I have some questions regarding the do's and don'ts of SPANning. Say you have, for example, several switches, each with one port (say port 48) SPANned to another switch that collapses all the traffic to be monitored by an IDS or network analyzer.
What would be the best way to do this if you were concerned about multiple VLANs being on the switches you were SPANning from?
My idea was to turn each of the SPAN ports into trunk ports and also use ISL encapsulation between the switches and the "Aggregate Switch" that everything collapses to. Then I would have a Monitor Session (another SPAN) taking all of those SPANs from the other switches to a single port for monitoring.
This is because each of the switches has trunked 802.1Q fiber ports and is capable of receiving any VLAN. Also, although 802.1Q is common, for this I was thinking of using ISL because it does not require a native VLAN. If a port on a switch is changed to a different VLAN (switchport access vlan XX) and the Monitor "SPAN" is not set for trunking, I don't think we would see the traffic from that different VLAN, would we?
RSPAN could be used, but there are already physical SPANs coming from each of the switches to monitor. Is there any downside to using physically cabled SPANs vs RSPAN?
What is the best practice for monitoring segregated networks that cannot use RSPAN? Physically cabled SPANs with Monitor Sessions?
Am I thinking of this correctly or have I derailed?
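For reference, here is a sketch of the two-stage layout described in the question (per-switch SPAN feeding an aggregate switch, which SPANs the collected feeds to a single IDS port). It is added here as an illustration and is not part of the original post. It assumes Catalyst 3560/3750-style IOS syntax; the interface names, session numbers and VLAN ids are placeholders, and the VLAN-creation step on the aggregate switch is a precaution, not something the question states is required.

```cisco
! === Access switch (repeat on each switch being monitored) ===
! Local SPAN: copy the user ports to the feed port toward the aggregate switch.
! Interface names are placeholders.
monitor session 1 source interface GigabitEthernet1/0/1 - 47 both
! "encapsulation replicate" keeps each mirrored frame's own tagging
! (802.1Q or ISL, whatever the source carried), so VLAN identity survives
! on the feed. The other option on this platform is "encapsulation dot1q",
! which tags every mirrored frame with 802.1Q; there is no ISL keyword here.
monitor session 1 destination interface GigabitEthernet1/0/48 encapsulation replicate
! Optional: when the source is a trunk, limit the copy to the VLANs of interest.
! monitor session 1 filter vlan 10 - 30

! === Aggregate switch ===
! Placeholder VLAN ids; created locally as a precaution so tagged feed
! frames arriving on the trunk ports below are treated as valid VLANs.
vlan 10-30

! Ports receiving the feeds: plain trunks, no DTP negotiation, no CDP.
interface range GigabitEthernet1/0/1 - 4
 description SPAN feed from access switch (placeholder)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 no cdp enable

! Second-stage SPAN: feed ports only ever receive (a SPAN destination on the
! access switch sends nothing back), so "rx" is enough; tags are preserved
! on the way to the IDS port.
monitor session 1 source interface GigabitEthernet1/0/1 - 4 rx
monitor session 1 destination interface GigabitEthernet1/0/48 encapsulation replicate
```

Check each stage with `show monitor session 1` and watch the IDS port's counters for drops: collapsing several gigabit feeds onto one destination port oversubscribes it as soon as the sources are busy, which is the practical cost of this chained-SPAN design regardless of which encapsulation is used.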