Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
468
Views
0
Helpful
5
Replies

IDS deployment with redundant configuration

jeansamarani
Level 1
Level 1

‎03-19-2009 04:07 AM - edited ‎03-06-2019 04:41 AM

Hello,

I have the following setup and i would like to be sure that the reasoning & configuration is correct:

2 aggregation switches A & B are connected via a trunk and are redundant. we have 1 IDS that is going to be connected only to switch A. we would like to monitor the incoming traffic. Thus I am planning to configure RSPAN as the attached configuration.

correct me if it's wrong.

thank you

Jean

Labels:
Preview file
2 KB
0 Helpful
5 Replies 5

Yudong Wu
Level 7
Level 7

‎03-19-2009 03:37 PM

One thing you missed is "monitor session 3 destination remote vlan 300 reflector-port Fa x/y" where Fa x/y is any unused port.

I did not use your way to configure RSPAN. Therefore, I can not comment.

I did use the following config to do RSPAN and I know it works. vlan 900 is rspan vlan.

switch-1

monitor session 1 source vlan 20 rx

monitor session 1 destination remote vlan 900 reflector-port Fa0/3

switch-2 (IDS connected to Fa0/1)

monitor session 1 source vlan 10 , 900 rx

monitor session 1 destination interface Fa0/1

0 Helpful

jeansamarani
Level 1
Level 1
In response to Yudong Wu

‎03-21-2009 02:04 AM

Hi,

i didn't understand where to put this command and for what ?

can you please elaborate?

thank you.

Jean

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to jeansamarani

‎03-21-2009 06:33 AM

Hello Jean,

for sure you don't need to put in the remote span vlan the destination port.

And you don't need to configure a second session with destination rspan on switchA.

This is not requested and not done usually.

Depending on the switch platform and model remote span may require to use a physical port as a "mirror" this port is not usable and takes part in the remote span solution.

This is the meaning of reflector port

I try to guess you have C3750 switches.

Have a look at the config guide

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swspan.html#wp1073772

I don't see the need for the reflection port but this can be also IOS dependent.

Hope to help

Giuseppe

0 Helpful

Yudong Wu
Level 7
Level 7
In response to Giuseppe Larosa

‎03-21-2009 11:04 AM

Hi Jean,

Giuseppe has pointed to the reason. Thanks Giuseppe.

I configured RSPAN on 3550. It looks like differenct from 3750. So you don't need "reflector-port".

0 Helpful

jeansamarani
Level 1
Level 1
In response to Yudong Wu

‎03-21-2009 11:15 AM

thanks Guys !!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card