RE: Span and Rspan and IDS

From: Dennis J. Hartmann (dennisjhartmann@hotmail.com)
Date: Mon Nov 21 2005 - 18:51:33 GMT-3


         I believe what you're saying is that capture ports are promiscuous
and they capture everything regardless. If that's the case, why is there
an option to set the encapsulation on the destination interface? And what
does the ingress option do?

CAT1(config)#monitor session 1 destination interface fast 0/23 ?
  encapsulation Set encapsulation for destination interface
  ingress Enable ingress traffic forwarding
  <cr>

        Does the sniffer only have the capability to inspect the layer 2
trunk headers if the destination interface is set with an encapsulation of
ISL or Dot1Q? I read the documentation, but I fear it's in a language I
don't currently comprehend.

This example shows how to configure the destination port for ingress traffic
on VLAN 5 by using a security device that supports 802.1Q encapsulation:

Switch(config)# monitor session 1 destination interface fastethernet0/5 encapsulation dot1q ingress vlan 5

This example shows how to disable ingress traffic forwarding on the
destination port:

Switch(config)# monitor session 1 destination interface fastethernet0/5 encapsulation dot1q

CAT1(config)#monitor session 1 destination interface fast 0/23 ingress ?
  vlan Set default VLAN for untagged ingress traffic

CAT1(config)#monitor session 1 destination interface fast 0/23 ingress vlan ?
  <1-4094> Default VLAN for untagged ingress traffic

CAT1(config)#$sion 1 destination interface fast 0/23 ingress vlan 3 ?
  <cr>

CAT1(config)#$sion 1 destination interface fast 0/23 ingress vlan 3

Sincerely,
Dennis Hartmann
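The two destination-port keywords asked about above do different things: "encapsulation dot1q" (or isl) makes the switch deliver the mirrored frames to the sensor with their trunk tags intact, so the sniffer can tell which VLAN each frame came from, while "ingress" lets the device plugged into the SPAN destination send frames back into the switch (with "ingress vlan N" setting the VLAN for any untagged frames it sends). The script below is an added example, not part of this thread or Cisco's own tooling: it parses "monitor session" lines from a constructed running-config excerpt and flags sessions whose destination delivers untagged frames or has ingress enabled on a port that is supposed to carry a purely passive sensor. The config sample, the interface names and the passive-sensor list are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed running-config excerpt (assumption, not taken from the post):
#  session 1 mirrors VLAN 20 to a sensor on Fa0/23, tagged, ingress off
#  session 2 mirrors two ports to Fa0/5, tagged, ingress on (default VLAN 3)
#  session 3 mirrors one port to Fa0/11 with no encapsulation keyword
SAMPLE_CONFIG = """\
!
monitor session 1 source vlan 20
monitor session 1 destination interface Fa0/23 encapsulation dot1q
monitor session 2 source interface Fa0/7 - 8
monitor session 2 destination interface Fa0/5 encapsulation dot1q ingress vlan 3
monitor session 3 source interface Fa0/10
monitor session 3 destination interface Fa0/11
!
"""


@dataclass
class SpanSession:
    number: int
    sources: List[str] = field(default_factory=list)
    destination: Optional[str] = None
    encapsulation: Optional[str] = None   # None = frames delivered untagged
    ingress: bool = False                 # sensor may send frames into the switch
    ingress_vlan: Optional[int] = None    # VLAN for untagged frames from the sensor


SRC_RE = re.compile(r"^monitor session (\d+) source (.+)$")
# Only the dot1q and isl encapsulations named in the thread are recognised.
DST_RE = re.compile(
    r"^monitor session (\d+) destination interface (\S+)"
    r"(?: encapsulation (dot1q|isl))?"
    r"(?: ingress(?: vlan (\d+))?)?$"
)


def parse_span_sessions(config_text: str) -> Dict[int, SpanSession]:
    """Collect SPAN sessions from 'monitor session' lines of a running-config."""
    sessions: Dict[int, SpanSession] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SRC_RE.match(line)
        if m:
            num = int(m.group(1))
            sessions.setdefault(num, SpanSession(num)).sources.append(m.group(2))
            continue
        m = DST_RE.match(line)
        if m:
            num = int(m.group(1))
            s = sessions.setdefault(num, SpanSession(num))
            s.destination = m.group(2)
            s.encapsulation = m.group(3)
            s.ingress = m.group(0).endswith("ingress") or " ingress vlan " in line
            s.ingress_vlan = int(m.group(4)) if m.group(4) else None
    return sessions


def audit_span(sessions: Dict[int, SpanSession],
               passive_sensors: Set[str]) -> List[Tuple[int, str]]:
    """Return (session number, finding) pairs for a passive-IDS deployment.

    passive_sensors names the destination interfaces that carry a sniffer which
    never needs to transmit; ingress forwarding on such a port is an
    unnecessary path from the sensor host into the production network.
    """
    findings: List[Tuple[int, str]] = []
    for num in sorted(sessions):
        s = sessions[num]
        if s.destination is None:
            findings.append((num, "no destination interface configured"))
            continue
        if not s.sources:
            findings.append((num, "no source configured; nothing is mirrored"))
        if s.encapsulation is None:
            findings.append((num, f"{s.destination}: mirrored frames are delivered "
                                  "untagged, sensor cannot distinguish source VLANs"))
        if s.ingress and s.destination in passive_sensors:
            findings.append((num, f"{s.destination}: ingress enabled on a passive "
                                  f"sensor port (untagged ingress goes to VLAN "
                                  f"{s.ingress_vlan})"))
    return findings


if __name__ == "__main__":
    for num, text in audit_span(parse_span_sessions(SAMPLE_CONFIG),
                                {"Fa0/23", "Fa0/5", "Fa0/11"}):
        print(f"session {num}: {text}")
```

Run against the sample, session 1 produces no finding, session 2 is flagged for ingress on a passive sensor port, and session 3 is flagged because the sensor will see untagged frames. If the sensor is an inline-capable IPS that is meant to send TCP resets through the SPAN port, leave it out of the passive set and the ingress finding disappears.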

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Big guy
Sent: Sunday, November 20, 2005 1:59 PM
To: Tim; 'Cisco certification'; security@groupstudy.com
Subject: SV: Span and Rspan and IDS

I can give you a very easy-to-understand answer to this. When you enter
the monitor session 1 destination port f0/3, you will effectively shut this
port down for all other traffic that is sent through that port. No other
traffic will be allowed here. So whether the port is dynamic or not really has
no effect.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tim
Sent: 20 November 2005 18:50
To: 'Cisco certification'; security@groupstudy.com
Subject: Span and Rspan and IDS

Hi guys,

This is a new issue for me.

I'm learning how to configure different types of Cisco switches to capture
traffic to send to an Intrusion Detection System.

I know how to configure span and rspan (for the most part) but never thought
about this before.

After I've configured span or rspan and designated the destination port for
the mirrored traffic, do I need to configure the destination port in a
certain way?

For example, assume I have an IDS connected to port fa0/3 on a Cat switch -

and I haven't changed the default config of port fa0/3

and I have configured SPAN to monitor traffic on vlan 20 and send it to port
fa0/3

and assuming the span config is correct, I'm wondering the following:

(The issue I'm trying to get at is that on some Cat switches, ports are, by
default, in vlan 1 and configured to trunk.)

In this example, since the span dest port is a trunk by default, will
traffic from all vlans be sent out this port instead of just traffic from
vlan 20 as intended?

If someone had already configured port fa0/3 as an access mode port in vlan
3 but I didn't know that, will this span config still work, i.e. take traffic
from vlan 20 and mirror it to a port in vlan 3? Or, put another way, will the
span config take precedence over the port config?

Does the required configuration of the dest port depend on what type of
switch I'm using?

I'm finding this all very confusing. I know, for example, that it's OK to
mirror traffic from multiple vlan's and multiple ports that are in different
vlans to a destination port. So, it seems to me it shouldn't matter if the
destination is an access port or trunk port and it shouldn't matter what
vlan the destination port is in.

But, from what I'm reading, this isn't clear and it seems like the
destination port must be configured as trunk.

I'm hoping someone would like to comment on this.

TIA, Tim



This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:07 GMT-3