Hi community,

What I am trying to do.

I have a test environment with 4 vmnics used.

On Cisco I created an RSPAN VLAN 819 and trunked that RSPAN VLAN up to the Cisco embedded VM switches.

Due to my limited amount of connections I added my RSPAN vlan to an active interface that contains server vlans.

Current configuration : 141 bytes
interface GigabitEthernet0/1
description testVM

switchport trunk allowed vlan 508,524,819
switchport mode trunk
speed 1000

With vSphere client I created a VM portgroup "RSPAN VLAN 819" with promiscuous mode accepted and added the portgroup as a second interface to my existing test server.

I do not have a dedicated physical interface to put a monitoring session in place on Cisco that uses the RSPAN VLAN as source and uses a physical interface as destination; that would impact my other traffic on the physical interface.

Trying to capture the traffic in VLAN 819 with Wireshark, I do see the interface but no reasonable traffic.

Any help is much appreciated.

1 Reply

We're on basically the same path here. On the switch (3750s in my case), here are the steps I went through.

1) Define an RSPAN VLAN

2) Use monitor session to identify a source port for the mirror (in my case I wanted to look at everything on a separate VLAN)

3) Specify the RSPAN VLAN as the remote destination using monitor session

Then in VMware,

4) Create a port group using the same VLAN number as the RSPAN VLAN

5) Ensure the port group used a physical connection to a port in TRUNK mode (without a native VLAN qualifier) on the switch

6) Assign an interface to that port group in a VM running Windows and Wireshark

I was seeing all sorts of broadcast traffic from the VLAN rather than everything on the VLAN I wanted to monitor. Also saw three or four copies of just about every packet. Had to shut off Ethernet checksum validation as well. It definitely behaved oddly.

When I specified a single port as the source it worked a little better although I still saw all sorts of traffic I didn't expect to see, perhaps because it was a trunking port for a WAP.  I'm still hoping to get this working as desired - it would be great to analyze anything on the network in Wireshark without a physical machine.

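Switch-side steps 1 to 3 from the reply above, written out as Catalyst IOS configuration. This is an added example, not configuration posted by either participant: VLAN 819 and GigabitEthernet0/1 are the values from the question, while session number 1 and source VLAN 508 are assumptions.

```cisco
! Added example. Assumed: session 1, source VLAN 508.
! From the thread: RSPAN VLAN 819, trunk port Gi0/1, allowed VLANs.
!
! Step 1: define the RSPAN VLAN. It must exist as a remote-span VLAN
! on every switch that carries it.
vlan 819
 remote-span
!
! Step 2: pick the mirror source. "rx" mirrors received frames only;
! with "both", a frame switched inside the monitored VLAN is copied
! once on ingress and once on egress.
monitor session 1 source vlan 508 rx
!
! Step 3: send the mirrored frames into the RSPAN VLAN instead of a
! local destination port.
monitor session 1 destination remote vlan 819
!
! The trunk toward the ESXi vmnic has to carry VLAN 819 tagged so the
! port group with VLAN ID 819 receives it.
interface GigabitEthernet0/1
 description testVM
 switchport trunk allowed vlan 508,524,819
 switchport mode trunk
!
! Checks from privileged EXEC mode:
!   show vlan remote-span
!   show monitor session 1
!   show interfaces GigabitEthernet0/1 trunk
```

If `show monitor session 1` lists no source, nothing is being copied into VLAN 819 and the capture VM will only see whatever stray frames reach that VLAN.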