VSPAN or RSPAN

alex.tulio · ‎07-31-2007

hi guys,

i have a number of interface to monitor with my ids, problem is i only have one port in my ids and i would like to monitor ports in the traffic coming from the private wan and traffic from the internet on both switches. any idea how this scenario? will vspan/rspan/span will work on this? attached is the simple network diagram.

thanks

alex

michal.grzelak · ‎07-31-2007

Hi,

Basicly You would need span+rspan. You can use SPAN to monitor traffic on the same switch (from Private WAN+one link from Internet) and RSPAN to forward traffic from the other switch (from second link to Internet).

Configuration depends on switches classed You have. I will give an example of span+rspan that I am using on Cat6500.

I have put port numbers in Your drawing, so it would be more clear:

Switch A:

vlan 100

name sniffer

remote-span

exit

monitor session 2 source int gi 1/1

monitor session 2 source int gi 1/3

monitor session 2 source remote vlan 100

monitor session 2 destination int gi 1/4

---------

Switch B:

vlan 100

name sniffer

remote-span

exit

monitor session 2 source int gi 1/2

monitor session 2 destination remote vlan 100

---------

Make sure that Vlan100 is allowed on trunk between those switches.

If You have any questions regarding my post, please let me know.

Regards:

Michal

michal.grzelak · ‎07-31-2007

Forgot to attach drawing :)

michael.spence · ‎08-06-2007

I am trying to monitor a switchport that is in a 3750, which is remote to our location. The remote is connected via fiber to a 6509. My question is this, Is int gig1/4 the trunk port to the 6509? By the same token is int gig 1/2 on Switch B the trunk to Switch A? Knowing this would be most helpful. Thank you.