SPAN and RSPAN, ISL and TRUNKING

Unanswered Question
Nov 7th, 2007

Hello,

I have some questions regarding the do's and don'ts of SPANNING. If you have for example several switches with one port, say port 48 SPANNED to another switch that collapses all the traffic to be monitored by an IDS or network analyzer.

What would be the best way to do this if you were concerned about multiple VLAN's being on the switches you were SPANNING from?

My idea was to turn each of the SPAN ports into a TRUNK PORTS and also use ISL encapsulation between the switches and the “Aggregate Switch” that everything collapses to. Then, I would have a Monitor Session “Another SPAN taking all of those SPAN's for the other switches to a single port for monitoring.

This was because on each of the switches have TRUNKED 802.1q FIBER PORTS and are capable of receiving any VLAN. Also, although 802.1q is common, for this I was thinking of using ISL because it does not require a Native VLAN. If a port on the switch is changed to a different VLAN (Switch Port Access VLAN XX) and the Monitor “SPAN” is not set for TRUNKING, I don't think we would see that traffic from a different VLAN would we?

RSPAN could be used but there are already physical SPAN's coming from each of the switches to monitor. Is there any down side to using physically cabled SPAN's vs RSPAN?

What is the best practice for monitoring segregated networks that cannot use RSPAN? Physically cabled SPAN's with Monitor Sessions?

Am I thinking of this correctly or have I derailed?

Thanks

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
ivillegas Wed, 11/14/2007 - 10:22

If you have source ports belonging to several different VLANs, or if you are using SPAN on several VLANs on a trunk port, you may want to identify to which VLAN a packet you are receiving on the destination SPAN port belongs. This is possible by enabling trunking on the destination port before configuring it for SPAN. This way, all packets forwarded to the

sniffer will also be tagged with their respective VLAN IDs.

d1701 Tue, 01/15/2008 - 07:31

Is there any related security risk to combining passive internal and external traffic to be analyzed? We have multiple SPAN sessions that psychically collapse to a single switch. We then analyze that data from that point. There is no IP on any of the interfaces that SPAN and these switches are not layer three.

Actions

This Discussion