T1 and SPAN

Apr 27th, 2009

If my P1 and T1 ports are in full duplex mode and both ports are on the same LAN (VLAN) as my PIX (inside interface) to Internet - Why do I need to SPAN one Cisco port to another if all 3 interfaces (P1, T1 & PIX) see all inbound/outbound traffic?
If SPAN is mandatory, what interface do I SPAN to the T1 port?

conorgeraghty_i... Mon, 04/27/2009 - 12:51

Of course - traffic bound for the PIX won't be seen by T1 because its MAC address is different - THAT'S why I need to SPAN - DOH! :roll:

I am migrating networks onto my S160 so I assume I will need to SPAN the P1 port on the Ironport and NOT the inside port of my PIX :oops:

jdohrman Mon, 04/27/2009 - 16:58

I am migrating networks onto my S160 so I assume I will need to SPAN the P1 port on the Ironport and NOT the inside port of my PIX  :oops:


L4TM is capable of stopping phone-home malware traffic using any port or protocol (configurable) that the proxy would not see normally and can thus help protect you from a wide variety of threats that are beyond the scope of a proxy.

I'd recommend spanning the PIX interface (if that sees all outbound traffic) rather than the P1 as P1 might only see HTTP/HTTPS/... traffic that is already scanned by the security features on the proxy.

Best,
Jakob
jowolfer Mon, 04/27/2009 - 16:58

Conorgeraghty,

I'm having a difficult time following the details in your posts. I'm not sure why you would ever need to "double span" interfaces.

You will want the bi-directional span to happen where the WSA T1 will see all traffic (with original Client IPs intact - pre-NAT).

You should be able to span the PIX inside interface and not need further spans, unless you have a separate network that you also need to monitor.

Please be aware that TCP RSTs will be sent out the P1 interface, so if you do monitor multiple networks, you will need the appropriate routes in order to reach the second network.
