Re: SPAN question

From: Stefan Grey (examplebrain@hotmail.com)
Date: Tue Aug 15 2006 - 04:20:57 ART

• Next message: Farrukh Haroon: "Re: DNS Recursion & PIX/ASA"
• Previous message: Duane Dewitt: "RE: VoIP on ATM"
• Maybe in reply to: secondie: "SPAN question"
• Next in thread: Glen Wilson: "RE: SPAN question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This explanation about IDS is very interesting and reasonoble for me. Is
that true??? Coold anybody approve it?? Or even give me a link into
documentation where it is written about IDS resets??

Thank you very much??

>From: "Ryan Vakili" <ryan@camous.com>
>Reply-To: "Ryan Vakili" <ryan@camous.com>
>To: "Stefan Grey" <examplebrain@hotmail.com>, <cisco018@gmail.com>,
><calikali2006@gmail.com>
>CC: <secondie@gmail.com>, <ccielab@groupstudy.com>,
><security@groupstudy.com>
>Subject: Re: SPAN question
>Date: Tue, 15 Aug 2006 14:02:40 +1000
>
>if you don't use the ingress keyword the port is just in listening mode and
>TCP reset packets cann not be sent through that port (from IDS)
>
>Guys correct me if I am wrong
>
>Cheers
>Ryan
>----- Original Message ----- From: "Stefan Grey" <examplebrain@hotmail.com>
>To: <cisco018@gmail.com>; <calikali2006@gmail.com>
>Cc: <secondie@gmail.com>; <ccielab@groupstudy.com>;
><security@groupstudy.com>
>Sent: Tuesday, August 15, 2006 5:16 AM
>Subject: Re: SPAN question
>
>
>>Guys,
>>could you please explain me why this ingress word is needed??? I read the
>>explanation in the doc but can't imagine any live situation where this may
>>be needed?? Could you please tell where this may be needed?? Some
>>situation??
>>Thanks.
>>
>>>From: Zero <cisco018@gmail.com>
>>>Reply-To: Zero <cisco018@gmail.com>
>>>To: Kal Han <calikali2006@gmail.com>
>>>CC: secondie <secondie@gmail.com>, Cisco certification
>>><ccielab@groupstudy.com>, Cisco certification
>>><security@groupstudy.com>
>>>Subject: Re: SPAN question
>>>Date: Mon, 14 Aug 2006 10:40:51 -0700
>>>
>>>The different between
>>>
>>>1) monitor .... ingress vlan 20
>>>2) monitor .... dot1q ingress vlan 20
>>>is 1) PC send frame without 802.1Q tag , SW add tag 20 then forward.
>>>2) PC send frame with 802.1Q tab 20 , then SW forward.
>>>
>>>So you issue is when you use 'dot1q ingress vlan' but you PC(or router)
>>>send frame without 802.1Q tag , SW just drop this frame.
>>>
>>>Z.
>>>
>>>
>>>Kal Han wrote:
>>> > It depends on the host on which your sniffer is running.
>>> > If you are using Windows PC, I know it works fine with the Intel Pro
>>> > NIC card with their (Intel) drivers.
>>> > I remember, one person at work had the same problem.
>>> > This problem could be because of a driver issue or the
>>> > NIC itself. Some drivers REMOVE dot1q tags.
>>> > Try to see if there are any driver updates availabe for your NIC card.
>>> >
>>> > Thanks
>>> > Kal
>>> >
>>> >
>>> > On 7/31/06, secondie <secondie@gmail.com> wrote:
>>> >
>>> >> Setup
>>> >>
>>> >> I have switch1 and 2 connected via port 1with Q trunk configured (all
>>> >> vlans allowed)
>>> >> Switch 1 has router R1 connected to port 20.
>>> >> Switch 2 has router R2 connected to port 20.
>>> >>
>>> >> Every thing is on VLAN 20 and both routers can ping each other.
>>> >>
>>> >> R1 -- SW1 -- fa0/1 -- trunk -- fa0/1 -- SW2 ---R2
>>> >>
>>> >>
>>> >> I am trying to config span source as port 1 on sw1, destination on sw
>>> >> 1
>>> >> is port 48
>>> >>
>>> >> when I configure
>>> >>
>>> >> monitor sess 1 source int fa 0/1
>>> >> monitor sess 1 dest int fa 0/48
>>> >>
>>> >> or
>>> >>
>>> >> monitor session 1 source interface Fa0/1
>>> >> monitor session 1 destination interface Fa0/48 ingress vlan 20
>>> >>
>>> >> I can see ping on sniffer
>>> >>
>>> >> but when I configure
>>> >>
>>> >> monitor sess 1 source int fa 0/1
>>> >> monitor sess 1 dest int fa 0/48 encap dot1q
>>> >>
>>> >> or
>>> >>
>>> >> monitor sess 1 source int fa 0/1
>>> >> monitor sess 1 dest int fa 0/48 encap dot1q ingress vlan 20
>>> >>
>>> >> FAILS ...... I see nothing on sniffer.
>>> >>
>>> >> Any one see problem with this ?
>>> >>
>>> >> How can I see dot1q tags on the traffic? Any scenarios?
>>> >>
>>> >> TIA
>>> >> -secondie
>>>
>>>_______________________________________________________________________
>>>Subscription information may be found at:
>>>http://www.groupstudy.com/list/CCIELab.html
>>
>>_________________________________________________________________
>>Customise your home page with RSS feeds at MSN Ireland! http://ie.msn.com/
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html

• Next message: Farrukh Haroon: "Re: DNS Recursion & PIX/ASA"
• Previous message: Duane Dewitt: "RE: VoIP on ATM"
• Maybe in reply to: secondie: "SPAN question"
• Next in thread: Glen Wilson: "RE: SPAN question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:57 ART