Re: Ingress option when configuring SPAN/RSPAN

From: Ben (bmunyao@gmail.com)
Date: Wed Jul 11 2007 - 12:21:27 ART


Hi Yan
SPAN is typically used for facilitating IDS deployments in a switched
network. A key feature of many IDS solutions is the ability to send a TCP
reset to a rogue network host, after identifying a traffic stream consistent
with a network attack.

For the SPAN destination port to accept and forward the TCP reset packet, it
needs to support the ingress option. I believe that's why they have it as an
option on the "mon sess 1 destination" command. I have not tried it in a lab
though. Perhaps someone else who has can comment.

HTH

Ben

On 7/10/07, Filyurin, Yan <yan.filyurin@eds.com> wrote:
>
> Hello Group Study. I was wondering if you could help me understand, or
> point me to another thread that explains it; it deals with SPAN and
> RSPAN configuration. All seems well understood except the ingress
> option that can be configured when configuring a SPAN destination.
> From what I understand, the destination port becomes a pure egress port
> that sends captured traffic to a network analyzer, but in certain cases,
> either when the analyzer is using that interface both for management and
> monitoring or it is an IDS that needs to react to what it sees, traffic
> has to come back from it. And I am not sure I understand all the
> options. So I was wondering if someone could help me understand them.
>
> For example, it is possible to configure dot1q vlan vlan_id, which would
> imply that traffic from the analyzer would arrive with an 802.1q tag and
> that vlan_id would be part of the tag. In the case of untagged vlan vlan_id,
> that traffic would come untagged and the switch would treat it as it would
> traffic on the access port. And then there is also the ISL option, where
> it would arrive ISL encapsulated. Yet how come you can't specify an ISL
> vlan in that case? Besides that, am I understanding the other options
> correctly?
>
> Thank you
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
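
Added example, not part of the original posts: a SPAN session whose destination port also accepts traffic from the sensor, so that an IDS can send the TCP resets described above. The syntax follows Catalyst 3560/3750-class IOS, which is an assumption because the thread does not name a platform; the interface names and VLAN 10 are constructed placeholders.

```cisco
! Constructed example: interfaces and VLAN 10 are placeholders.
! Mirror both directions of the monitored port.
monitor session 1 source interface GigabitEthernet0/1 both
!
! Destination port with ingress enabled. The sensor sends plain
! (untagged) frames and the switch places them in VLAN 10, as if
! they had arrived on an access port in that VLAN.
monitor session 1 destination interface GigabitEthernet0/24 ingress untagged vlan 10
!
! Alternative destination lines (a session takes only one of them):
!
! Sensor sends 802.1Q frames; VLAN 10 is the default VLAN used for
! incoming frames that carry no tag.
!   monitor session 1 destination interface GigabitEthernet0/24 encapsulation replicate ingress dot1q vlan 10
!
! Sensor sends ISL frames; this form takes no VLAN argument.
!   monitor session 1 destination interface GigabitEthernet0/24 encapsulation replicate ingress isl
!
! Without the ingress keyword the destination port drops everything
! it receives, so a sensor attached there cannot inject resets.
!
! Verify from exec mode that ingress and its encapsulation are active:
!   show monitor session 1
```

Ingress on a SPAN destination turns a receive-only tap into a port that can inject frames into the named VLAN, so choose a VLAN that reaches only the hosts the sensor must be able to reset.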



This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:40 ART