Understand that the serial interfaces in the user's configuration do not have vlans assigned to them. However, the switch will internally assign them a "hidden" vlan, and the IP address assigned to the serial interface is actually assigned to the "hidden" vlan.
The IDSM-2 needs to monitor this "hidden" vlan. But since you don't know what vlan number is used, you have to tell the IDSM-2 to watch All vlans to ensure it monitors the one the switch decided to use.
So the IDSM-2 needs to monitor the "hidden" vlan assigned to the serial interface.
It must ALSO, however, monitor any vlan to which that traffic may be routed.
If traffic comes in the serial interface on the "hidden" vlan and gets routed to vlan 20, for example, then the IDSM-2 must monitor the "hidden" vlan as well as vlan 20.
Even though the VACL is only applied to the serial interface (actually applied to the "hidden" vlan), the IDSM-2 still has to have vlan 20 in its allowed-vlan list for the capture port.
So setting "allowed-vlan" to 1-4094 ensures you monitor whichever vlan the switch chooses for the "hidden" vlan as well as ensuring that the IDSM-2 also monitors any vlan to which the traffic may be routed.
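
An added illustration of the point above, not configuration from the original thread: a Catalyst IOS VACL-capture fragment contrasting a restricted allowed-vlan list with the 1-4094 setting. The module slot (5), data port (1), serial interface name, and the ACL and access-map names are assumptions.

```cisco
! Constructed example. Slot 5, data-port 1, Serial3/0/0 and the names
! MATCH-ALL / IDS-CAPTURE are assumptions, not values from the thread.
ip access-list extended MATCH-ALL
 permit ip any any
!
vlan access-map IDS-CAPTURE 10
 match ip address MATCH-ALL
 action forward capture
!
! The VACL is applied to the serial (WAN) interface, which in practice
! means it is applied to the "hidden" vlan the switch assigned to it.
vlan filter IDS-CAPTURE interface Serial3/0/0
!
! Make the IDSM-2 data port the capture port.
intrusion-detection module 5 data-port 1 capture
!
! Too narrow: only vlan 20 is allowed on the capture port, so traffic on
! the "hidden" vlan behind the serial interface never reaches the sensor.
! intrusion-detection module 5 data-port 1 capture allowed-vlan 20
!
! Setting described above: allow every vlan, which covers the "hidden"
! vlan (whatever number the switch chose) and any vlan the traffic is
! routed to, such as vlan 20.
intrusion-detection module 5 data-port 1 capture allowed-vlan 1-4094
```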