SPANing multiple ports

Jul 11th, 2003

Currently we have a hub for our DMZ and I wanted to VLAN off some servers that have no reason to communicate. But we also need to monitor (IDS) all traffic within the DMZ. How could I achieve this - SPAN multiple ports, trunking, or please suggest any other method and the requirements to accomplish it. Thanks

t.baranski Sat, 07/12/2003 - 10:55

Did you mean switch instead of hub? You don't see multiple VLANs in a DMZ all that often because each VLAN requires its own subnet. The methods I've used on Cisco switches are PVLANs (if your switch supports it), the "protected port" feature, and access lists applied to individual switch ports.

You can, however, generally SPAN multiple VLANs to a single port if you choose to go that route.

A11055 Mon, 07/14/2003 - 11:27

Thanks for the response. I did mean hub and don't know if this is the best solution to protect my DMZ. It sounds like your suggestion would be much simpler than having 5 VLANs with 5 different subnets. Do you have any sample configs or documentation on PVLANs and the "protected port" feature?

t.baranski Mon, 07/14/2003 - 17:20

The reason I asked if you meant hub or switch is because the features you mentioned are specific to switches. PVLANs and protected ports are specific to Cisco switches, in fact, though similar features may exist in other implementations.

A good article on securing DMZs and PVLANs is here: http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml. You can find more on configuring this stuff in a given switch's documentation (e.g., protected port information is at http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a008014f36b.html#1029319 for Cat3550s). Note that protected ports are essentially a cut-down version of PVLANs for some of the lower-end members of Cisco's switch product line.
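To make the two suggestions in this thread concrete (the "protected port" feature from the reply above and SPANing several ports or VLANs to one IDS port from the earlier reply), here is an added Cisco IOS configuration example. It is not from the thread or from Cisco's documentation; the interface numbers, VLAN 10 and the server roles are constructed assumptions for a single switch such as a Cat3550.

```cisco
! Added example, not from this thread. One Cisco IOS switch (e.g. a Cat3550);
! interface numbers, VLAN 10 and the server roles are constructed assumptions.
!
! --- DMZ server ports: keep servers from talking to each other ---
! "switchport protected" stops protected ports on this switch from exchanging
! unicast, multicast or broadcast traffic with one another. They can still
! reach unprotected ports, such as the firewall-facing port further down.
interface FastEthernet0/1
 description DMZ web server (constructed)
 switchport mode access
 switchport access vlan 10
 switchport protected
!
interface FastEthernet0/2
 description DMZ mail server (constructed)
 switchport mode access
 switchport access vlan 10
 switchport protected
!
! --- Firewall-facing port: left unprotected so every server can reach it ---
interface FastEthernet0/12
 description DMZ firewall inside interface (constructed)
 switchport mode access
 switchport access vlan 10
!
! --- SPAN: copy traffic from all DMZ server ports to the IDS sensor port ---
! Several source interfaces feed one destination port. On switches that
! support VLAN-based SPAN, "source vlan 10" can replace the interface list.
monitor session 1 source interface FastEthernet0/1 - 2 both
monitor session 1 destination interface FastEthernet0/24
!
! Checks after applying:
!   show interfaces FastEthernet0/1 switchport   (look for "Protected: true")
!   show monitor session 1                       (confirms sources and destination)
```

Two caveats worth knowing before relying on this: protected ports only isolate ports on the same switch, so if the DMZ spans more than one switch the isolation does not carry across the trunk, which is where PVLANs come in; and a SPAN destination port stops forwarding normal traffic, so the IDS port should carry nothing but the sensor.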