Re: Monitoring a VLAN vs. an Interface

From: Ben (bmunyao@gmail.com)
Date: Wed Jul 18 2007 - 04:18:46 ART


Andy
If the requirement was to monitor traffic on the VLAN, I would go with the
second solution. It takes care of any future interfaces added to the VLAN,
and defines direction (rx) as well.

If the scenario indicates that you monitor the interfaces currently in the
VLAN, then that could indicate that future VLAN members do not need to be
monitored. I would however clarify this with the proctor, before using the
first solution (with rx).

HTH
Ben

On 7/18/07, Andy LaPorte <andy@cloud9.net> wrote:
>
> I was just going over a lab that asks to monitor a VLAN to an interface.
> The goal was to monitor the received traffic.
>
>
>
> The setup was 4 switches where 2-3 of the switches had ports assigned to
> the VLAN that was to be monitored.
>
>
>
> The solution was to set up remote spanning where the source was the
> interfaces and the destination was a new VLAN for the purpose of rspan.
>
>
>
> I'm a bit confused on when you would set the source as the interfaces
> versus when you can set the source as the VLAN.
>
>
>
> Maybe an example would help with my question:
>
>
>
> S1
>
> Interface FA0/1 - VLAN 10
>
>
>
> S2
>
> Interface FA0/1 - VLAN 10
>
>
>
> S4
>
> (no ports in VLAN 10)
>
> Interface FA0/1 - Monitor Destination
>
>
>
>
>
> The solution was:
>
>
>
> S1
>
> VLAN 666 (this was the VTP server so it went to all switches)
>
> Name IDS
>
> Remote-span
>
> Monitor session 1 source interface FA0/1
>
> Monitor session 1 destination remote vlan 666
>
>
>
> S2
>
> Monitor session 1 source interface FA0/1
>
> Monitor session 1 destination remote vlan 666
>
>
>
> S4
>
> Monitor session 1 source remote vlan 666
>
> Monitor session 1 destination interface FA0/1
>
>
>
> What I'm trying to figure out is what is the difference from the above
> solution and this one:
>
>
>
> S1
>
> VLAN 666
>
> Name IDS
>
> Remote-span
>
> Monitor session 1 source vlan 10 rx
>
> Monitor session 1 destination remote vlan 666
>
>
>
> S2
>
> Monitor session 1 source vlan 10 rx
>
> Monitor session 1 destination remote vlan 666
>
>
>
> S4
>
> Monitor session 1 source remote vlan 666
>
> Monitor session 1 destination interface FA0/1
>
>
>
> Now I understand when monitoring the Interface it monitors both tx and rx
> but the request was only for received traffic. Any help would be great in
> understanding this concept as I'm a bit confused even after going over the
> docs a few times.
>
>
>
> Andy
>



This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:41 ART
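
The coverage difference discussed in this thread, as an added example that is not part of the original messages: a small audit that reads a switch configuration and lists access ports in the monitored VLAN that no monitor session source covers. The sample configuration is constructed (Fa0/2 is a hypothetical port added to VLAN 10 after the session was written), and the parser assumes one interface per `source interface` line, with no ranges or lists.

```python
import re

# Constructed sample config (not from the thread): Fa0/2 joined VLAN 10
# after the interface-based monitor session was written.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
interface FastEthernet0/2
 switchport access vlan 10
interface FastEthernet0/3
 switchport access vlan 20
monitor session 1 source interface Fa0/1 rx
monitor session 1 destination remote vlan 666
"""

def short_name(ifname):
    """Normalise 'FastEthernet0/1' and 'Fa0/1' to 'fa0/1'."""
    m = re.match(r"([A-Za-z]+)\s*([\d/]+)$", ifname.strip())
    return (m.group(1)[:2] + m.group(2)).lower() if m else ifname.lower()

def unmonitored_ports(config, vlan):
    """Return access ports in `vlan` that no monitor session source covers."""
    members, src_ports, src_vlans = set(), set(), set()
    current = None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"interface (\S+)$", line, re.I):
            current = short_name(m.group(1))
        elif m := re.match(r"switchport access vlan (\d+)$", line, re.I):
            if current and int(m.group(1)) == vlan:
                members.add(current)
        elif m := re.match(r"monitor session \d+ source interface (\S+)", line, re.I):
            src_ports.add(short_name(m.group(1)))
        elif m := re.match(r"monitor session \d+ source vlan (\d+)", line, re.I):
            # 'source remote vlan N' (the RSPAN VLAN) deliberately does not match
            src_vlans.add(int(m.group(1)))
    if vlan in src_vlans:  # a VLAN source follows membership automatically
        return []
    return sorted(members - src_ports)

if __name__ == "__main__":
    print(unmonitored_ports(SAMPLE_CONFIG, 10))
```

Run against each source switch's configuration, a non-empty result means traffic received on those ports never reaches the RSPAN VLAN and therefore never reaches the monitoring destination.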