From: Tim (ccie2be@nyc.rr.com)
Date: Sun Nov 20 2005 - 16:55:32 GMT-3
James,
You're absolutely right.
A span port has to allow inbound traffic if the tcp reset function of IDS is
to work (with one exception - if the XL card is used because it uses a
separate port for tcp resets).
But, can you tell me anything about how the span destination port needs to
(or should) be configured?
If it's configured as a trunk port, will it get traffic from all VLANs
unless the allowed VLANs are explicitly configured? Or, will it only get
the traffic from the VLANs specified as source VLANs?
Can the destination port be configured as an access port, assigned to a vlan
and still work as expected?
I think the switch port should be configured as a trunk port because I think
the IDS monitoring port is a trunk port but I don't know if that can be
changed.
I've checked multiple sources - the Earl Carter book, the Syngress book, the
Doc-CD, the GS archives, the Exam Cram 2 book, and Cisco's web site - all to
no avail.
I'm not even sure if the answer to these questions is consistent for the
various switches - maybe it works one way for the 6500 and a different way
for the 3500XL - I don't know but I hope to find out before I take the test.
So, if you can offer some guidance, I'd really appreciate that.
Tim
-----Original Message-----
From: James Ventre [mailto:messageboard@ventrefamily.com]
Sent: Sunday, November 20, 2005 2:03 PM
To: Big guy
Cc: Tim; 'Cisco certification'
Subject: Re: SV: Span and Rspan and IDS
Keep in mind that SPAN ports *can* be configured to allow inbound
packets - so the switchport configuration could matter.
(not a best practice)
James
Big guy wrote:
> I can give you a very easy-to-understand answer to this.. When you enter
> the monitor session 1 destination port f0/3, you will effectively shut this
> port down for all other traffic that is sent through that port. No other
> traffic will be allowed here... So whether the port is dynamic or not has
> really no effect...
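As an added illustration of the two points above (the SPAN destination port is taken over by the session, and inbound traffic from the sensor only works when it is explicitly enabled), here is a constructed configuration that is not from anyone in this thread. It assumes Catalyst 3560-style IOS SPAN syntax for the first part and CatOS `set span` syntax for the 6500 part; the interface names and VLAN numbers are made up, and keyword availability varies by platform and software version.

```cisco
! --- Catalyst IOS (assumed 3560-style syntax), hypothetical VLANs 10/20, port Fa0/3 ---
! Mirror both directions of VLANs 10 and 20 to the IDS sensing interface.
monitor session 1 source vlan 10 both
monitor session 1 source vlan 20 both
!
! Monitor-only destination: the sensor sees copies of the traffic but
! nothing it sends into Fa0/3 is forwarded, so IDS TCP resets cannot work.
! monitor session 1 destination interface FastEthernet0/3
!
! Destination with ingress enabled: untagged frames arriving from the sensor
! on Fa0/3 are switched into VLAN 10, which is what lets RST packets reach
! the endpoints. This is the "allow inbound" case James refers to.
monitor session 1 destination interface FastEthernet0/3 ingress vlan 10
!
! Once Fa0/3 is a SPAN destination, its switchport mode / access VLAN no
! longer governs what it receives; it only gets the session's source traffic.
! Verify what the session actually delivers, including the ingress setting:
! show monitor session 1
!
! --- Catalyst 6500 running CatOS (assumed syntax), hypothetical port 3/1 ---
! Same idea, where "inpkts enable" is the equivalent of the ingress keyword.
! set span 10,20 3/1 both inpkts enable
! show span
```

A practical check after committing either form is to confirm with `show monitor session` (or `show span`) that ingress is enabled only on the sensor's port, since that setting turns a passive tap into a port that can inject traffic into the monitored VLAN.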
This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:07 GMT-3