SPAN port over Layer 3

ronshuster · ‎03-17-2009

Anyone has an idea how to configure Layer3 spanning?

We have a small site with access to the Internet but want to use Websense which is currently in a different site. So spanning the traffic that is destined to the Internet to go through Websense is the plan.

Any idea?

Giuseppe Larosa · ‎03-17-2009

Hello Ron,

you should use the internet access of the small site just to build a GRE tunnel to the main site:

on the main site traffic can be sent to the Websense.

Return traffic if permitted is then sent back to the

The GRE tunnel can be protected with IPsec for privacy.

We do so IPSEC+GRE over internet and the remote sites to go to the internet via the main site.

Hope to help

Giuseppe

ronshuster · ‎03-18-2009

Yes I understand, but as far as I know there is no need to introduce additional GRE tunnels, but rather SPAN to an IP address (layer3).

Giuseppe Larosa · ‎03-18-2009

Hello Ron,

inside an intranet if the switches are 6500 you can take advantage of ERSPAN that builds a GRE tunnel between the two 6500.

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/span.html

not being on the forwarding path the websense can only log web activity.

Hope to help

Giuseppe