VSPAN or RSPAN

Unanswered Question
Jul 31st, 2007

Hi guys,

I have a number of interfaces to monitor with my IDS. The problem is I only have one port on my IDS, and I would like to monitor the ports carrying traffic from the private WAN and traffic from the Internet on both switches. Any idea how to handle this scenario? Will VSPAN/RSPAN/SPAN work for this? Attached is the simple network diagram.

thanks

alex

michal.grzelak Tue, 07/31/2007 - 23:10

Hi,

Basically you would need SPAN+RSPAN. You can use SPAN to monitor traffic on the same switch (from the private WAN plus one link from the Internet) and RSPAN to forward traffic from the other switch (from the second link to the Internet).

Configuration depends on the class of switches you have. I will give an example of SPAN+RSPAN that I am using on a Cat6500.

I have put port numbers in your drawing, so it would be more clear:

Switch A:

vlan 100
 name sniffer
 remote-span
 exit
monitor session 2 source int gi 1/1
monitor session 2 source int gi 1/3
monitor session 2 source remote vlan 100
monitor session 2 destination int gi 1/4

---------

Switch B:

vlan 100
 name sniffer
 remote-span
 exit
monitor session 2 source int gi 1/2
monitor session 2 destination remote vlan 100

---------

Make sure that Vlan100 is allowed on the trunk between those switches.

If you have any questions regarding my post, please let me know.

Regards,

Michal
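
Added example (not part of the thread or of any poster's configuration): a small offline check for the two conditions the reply above depends on, namely that every RSPAN VLAN referenced by a monitor session is declared remote-span and is carried on the inter-switch trunk. The trunk name GigabitEthernet1/10, the allowed-VLAN lists and the sample configs are assumptions constructed for illustration; the parser expects a single plain "allowed vlan" list per trunk.

```python
import re

# Constructed running-configs (not from the thread); trunk Gi1/10 and its VLAN
# lists are assumptions. SWITCH_B lacks remote-span and prunes VLAN 100.
SWITCH_A = """\
vlan 100
 name sniffer
 remote-span
interface GigabitEthernet1/10
 switchport mode trunk
 switchport trunk allowed vlan 10,20,90-110
monitor session 2 source remote vlan 100
monitor session 2 destination interface Gi1/4
"""
SWITCH_B = """\
vlan 100
 name sniffer
interface GigabitEthernet1/10
 switchport mode trunk
 switchport trunk allowed vlan 10,20
monitor session 2 source interface Gi1/2
monitor session 2 destination remote vlan 100
"""

def expand(vlan_list):
    """Expand an IOS VLAN list such as '10,20,90-110' into a set of ints."""
    out = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def section(config, header):
    """Return the indented lines under a top-level config line, or None."""
    m = re.search(rf"^{re.escape(header)}\n((?: .*\n)*)", config, re.M)
    return m.group(1) if m else None

def rspan_problems(config, trunk):
    """List problems with every RSPAN VLAN referenced by a monitor session."""
    problems = []
    refs = re.findall(r"^monitor session \d+ \w+ remote vlan (\d+)", config, re.M)
    intf = section(config, f"interface {trunk}")
    allowed = re.search(r"^ switchport trunk allowed vlan (\S+)", intf or "", re.M)
    for vlan in sorted({int(v) for v in refs}):
        if " remote-span\n" not in (section(config, f"vlan {vlan}") or ""):
            problems.append(f"vlan {vlan} is not defined as remote-span")
        # No 'allowed vlan' line: the trunk carries all VLANs by default.
        if intf is None or (allowed and vlan not in expand(allowed.group(1))):
            problems.append(f"vlan {vlan} is not carried on trunk {trunk}")
    return problems
```

Running rspan_problems() on a saved copy of each switch's configuration before the IDS goes live shows whether a quiet sensor port means quiet traffic or a broken mirror path.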

michael.spence Mon, 08/06/2007 - 09:49

I am trying to monitor a switchport that is in a 3750, which is remote to our location. The remote is connected via fiber to a 6509. My question is this: is int gig1/4 the trunk port to the 6509? By the same token, is int gig 1/2 on Switch B the trunk to Switch A? Knowing this would be most helpful. Thank you.
