Unanswered Question
Jul 31st, 2007

Hi guys,

I have a number of interfaces to monitor with my IDS. The problem is I only have one port in my IDS, and I would like to monitor ports in the traffic coming from the private WAN and traffic from the Internet on both switches. Any idea how to handle this scenario? Will VSPAN/RSPAN/SPAN work for this? Attached is the simple network diagram.



michal.grzelak Tue, 07/31/2007 - 23:10


Basically, you would need SPAN+RSPAN. You can use SPAN to monitor traffic on the same switch (from Private WAN + one link from Internet) and RSPAN to forward traffic from the other switch (from the second link to Internet).

Configuration depends on the class of switches you have. I will give an example of SPAN+RSPAN that I am using on a Cat6500.

I have put port numbers in your drawing, so it would be more clear:

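Switch A:

! VLAN that carries the mirrored traffic between the switches
vlan 100
 name sniffer
 ! IOS only accepts a VLAN in "remote vlan" monitor commands if it is marked remote-span
 remote-span

! local sources plus the RSPAN VLAN, delivered to the IDS port gi 1/4
monitor session 2 source int gi 1/1
monitor session 2 source int gi 1/3
monitor session 2 source remote vlan 100
monitor session 2 destination int gi 1/4


Switch B:

vlan 100
 name sniffer
 remote-span

! mirror gi 1/2 into the RSPAN VLAN towards Switch A
monitor session 2 source int gi 1/2
monitor session 2 destination remote vlan 100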


Make sure that VLAN 100 is allowed on the trunk between those switches.

If you have any questions regarding my post, please let me know.
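
An added example, not part of the original post: a small Python check that reads the SPAN/RSPAN lines of two switch configs and reports the mistakes that leave the IDS port silent, including the trunk check mentioned above. It assumes IOS-style syntax, that an RSPAN VLAN is marked with `remote-span`, and that a switch with no `switchport trunk allowed vlan` line allows every VLAN; the sample configs and the trunk port `gi 1/5` are constructed.

```python
import re

def expand(vlans):
    """Expand an IOS VLAN list such as '1,10,100-110' into a set of ints."""
    out = set()
    for part in vlans.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse(cfg):
    """Collect the RSPAN-relevant facts from one switch's config text."""
    f = {"rspan": set(), "allowed": None, "src": set(), "dst": set(), "sensor": False}
    vlan = None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan = int(m[1])
        elif line == "remote-span" and vlan is not None:
            f["rspan"].add(vlan)
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", line):
            f["allowed"] = (f["allowed"] or set()) | expand(m[1])  # union of all trunks
        elif m := re.fullmatch(r"monitor session \d+ (source|destination) remote vlan (\d+)", line):
            f["src" if m[1] == "source" else "dst"].add(int(m[2]))
        elif re.fullmatch(r"monitor session \d+ destination int\S* .+", line):
            f["sensor"] = True  # a local port (the IDS) receives the copy
    return f

def audit(configs):
    """configs maps switch name -> config text; returns a list of findings."""
    facts = {n: parse(c) for n, c in configs.items()}
    findings = []
    for name, f in facts.items():
        for v in sorted(f["src"] | f["dst"]):
            if v not in f["rspan"]:
                findings.append(f"{name}: vlan {v} is not declared remote-span")
            if f["allowed"] is not None and v not in f["allowed"]:
                findings.append(f"{name}: vlan {v} is not allowed on the trunk")
        for v in sorted(f["dst"]):
            peers = [p for n, p in facts.items() if n != name and v in p["src"]]
            if not any(p["sensor"] for p in peers):
                findings.append(f"{name}: no peer delivers vlan {v} to a sensor port")
    return findings

# Constructed sample configs with two deliberate mistakes; gi 1/5 is hypothetical.
A = ("vlan 100\n remote-span\ninterface gi 1/5\n switchport trunk allowed vlan 1,10-20\n"
     "monitor session 2 source remote vlan 100\nmonitor session 2 destination int gi 1/4")
B = ("vlan 100\n name sniffer\nmonitor session 2 source int gi 1/2\n"
     "monitor session 2 destination remote vlan 100")
print("\n".join(audit({"A": A, "B": B})))
```
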



michael.spence Mon, 08/06/2007 - 09:49

I am trying to monitor a switchport that is in a 3750, which is remote to our location. The remote is connected via fiber to a 6509. My question is this: is int gig1/4 the trunk port to the 6509? By the same token, is int gig 1/2 on Switch B the trunk to Switch A? Knowing this would be most helpful. Thank you.

