Enhanced Remote SPAN

Hey all,

Hope your CCIE studies are going well. I know mine are not. I recently moved and am just now setting up my study area, I hope to finish up this MPLS book and crank out the BGP+MPLS composite.

Anyways, in the interim, I have been asked to come up with some sort of remote switch port mirroring. I know all about ERSPAN but I'm not sure exactly which models support it. So far I can only seem to confirm that the 6500 and the new Nexus switches support it.

If that's the case I don't have either of those models, I need some sort of mirroring that works over L3 boundaries, any ideas?

-Burbankmarc

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

vinbuck

I wonder if you could hairpin the traffic to another port and use an L2 mpls xconnect to extend L2 across your L3 core to a port that is near enough to you to plug a device in that has wireshark or tcpdump. Dunno if this will work and it's probably gonna chew up a significant amount of bandwidth.

Do you have the option of deploying a linux box local to the site that you could plug up to the SPAN port? Then you have all kinds of options...

burbankmarc

I can put a linux box in there, and that is something that i've thought about. But this isn't for packet analysis it's for call recording. We have a telstrat idvr that records using a mirror port. So this stuff needs to be pretty enterprise stable.

vinbuck

burbankmarc wrote: »

I can put a linux box in there, and that is something that i've thought about. But this isn't for packet analysis it's for call recording. We have a telstrat idvr that records using a mirror port. So this stuff needs to be pretty enterprise stable.

How much traffic is going to the mirror port?

burbankmarc

probably not a lot, it's only for local calls at that facility, which I don't think they get too many. But what they do get needs to be 100% recorded.