RE: SV: Span and Rspan and IDS

From: Tim (ccie2be@nyc.rr.com)
Date: Sun Nov 20 2005 - 19:12:39 GMT-3


OK, no problem.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
James Ventre
Sent: Sunday, November 20, 2005 3:10 PM
To: Tim
Cc: 'Big guy'; 'Cisco certification'
Subject: Re: SV: Span and Rspan and IDS

> But, can you tell me anything about how the span destination port needs to
> (or should) be configured?

Sorry, I can't, with regard to trunking.

For just 1 vlan - use "switchport access vlan x". I've always considered
this to be a sub-optimal solution and have run separate access ports for
packet injection (like websense).

James

Tim wrote:

  James,
  
  You're absolutely right.
  
  A span port has to allow inbound traffic if the tcp reset function of IDS is
  to work (with one exception - if the XL card is used because it uses a
  separate port for tcp resets).
  
  But, can you tell me anything about how the span destination port needs to
  (or should) be configured?
  
  If it's configured as a trunk port, will it get traffic from all vlan's
  unless the allowed vlans are explicitly configured? Or, will it only get
  the traffic from the vlans specified as source vlans?
  
  Can the destination port be configured as an access port, assigned to a vlan
  and still work as expected?
  
  I think the switch port should be configured as a trunk port because I think
  the IDS monitoring port is a trunk port but I don't know if that can be
  changed.
  
  I've checked multiple sources - the Earl Carter book, the Syngress book, the
  Doc-CD, the GS archives, the Exam Cram 2 book, and Cisco's web site - all to
  no avail.
  
  I'm not even sure if the answer to these questions is consistent for the
  various switches - maybe it works one way for the 6500 and a different way
  for the 3500XL - I don't know but I hope to find out before I take the test.
  
  So, if you can offer some guidance, I'd really appreciate that.
  
  Tim

  -----Original Message-----
  From: James Ventre [mailto:messageboard@ventrefamily.com]
  Sent: Sunday, November 20, 2005 2:03 PM
  To: Big guy
  Cc: Tim; 'Cisco certification'
  Subject: Re: SV: Span and Rspan and IDS
  
  Keep in mind that SPAN ports *can* be configured to allow inbound
  packets - so the switchport configuration could matter.
  (not a best practice)

  James

  Big guy wrote:

    I can give you a very easy-to-understand answer to this. When you enter
    the monitor session 1 destination port f0/3, you will effectively shut this
    port down for all other traffic that is sent through that port. No other
    traffic will be allowed here... So whether the ports are dynamic or not
    really has no effect...
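
As an added illustration (not posted by anyone in the thread), this is how the SPAN session and its destination port look on a Catalyst 3560/3750-class switch running IOS 12.2, including the optional inbound direction that the IDS TCP reset feature needs; the interface names and VLAN numbers are made up, the sensor is assumed to send its resets untagged, and the 3500XL (`port monitor`) and Catalyst 6500 use different syntax.

```cisco
! Constructed example: mirror VLANs 10 and 20 to the IDS sensor's
! monitoring interface on Fa0/3. Ports and VLAN numbers are made up.
!
! The monitor session, not the port's trunk/access settings, decides which
! VLANs the destination port receives. Mirrored frames leave untagged unless
! 'encapsulation replicate' (or 'encapsulation dot1q') is added. Once the
! port is a SPAN destination it carries no ordinary switched traffic, so the
! 'switchport' lines below only document intent.
interface FastEthernet0/3
 description IDS sensor monitoring port (SPAN destination)
 switchport mode access
 no shutdown
!
! Sources: both directions of VLANs 10 and 20. On this platform one session
! takes either VLAN sources or port sources, not a mix of the two.
monitor session 1 source vlan 10 , 20 both
!
! Default destination: traffic is copied out, nothing is accepted inbound.
! The sensor sees everything but cannot inject TCP resets.
monitor session 1 destination interface FastEthernet0/3
!
! Variant discussed in the thread: allow the sensor to send packets back in.
! 'ingress vlan 10' accepts untagged frames from the sensor and switches them
! into VLAN 10; use 'ingress dot1q vlan 10' if the sensor tags its resets.
! This opens a path from the monitoring segment into the production VLAN, so
! enable it only while the reset feature is actually in use. It replaces the
! destination line above; it is commented out here so both forms are shown.
! monitor session 1 destination interface FastEthernet0/3 ingress vlan 10
!
! Verification: the Ingress field reads Disabled unless the keyword was given.
! show monitor session 1
```

Applying the ingress variant is the point at which the sensor's port configuration starts to matter, which is James's caveat above.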



This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:07 GMT-3