11-29-2007 01:20 PM - edited 03-05-2019 07:43 PM
We are deploying several (6) IDS sensors to monitor traffic on various VLANs on the core router/switch 3750Gs. I can only do two SPAN monitor sessions. Is there a workaround with SPAN or RSPAN so I can mirror/capture traffic for the many IDS sensors? Thanks.
11-29-2007 01:53 PM
Physical taps can help. Google 'network tap' for mfg's.
HTH and please rate.
11-29-2007 01:59 PM
Yes, I thought about physical taps for the router links. But as for the many VLANs that live on the core router, I won't be able to tap in. Any way around it?
11-29-2007 02:05 PM
I would think that with their higher-end products you would be able to trunk multiple VLANs to a single TAP. We span multiple source VLANs to a single destination port for IDS.
CORE1#sh mon
Session 1
---------
Type : Local Session
Source VLANs :
Both : 26,30,104,300,603
Destination Ports : Gi7/1
11-29-2007 03:00 PM
The 3750Gs can do multiple sources and multiple destinations, but only 2 sessions. Thus I can do a source-destination pair session only twice. I may just have to SPAN many VLANs and ports, and then have the IDS sensors filter out the unwanted traffic as needed. I'm trying to see if RSPAN can overcome this limitation. Keep the ideas flowing. Thanks.
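A sketch of the sensor-side filtering mentioned in the last post, added here as an example and not taken from any poster: each sensor keeps only the frames whose 802.1Q VLAN ID is on its list. It assumes the mirrored frames reach the sensors with their VLAN tags intact; the sensor names and the sample frames are constructed, and the VLAN IDs are the ones from the `sh mon` output above.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Hypothetical sensor-to-VLAN assignment: the VLAN IDs come from the
# "sh mon" output in the thread, the sensor names are made up.
SENSOR_VLANS = {
    "ids-a": {26, 30},
    "ids-b": {104},
    "ids-c": {300, 603},
}

def vlan_id(frame: bytes):
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if untagged or too short."""
    if len(frame) < 18:          # 12 bytes of MACs + 4-byte tag + 2-byte EtherType
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF          # low 12 bits of the TCI carry the VLAN ID

def sensors_for(frame: bytes, sensor_vlans=SENSOR_VLANS):
    """List the sensors that should inspect this frame; every other sensor drops it."""
    vid = vlan_id(frame)
    return sorted(name for name, vlans in sensor_vlans.items() if vid in vlans)

def build_frame(vid=None, payload=b"\x00" * 46):
    """Construct a sample Ethernet frame (constructed test data, not a capture)."""
    macs = bytes.fromhex("ffffffffffff" "020000000001")
    # Priority bits are set to 3 to show that the mask isolates the VLAN ID.
    tag = struct.pack("!HH", TPID_8021Q, (3 << 13) | vid) if vid is not None else b""
    return macs + tag + struct.pack("!H", 0x0800) + payload

if __name__ == "__main__":
    for vid in (26, 104, 603, 999, None):
        print(vid, sensors_for(build_frame(vid)))
```

Untagged frames and VLANs outside every list match no sensor, so the shared mirror port can carry more VLANs than any single sensor is meant to analyze.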