From: Big guy (jenseike@start.no)
Date: Sun Nov 20 2005 - 15:58:57 GMT-3
I can give you a very easy to understand answer to this.. When you enter the
monitor session 1 destination port f0/3, you will effectively shut this
port down for all other traffic that is sent through that port. No other
traffic will be allowed here... So whether the port is dynamic or not really has no
effect...
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of Tim
Sent: 20 November 2005 18:50
To: 'Cisco certification'; security@groupstudy.com
Subject: Span and Rspan and IDS
Hi guys,
This is a new issue for me.
I'm learning how to configure different types of Cisco switches to capture
traffic to send to an Intrusion Detection System.
I know how to configure span and rspan (for the most part) but never thought
about this before.
After I've configured span or rspan and designated the destination port for
the mirrored traffic, do I need to configure the destination port in a
certain way?
For example, assume I have an IDS connected to port fa0/3 on a Cat switch -
and I haven't changed the default config of port fa0/3
and I have configured span to monitor traffic on vlan 20 and send it to port
fa0/3,
and assuming the span config is correct, I'm wondering the following:
(The issue I'm trying to get at is that on some Cat switches, ports are, by
default, in vlan 1 and configured to trunk.)
In this example, since the span dest port is a trunk by default, will
traffic from all vlans be sent out this port instead of just traffic from
vlan 20 as intended?
If someone had already configured port fa0/3 as an access mode port in vlan
3 but I didn't know that, will this span config still work, i.e. take traffic
from vlan 20 and mirror it to a port in vlan 3? Or, put another way, will the
span config take precedence over the port config?
Does the required configuration of the dest port depend on what type of
switch I'm using?
I'm finding this all very confusing. I know, for example, that it's OK to
mirror traffic from multiple vlans and multiple ports that are in different
vlans to a destination port. So, it seems to me it shouldn't matter if the
destination is an access port or a trunk port, and it shouldn't matter what
vlan the destination port is in.
But, from what I'm reading, this isn't clear and it seems like the
destination port must be configured as trunk.
I'm hoping someone would like to comment on this.
TIA, Tim
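As an added worked example (editor's addition, not configuration posted by Tim or by the reply above): the local SPAN session Tim describes, plus the RSPAN variant for a sensor on another switch, on Catalyst IOS syntax. VLAN 20 and port fa0/3 are taken from the question; the RSPAN VLAN number 900, session number 2, the interface description and the "access port in VLAN 3" starting state are assumptions for illustration.

```cisco
! Added example (not from the thread): local SPAN of VLAN 20 to an IDS on Fa0/3.
! VLAN 20 and Fa0/3 come from the question; everything else is assumed.
!
! The destination port as found on the switch - deliberately left as it was.
! Whether it is an access port in VLAN 3 or a dynamic/trunk port does not
! change what SPAN copies to it; the session's "source" lines decide that.
interface FastEthernet0/3
 description IDS sensor (SPAN destination) - assumed label
 no shutdown
!
! Clear any stale definition before (re)using session 1.
no monitor session 1
!
! Local SPAN: copy both directions of every frame in VLAN 20 to Fa0/3.
monitor session 1 source vlan 20 both
monitor session 1 destination interface FastEthernet0/3
!
! RSPAN variant, for a sensor hanging off a different switch.
! Assumed: VLAN 900 is unused and is carried on every trunk between the switches.
! --- source switch ---
vlan 900
 remote-span
!
monitor session 2 source vlan 20 both
monitor session 2 destination remote vlan 900
!
! --- destination switch (the one with the IDS on Fa0/3) ---
vlan 900
 remote-span
!
monitor session 2 source remote vlan 900
monitor session 2 destination interface FastEthernet0/3
!
! Verification (exec mode):
!   show monitor session 1                      - Source VLANs should list 20,
!                                                  Destination Ports should list Fa0/3
!   show interfaces FastEthernet0/3 switchport  - the port's own mode/VLAN is unchanged;
!                                                  it did not need to become a trunk
!   show vlan remote-span                       - on every switch in the RSPAN path,
!                                                  VLAN 900 must appear here
```

Two practical points behind this layout. First, while a port is a SPAN destination it transmits only the mirrored copies and carries no normal traffic (the behaviour the reply above describes), so its prior access VLAN or trunk setting neither adds nor filters anything; when the session is removed the port goes back to that prior configuration, which is why the example leaves it alone. Second, if the sensor needs to see 802.1Q tags to tell VLANs apart on a multi-VLAN session, add `encapsulation replicate` to the destination line on platforms that support it (for example the 3560/3750 families); the plain form shown here delivers untagged copies.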
This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:07 GMT-3