Control SPAN Destination Security Access

From: soon ccie (soonccie@yahoo.com)
Date: Thu Feb 20 2003 - 07:02:58 GMT-3


Dear all,

I have two questions re SPAN destination port security, that is, how to control
access to a SPAN destination port, i.e. allow only a device with MAC 1111.2222.3333
and IP 1.1.1.1 to be plugged into the destination port?

  Q1** Are VLAN maps applicable, considering the following on the destination
port?

        A destination port does not participate in spanning tree while the SPAN
        session is active. It does not participate in any of the Layer 2 protocols
        (STP, VTP, CDP, DTP, PAgP).

        If ingress traffic forwarding is enabled for a network security device, the
        destination port forwards traffic at Layer 2.

        No address learning occurs on the destination port.

  Q2** Are port security or 802.1X applicable, considering the following on the
destination port?

        A secure port cannot be a SPAN destination port.

        For SPAN sessions, do not enable port security on ports that are egress
        monitored when ingress forwarding is enabled on the destination port.

        802.1X: You can enable 802.1X on a port that is a SPAN destination or
        reflector port; however, 802.1X is disabled until the port is removed as a SPAN
        destination or reflector port. You can enable 802.1X on a SPAN source port.

        For SPAN sessions, do not enable 802.1X on ports that are egress monitored
        when ingress forwarding is enabled on the destination port.

Has anyone implemented a solution in this regard?

TIA



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:29 GMT-3