server running software called Scirius by Stamus Networks. At first, we thought of using a 100Mbit hub to duplicate the network traffic coming from the mirrored switchport on the Cisco unit, but we did not have any in our stash of old equipment.
I then stumbled upon an old article on the web, http://blog.ine.com/2008/02/05/turning-switch-into-hub/. It focused on Cisco gear and stated that it may be possible to use a network switch and make it act like a hub by using the RSPAN VLAN feature, if supported, and setting ports to use that same RSPAN VLAN as the native VLAN. We do not have any enterprise Cisco gear; however, we do have Netgear managed switches that are very comparable. I tried to set up four ports on a Netgear M4300-52G-PoE+ to mimic what was stated in the article and to my surprise, it worked! I created a VLAN 500, enabled it as an RSPAN VLAN, and set ports 0/45 - 0/48 to be tagged ports as well as set the PVID to be VLAN 500. The mirrored port from the Cisco switch was then plugged into port 0/47 on the Netgear switch and all three network monitor servers were plugged into the other switch ports. All servers could now see the same network traffic! Yay!
Now, trying to do some server room clean up, we have swapped the Cisco SG-300 switch to a CyberData 3-port USB Gigabit port mirroring switch (an active network tap) and moved the server connections to a Netgear M4100-50G network switch located in the same rack as the servers. I am trying to duplicate the RSPAN VLAN setup as was on the Netgear M4300 switch; same VLAN ID of 500, RSPAN enabled, and using the same ports 0/45 - 0/48, however, I am not able to get it to work. No network traffic seems to be duplicated as before.
Is there something different that I may have missed in setting up this other switch?
Any help would be greatly appreciated! Thank you!
- Retired_Member, Jun 07, 2017
Hi jg75996,
Could you disable STP mode for port 0/45~0/48 on M4100 and try again?
In the Web GUI, go to 'Switching'-->'Ports'-->'Configuration', then select ports 0/45~0/48 and set STP Mode to 'Disable'.
- Retired_Member
Hi jg75996,
Welcome to the community!
For the RSPAN feature, there are three switch roles: 'source switch', 'intermediate switch' and 'destination switch'. And there is a different configuration for each switch role.
So what is the role for M4100 and M4300?
Below is the example for RSPAN configuration:
RSPAN
Mirroring is very useful for monitoring traffic to/from a port by copying the traffic to the probe port for analysis. But mirroring is usually limited to working on one switch; RSPAN (Remote Switched Port Analyzer) extends it: with RSPAN enabled, the mirrored packets are carried over all of the participating switches.
The Figure above illustrates an example RSPAN. Switch 1 is the source switch; switch 2 and switch 3 are intermediate switches. Switch 4 is the destination switch.
The ports connected towards the destination switch (switch 4) must be configured with tagging (with the vlan id as RSPAN VLAN). These ports are configured with the RSPAN VLAN participation as well. Only one RSPAN VLAN is supported.
On the source switch (switch 1), the traffic received/transmitted on the source port (1/0/1) is tagged with the RSPAN VLAN and transmitted on the configured reflector port. The reflector port (1/0/2) is the physical interface that carries the mirrored traffic towards the destination switch (switch 4).
The intermediate switches (switch 2 and switch 3) forward the incoming tagged traffic towards the destination switch (switch 4). The RSPAN VLAN should be created on the intermediate switch; the ports connected towards the source and destination switches should have RSPAN VLAN participation. RSPAN VLAN egress tagging should be enabled on the interface of the intermediate switch that is connected towards the destination switch.
The destination switch (switch 4) accepts all the tagged (with RSPAN VLAN) packets and mirrors them on the destination port (to which the traffic analyzer is connected).
The original tag is retained at the destination switch; the mirrored traffic is seen with double tagging (inner tag is the original VLAN ID and the outer tag is the RSPAN VLAN ID).
CLI: enable RSPAN on the switch
1. On the source switch (switch1) the below parameters are configured:
- Source ports (i.e. the traffic on this port is mirrored)
- RSPAN VLAN (as destination)
- Reflector port
- Tx/Rx
(Netgear Switch) #vlan database
(Netgear Switch) (Vlan)#vlan 5
(Netgear Switch) (Vlan)#exit
(Netgear Switch) #config
(Netgear Switch) (Config)#vlan 5
(Netgear Switch) (Config)(Vlan 5)#remote-span
(Netgear Switch) (Config)(Vlan 5)#exit
(Netgear Switch) (Config)#monitor session 1 mode
(Netgear Switch) (Config)#monitor session 1 source interface 1/0/1
(Netgear Switch) (Config)#monitor session 1 destination remote vlan 5 reflector-port 1/0/2
(Netgear Switch) (Config)#exit
(Netgear Switch) #show monitor session 1
Session Admin   Probe  Src  Mirrored Ref.   Src   Dst   Type  IP      MAC
ID      Mode    Port   VLAN Port     Port   RVLAN RVLAN       ACL     ACL
------- ------- ------ ---- -------- ------ ----- ----- ----- ------- -------
1       Enable              1/0/1    1/0/2        5     Rx,Tx
2. On the intermediate switch (switch2 or switch3) the below parameters are configured:
- Add the ports to vlan with tagging
(Netgear Switch) #vlan database
(Netgear Switch) (Vlan)#vlan 5
(Netgear Switch) (Vlan)#exit
(Netgear Switch) #config
(Netgear Switch) (Config)#interface 1/0/23
(Netgear Switch) (Interface 1/0/23)#vlan participation include 5
(Netgear Switch) (Interface 1/0/23)#vlan tagging 5
(Netgear Switch) (Interface 1/0/23)#exit
(Netgear Switch) (Config)#interface 1/0/24
(Netgear Switch) (Interface 1/0/24)#vlan participation include 5
(Netgear Switch) (Interface 1/0/24)#vlan tagging 5
(Netgear Switch) (Interface 1/0/24)#exit
3. On the destination switch (switch4) the below parameters are configured:
- RSPAN VLAN (as source)
- Probe port
(Netgear Switch) #vlan database
(Netgear Switch) (Vlan)#vlan 5
(Netgear Switch) (Vlan)#exit
(Netgear Switch) #config
(Netgear Switch) (Config)#vlan 5
(Netgear Switch) (Config)(Vlan 5)#remote-span
(Netgear Switch) (Config)(Vlan 5)#exit
(Netgear Switch) (Config)#interface 1/0/3
(Netgear Switch) (Interface 1/0/3)#vlan participation include 5
(Netgear Switch) (Interface 1/0/3)#vlan tagging 5
(Netgear Switch) (Interface 1/0/3)#exit
(Netgear Switch) (Config)#monitor session 1 mode
(Netgear Switch) (Config)#monitor session 1 source remote vlan 5
(Netgear Switch) (Config)#monitor session 1 destination interface 1/0/4
(Netgear Switch) #show monitor session 1
Session Admin   Probe  Src  Mirrored Ref.   Src   Dst   Type  IP      MAC
ID      Mode    Port   VLAN Port     Port   RVLAN RVLAN       ACL     ACL
------- ------- ------ ---- -------- ------ ----- ----- ----- ------- -------
1       Enable  1/0/4                       5
Hope it helps!
Regards,
EricZ
NETGEAR employee
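The double tagging described in the post above matters on the sensor side: a capture or IDS host on the probe port sees the RSPAN VLAN as the outer tag and the original VLAN as the inner tag. The Python below is an added example, not part of the original thread or of NETGEAR's documentation; it walks a frame's VLAN tag stack and strips the outer RSPAN tag. RSPAN VLAN 5 comes from the CLI example; the MAC addresses, inner VLAN 10, payload and the set of accepted TPIDs are constructed assumptions.

```python
import struct

# Assumption: tags use the 802.1Q (0x8100) or 802.1ad (0x88A8) TPID.
TPIDS = {0x8100, 0x88A8}

def vlan_stack(frame: bytes):
    """Return (VLAN IDs outer->inner, EtherType, payload offset)."""
    offset, vlans = 12, []          # skip destination + source MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated Ethernet header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TPIDS:
            return vlans, ethertype, offset + 2
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4

def strip_rspan_tag(frame: bytes, rspan_vlan: int) -> bytes:
    """Drop the outer tag only when it carries the RSPAN VLAN ID."""
    vlans, _, _ = vlan_stack(frame)
    if vlans and vlans[0] == rspan_vlan:
        return frame[:12] + frame[16:]
    return frame

def build_frame(vlans, ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Build a constructed sample frame with the given tag stack."""
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    tags = b"".join(struct.pack("!HH", 0x8100, v) for v in vlans)
    return macs + tags + struct.pack("!H", ethertype) + payload

RSPAN_VLAN = 5                       # RSPAN VLAN from the CLI example
ORIGINAL_VLAN = 10                   # constructed inner VLAN

if __name__ == "__main__":
    mirrored = build_frame([RSPAN_VLAN, ORIGINAL_VLAN])
    print("as seen on probe port:", vlan_stack(mirrored))
    restored = strip_rspan_tag(mirrored, RSPAN_VLAN)
    print("after stripping RSPAN tag:", vlan_stack(restored))
```

Running the same check against frames captured on the probe port shows whether mirrored traffic is arriving at all and whether the sensor has to account for the extra tag.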
- jg75996 (Aspirant)
Hello EricZ,
Thank you for the information on how RSPAN is utilized in a three switch role.
The switch models that I have mentioned have the following roles:
For the M4300-52G-PoE+, there are 7 switches configured in a stack and they are housed in a standalone rack. They act as our core switch, with connections going to workstations, VoIP phones, NAS boxes, routers and other network appliances.
The M4100-50G is our "server" switch and is located in a server rack that is on the other side of the network room. This switch is uplinked to the M4300 switchstack via a trunk line.
- Retired_Member
Hi jg75996,
Thanks for your immediate response. Now we are clear on the working roles of your two switches.
Could you kindly answer a few more questions, as below:
1. In your network topology, which switch is working as the source switch for RSPAN? Which port's traffic do you want to mirror?
2. In your network topology, which switch is working as the destination switch for RSPAN? On which port do you want to receive the mirrored traffic?
Once these two points are clear, we can check the configuration further.
Thanks.
Regards,
EricZ
NETGEAR employee