RE: RSPAN & IDS

From: Thunai Selvam (thunai) (thunai@cisco.com)
Date: Mon Aug 07 2006 - 01:42:21 ART


    Hi all,
     I am not able to get this working on IDS. I almost spent a day on
this... Any help?

r1------(Vlan114)-----Cat1---Trunk(dot1Q all vlans) ----Cat2----(vlan114 ) ---r4

r2----(vlan100)-----cat1------Trunk(dot1Q all vlans) ----Cat2----(vlan114 ) ---r4

Cat1 has two VLANs with two routers (R1 vlan114 and R2 vlan100)

Cat2 has one vlan with One router ( r4 on Vlan 114 )

Cat2 Config

cat1#show run | be monitor
monitor session 1 source vlan 114 rx
monitor session 2 destination remote vlan 500 reflector-port Fa0/13
end

Cat1 Config

Cat1#show run | be monitor
monitor session 1 source vlan 100 , 114 rx
monitor session 1 destination remote vlan 500 reflector-port Fa0/13
monitor session 2 destination interface Fa0/17
monitor session 2 source remote vlan 500
end

Cat1 inter fa 0/17 ( Sensing interface of Sensor connected )

I can see the traffic from R2 (Vlan 114 on Cat2) on the sensor.
However, I could not get any traffic on Vlan 114 and Vlan 100 seen on the
IDS sensor. Is there anything I am missing?

I have tried the following stuff:

1. I have swapped the session IDs of the Cat1 config

2. Tried restarting the sensor

3. Tried restarting the cat1 and Cat2

NO LUCK...

Can someone look into the config and suggest anything missing, or
what is the right way of doing it?

Regds
Thunai

________________________________

From: Yakov Shtoots [mailto:yakovz@gmail.com]
Sent: Saturday, August 05, 2006 11:11 PM
To: Thunai Selvam (thunai)
Subject: Re: RSPAN & IDS

On Cat 1,
change session 1 to be sourced with remote vlan 500, and the destination
should be the port connected to the sensing port on the IDS,
and change session 2 to be sourced with vlan 114, and the destination is
remote vlan 500.

On 8/5/06, Thunai Selvam (thunai) <thunai@cisco.com> wrote:

        Hi all
          I have following scenario

        R4- (vlan 114)----(cat1)---Trunk-(dot1q all vlans)---(cat2)-----(vlan114)-----R1
        &
        R2 --- (vlan 100)---(cat1)--Trunk (dot1q all vlan)---(cat2)----(vlan 114)---R1

        (Both r4 and r2 are connected to Cat1 with vlan 114 and Vlan100
        respectively )

        Sensor sensing interface on Cat1 Fa 0/18

        Cat1
        config t
        vlan 500
        remote-span

        monitor sess 1 source vlan 114 , 100 rx
        monitor sess 1 dest remote vlan 500 reflector fa 0/13
        monitor ses 2 source remote vlan 500
        monitor ses 2 dest inter fa 0/18

        Cat 2

        monitor ses 1 source vlan 114 rx
        monitor ses 1 dest remo vlan 500 reflect fa 0/13

        I am able to see the traffic from r1 (vlan114), however I am not able
        to see the traffic to R4 and R2 routers on the IEV. Is there anything
        wrong in this config?

        Let me know your inputs.

        Regds
        Thunai

--
Yakov Shtoots,
CCNP, CCSP/INFOSEC.

Mobile: + 972-54-2110107

E-mail: yakovz@yakovz.net
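
Added example, not part of the original thread: a small Python check that groups `monitor session` lines from `show run` output by session number and labels each session as an RSPAN source, RSPAN destination, local SPAN, or incomplete (a source or destination with no counterpart under the same session number). The two sample configs are constructed from the shape of the lines quoted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed samples, shaped like the "show run | be monitor" output in the thread.
CAT2 = """\
monitor session 1 source vlan 114 rx
monitor session 2 destination remote vlan 500 reflector-port Fa0/13
"""
CAT1 = """\
monitor session 1 source vlan 100 , 114 rx
monitor session 1 destination remote vlan 500 reflector-port Fa0/13
monitor session 2 destination interface Fa0/17
monitor session 2 source remote vlan 500
"""

LINE = re.compile(r"^\s*monitor\s+session\s+(\d+)\s+(source|destination)\s+(.*)$", re.I)

def parse_sessions(config):
    """Group the source and destination arguments by session number."""
    sessions = defaultdict(lambda: {"source": [], "destination": []})
    for line in config.splitlines():
        m = LINE.match(line)
        if m:
            sessions[int(m.group(1))][m.group(2).lower()].append(m.group(3).strip())
    return dict(sessions)

def classify(session):
    """Label one session by which side, if any, refers to the RSPAN VLAN."""
    if not session["source"] or not session["destination"]:
        return "incomplete"  # only one half configured under this number
    src_remote = any(s.lower().startswith("remote vlan") for s in session["source"])
    dst_remote = any(d.lower().startswith("remote vlan") for d in session["destination"])
    if src_remote and dst_remote:
        return "unexpected"  # RSPAN VLAN on both sides of one session
    if dst_remote:
        return "rspan-source"  # local traffic copied into the RSPAN VLAN
    if src_remote:
        return "rspan-destination"  # RSPAN VLAN copied out to a port
    return "local-span"

def lint(config):
    """Return {session_number: label} for every monitor session found."""
    return {n: classify(s) for n, s in sorted(parse_sessions(config).items())}

if __name__ == "__main__":
    for name, cfg in (("Cat1", CAT1), ("Cat2", CAT2)):
        print(name, lint(cfg))
```

The parser matches the full keywords that `show run` prints, not the abbreviated forms typed at the prompt (`sess`, `dest`).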



This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:56 ART