From: Tarun Pahuja (pahujat@gmail.com)
Date: Mon May 28 2007 - 14:21:46 ART
Sebastan,
This document seems to be a little bit old, but it would
clarify all your doubts about SPAN and tagging.
http://www.cisco.com/warp/public/473/41.html
Thanks,
Tarun Pahuja
CCIE#7707(R&S,Security,SP,Voice,Storage),CCSI
On 5/28/07, Petr Lapukhov <petr@internetworkexpert.com> wrote:
>
> Hi Sebastan,
>
> Basically, SPAN destination port is designed to be UNIDIRECTIONAL - that is,
> only do egress forwarding of captured data frames. Optionally, you may want
> the switch to send captured frames with their original VLAN numbers,
> encapsulating them either with ISL or dot1q (whatever your sniffer wants).
>
> As a special case, you may want SPAN destination port to accept and forward
> data frames ingress from sniffer. This may be required if you want to
> configure IDS on a stick, or you may need to accept TCP resets from
> monitoring interfaces.
>
> In this case, if you send your frames untagged, they are assigned to the
> ingress VLAN number specified. If you send them tagged, the original header
> is used for that purpose.
>
> --
> Petr Lapukhov, CCIE #16379 (R&S/Security)
> petr@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
>
> 2007/5/28, sebastan bach <sebastan.bach@gmail.com>:
> >
> > the documentation specifies that by default the destination span port
> > doesn't forward any data.
> >
> > i want to know: when the source port is a trunk port, does the switch
> > copy the frames with the vlan tagging or after removing the vlan tagging?
> >
> > say i have connected a sniffer on the destination port.
> > my doubt is about the documentation which says
> >
> > Specify ingress to enable forwarding for ingress
> > traffic on the SPAN destination port when using ISL encapsulation
> >
> > does this mean that i can use the ingress command on the span destination
> > port when isl is enabled as the encapsulation on trunk ports?
> >
> > because out here they have specified
> >
> > This example shows how to configure the destination port for ingress
> > traffic on VLAN 5 by using a security device that does not support
> > IEEE 802.1Q encapsulation.
> > Switch(config)# monitor session 1 destination interface fastethernet0/5 ingress vlan 5
> >
> > because the destination port will generally be an access port, why would
> > we need the device on that port to send tagged traffic?
> >
> > the security device they are talking about here, what exactly are they
> > referring to???
> >
> > can someone please clear my doubt on this.
> >
> > i am really confused about this one.
> >
> > regards
> >
> > sebastan
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:22 ART
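
The three destination-port behaviours discussed in this thread, as an added configuration example that is not part of the original posts. It assumes the Catalyst 3560/3750-style SPAN syntax (keyword availability varies by platform and IOS release); the interface numbers are constructed, and VLAN 5 is the one from the quoted documentation. The three destination lines are alternatives for the same session, not a sequence.

```ios
! Added example, not from the thread. Gi0/1 and Gi0/2 are constructed names.
! Source: a trunk port, mirrored in both directions.
monitor session 1 source interface gigabitethernet0/1 both
!
! (a) Default destination: egress only. Mirrored frames leave untagged and
!     anything the attached device transmits into the port is dropped.
monitor session 1 destination interface gigabitethernet0/2
!
! (b) Egress only, but keep the source port's encapsulation so the sniffer
!     sees the original ISL / 802.1Q VLAN tags from the trunk.
monitor session 1 destination interface gigabitethernet0/2 encapsulation replicate
!
! (c) Accept traffic FROM the attached device as well (for example an IDS
!     sending TCP resets). Untagged frames it sends are placed in VLAN 5.
!     This is the case the quoted "ingress vlan 5" documentation describes.
monitor session 1 destination interface gigabitethernet0/2 ingress untagged vlan 5
!
! (c, tagged variant) The device sends 802.1Q-tagged frames: the VLAN in the
!     tag is used, and VLAN 5 applies only to frames that arrive untagged.
monitor session 1 destination interface gigabitethernet0/2 encapsulation replicate ingress dot1q vlan 5
!
! Check which mode is active (destination port, encapsulation, ingress state):
! Switch# show monitor session 1
```

With ingress enabled the destination port is no longer receive-isolated, so the monitoring device can inject frames into the ingress VLAN; leave it disabled, as in (a) or (b), for a passive sniffer.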