Re: SPAN question

From: Ryan Vakili (ryan@camous.com)
Date: Tue Aug 15 2006 - 01:02:40 ART


If you don't use the ingress keyword, the port is just in listening mode and
TCP reset packets cannot be sent through that port (from the IDS).

Guys correct me if I am wrong

Cheers
Ryan
----- Original Message -----
From: "Stefan Grey" <examplebrain@hotmail.com>
To: <cisco018@gmail.com>; <calikali2006@gmail.com>
Cc: <secondie@gmail.com>; <ccielab@groupstudy.com>;
<security@groupstudy.com>
Sent: Tuesday, August 15, 2006 5:16 AM
Subject: Re: SPAN question

> Guys,
> could you please explain to me why this ingress keyword is needed? I read the
> explanation in the doc but can't imagine any live situation where this may
> be needed. Could you please tell me where this may be needed? Some
> situation?
> Thanks.
>
>>From: Zero <cisco018@gmail.com>
>>Reply-To: Zero <cisco018@gmail.com>
>>To: Kal Han <calikali2006@gmail.com>
>>CC: secondie <secondie@gmail.com>, Cisco certification
>><ccielab@groupstudy.com>, Cisco certification
>><security@groupstudy.com>
>>Subject: Re: SPAN question
>>Date: Mon, 14 Aug 2006 10:40:51 -0700
>>
>>The difference between
>>
>>1) monitor .... ingress vlan 20
>>2) monitor .... dot1q ingress vlan 20
>>is: 1) PC sends frame without 802.1Q tag, SW adds tag 20 then forwards.
>>2) PC sends frame with 802.1Q tag 20, then SW forwards.
>>
>>So your issue is when you use 'dot1q ingress vlan' but your PC (or router)
>>sends frame without 802.1Q tag, SW just drops this frame.
>>
>>Z.
>>
>>
>>Kal Han wrote:
>> > It depends on the host on which your sniffer is running.
>> > If you are using a Windows PC, I know it works fine with the Intel Pro
>> > NIC card with their (Intel) drivers.
>> > I remember, one person at work had the same problem.
>> > This problem could be because of a driver issue or the
>> > NIC itself. Some drivers REMOVE dot1q tags.
>> > Try to see if there are any driver updates available for your NIC card.
>> >
>> > Thanks
>> > Kal
>> >
>> >
>> > On 7/31/06, secondie <secondie@gmail.com> wrote:
>> >
>> >> Setup
>> >>
>> >> I have switch1 and 2 connected via port 1 with Q trunk configured (all
>> >> vlans allowed)
>> >> Switch 1 has router R1 connected to port 20.
>> >> Switch 2 has router R2 connected to port 20.
>> >>
>> >> Everything is on VLAN 20 and both routers can ping each other.
>> >>
>> >> R1 -- SW1 -- fa0/1 -- trunk -- fa0/1 -- SW2 ---R2
>> >>
>> >>
>> >> I am trying to config span source as port 1 on sw1, destination on sw1
>> >> is port 48
>> >>
>> >> when I configure
>> >>
>> >> monitor sess 1 source int fa 0/1
>> >> monitor sess 1 dest int fa 0/48
>> >>
>> >> or
>> >>
>> >> monitor session 1 source interface Fa0/1
>> >> monitor session 1 destination interface Fa0/48 ingress vlan 20
>> >>
>> >> I can see ping on sniffer
>> >>
>> >> but when I configure
>> >>
>> >> monitor sess 1 source int fa 0/1
>> >> monitor sess 1 dest int fa 0/48 encap dot1q
>> >>
>> >> or
>> >>
>> >> monitor sess 1 source int fa 0/1
>> >> monitor sess 1 dest int fa 0/48 encap dot1q ingress vlan 20
>> >>
>> >> FAILS ...... I see nothing on sniffer.
>> >>
>> >> Anyone see a problem with this?
>> >>
>> >> How can I see dot1q tags on the traffic? Any scenarios?
>> >>
>> >> TIA
>> >> -secondie
>>
>>_______________________________________________________________________
>>Subscription information may be found at:
>>http://www.groupstudy.com/list/CCIELab.html
>
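The thread's central confusion is what the sniffer actually receives on the SPAN destination port: a plain Ethernet frame, or one carrying the 802.1Q tag the switch would otherwise strip. The following is an added example, not code from any poster, that decodes both forms. It builds two constructed frames (placeholder MACs, a stub payload, VLAN 20 as in secondie's lab) and parses them, so you can see exactly which bytes the `encapsulation dot1q` option preserves and how a capture tool distinguishes a tagged frame from an untagged one. It goes slightly beyond the thread by also catching a truncated tag, which is what a tag-stripping driver or a short capture snaplen can leave behind.

```python
"""Decode an Ethernet frame and report whether it carries an 802.1Q tag.

Added example for the SPAN thread; not from any of the posters.
MAC addresses and payload below are constructed placeholders.
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100       # Tag Protocol Identifier announcing an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


@dataclass
class EthHeader:
    dst: str
    src: str
    ethertype: int                 # EtherType of the encapsulated payload
    vlan_id: Optional[int] = None  # None when the frame is untagged
    priority: Optional[int] = None


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vlan: Optional[int] = None,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Construct an Ethernet frame, inserting an 802.1Q tag when vlan is given."""
    hdr = dst + src
    if vlan is not None:
        tci = (0 << 13) | (vlan & 0x0FFF)    # PCP 0, DEI 0, 12-bit VLAN ID
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_ethernet(frame: bytes) -> EthHeader:
    """Return the Ethernet header, unwrapping a single 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    hdr = EthHeader(_mac(dst), _mac(src), ethertype)
    if ethertype == TPID_8021Q:
        # A tag adds 4 bytes: 2-byte TPID (already read) + 2-byte TCI,
        # followed by the real EtherType of the payload.
        if len(frame) < 18:
            raise ValueError("802.1Q TPID present but tag truncated")
        tci, inner = struct.unpack("!HH", frame[14:18])
        hdr.priority = tci >> 13
        hdr.vlan_id = tci & 0x0FFF
        hdr.ethertype = inner
    return hdr


def header_length(hdr: EthHeader) -> int:
    """Offset at which the layer-3 payload starts."""
    return 18 if hdr.vlan_id is not None else 14


def describe(frame: bytes) -> str:
    hdr = parse_ethernet(frame)
    tag = f"802.1Q vlan {hdr.vlan_id}" if hdr.vlan_id is not None else "untagged"
    return f"{hdr.src} -> {hdr.dst} {tag} ethertype 0x{hdr.ethertype:04x}"


# Constructed sample data: placeholder MACs for R1 and R2, stub IPv4 bytes.
R1_MAC = bytes.fromhex("000000000001")
R2_MAC = bytes.fromhex("000000000002")
PAYLOAD = b"\x45\x00" + b"\x00" * 18      # stub, not a real IPv4 packet

# What the sniffer sees on the SPAN destination without 'encapsulation dot1q':
UNTAGGED = build_frame(R2_MAC, R1_MAC, PAYLOAD)
# What it sees when the switch preserves the trunk's VLAN 20 tag:
TAGGED = build_frame(R2_MAC, R1_MAC, PAYLOAD, vlan=20)

if __name__ == "__main__":
    for f in (UNTAGGED, TAGGED):
        print(describe(f))
```

The parser unwraps one tag only; stacked (QinQ) tags would need the loop repeated on the inner EtherType. If a capture on a `dot1q`-encapsulated destination shows every frame as untagged, the tag was removed after the switch, which is the NIC driver behaviour Kal describes.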



This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:57 ART