IDS deployment with redundant configuration

Unanswered Question
Mar 19th, 2009

Hello,

I have the following setup and I would like to be sure that the reasoning and configuration are correct:

2 aggregation switches A & B are connected via a trunk and are redundant. We have 1 IDS that is going to be connected only to switch A. We would like to monitor the incoming traffic. Thus I am planning to configure RSPAN as in the attached configuration.

Correct me if it's wrong.

Thank you

Jean

Attachment: 
Yudong Wu Thu, 03/19/2009 - 15:37

One thing you missed is "monitor session 3 destination remote vlan 300 reflector-port Fa x/y" where Fa x/y is any unused port.

I did not use your way to configure RSPAN. Therefore, I cannot comment.

I did use the following config to do RSPAN and I know it works. VLAN 900 is the RSPAN VLAN.

switch-1

monitor session 1 source vlan 20 rx
monitor session 1 destination remote vlan 900 reflector-port Fa0/3

switch-2 (IDS connected to Fa0/1)

monitor session 1 source vlan 10 , 900 rx
monitor session 1 destination interface Fa0/1

jeansamarani Sat, 03/21/2009 - 02:04

Hi,

I didn't understand where to put this command, and for what?

Can you please elaborate?

Thank you.

Jean

Giuseppe Larosa Sat, 03/21/2009 - 06:33

Hello Jean,

For sure you don't need to put the destination port in the remote SPAN VLAN.

And you don't need to configure a second session with destination RSPAN on switch A.

This is not required and not usually done.

Depending on the switch platform and model, remote SPAN may require the use of a physical port as a "mirror"; this port is not usable and takes part in the remote SPAN solution.

This is the meaning of reflector port.

I try to guess you have C3750 switches.

Have a look at the config guide

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swspan.html#wp1073772

I don't see the need for the reflector port, but this can also be IOS dependent.

Hope to help

Giuseppe

Yudong Wu Sat, 03/21/2009 - 11:04

Hi Jean,

Giuseppe has pointed to the reason. Thanks Giuseppe.

I configured RSPAN on 3550. It looks different from 3750. So you don't need "reflector-port".
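The thread's conclusion (RSPAN VLAN declared on both switches, no reflector port on a Catalyst 3750, reflector port only on platforms such as the 3550) as one complete two-switch configuration. This is an added example, not Jean's attachment or either replier's config. It assumes the traffic to be monitored enters switch B on VLAN 20, VLAN 900 is free to serve as the RSPAN VLAN, the IDS sits on Fa0/1 of switch A, and the inter-switch trunk is Gi1/0/1 on both sides; all of these names are assumptions.

```cisco
! ---- Switch B: RSPAN source (Catalyst 3750-style, no reflector port) ----
vlan 900
 remote-span
!
! Copy ingress traffic of VLAN 20 into the RSPAN VLAN
monitor session 1 source vlan 20 rx
monitor session 1 destination remote vlan 900
!
! On a Catalyst 3550 the destination line would instead need a spare port:
!   monitor session 1 destination remote vlan 900 reflector-port Fa0/3
!
! ---- Trunk towards switch A: carry VLAN 900, nothing else extra ----
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan add 900
!
! ---- Switch A: RSPAN destination, IDS on Fa0/1 ----
vlan 900
 remote-span
!
monitor session 1 source remote vlan 900
monitor session 1 destination interface FastEthernet0/1
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan add 900
!
! Verification on either switch
! show vlan remote-span
! show monitor session 1
```

Two points worth checking after applying it. First, `show vlan remote-span` must list VLAN 900 on both switches and the trunk must carry it; if the RSPAN VLAN is missing on one side or pruned from the trunk, the destination session comes up but the IDS sees nothing. Second, the RSPAN VLAN has MAC learning disabled and floods every copied frame to all ports that carry the VLAN, so keep it out of access ports and off any trunk that does not lead to switch A: any host on a port that carries VLAN 900 could sniff the mirrored traffic. The IDS port is receive-only unless you add the `ingress` keyword to the destination line, which is the setting you want for a passive sensor.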
