This is the setup, I hope anyone interested in reading this can follow:
I have a DMZ switch that holds all the DMZ interfaces for two PIX firewalls (four on each PIX), along with the outside interfaces of those PIX firewalls and the edge router interface. The DMZ switch has an interface in the inside network "switch" VLAN, everything else in this switch is in VLAN1.
There is an inside router that connects to this switch via a GBIC connector. The inside router is a 7206 and its inside interface is connected to the DMZ switch.
There is a core 6509 switch that also connects to the DMZ switch via the other GBIC connector. This is a trunk link up to the DMZ switch, the trunk carries all VLANs.
Each device is in its own VLAN, so the core switch SVI is the only other thing in the router VLAN with the router interface.
The router gets to the SVI on the core switch through the DMZ switch.
The core switch is the default gateway for all VLANs.
Number one, it seems to me that this is not a very good setup, going through the DMZ switch like this as a passthrough from the core switch to the router.
I made a change to remove a VLAN from a configured SPAN session that is on the core 6509 switch and it shut down the port from the DMZ switch to the 7206 router, and hosed up the OSPF process in the PIX firewall in the DMZ switch.
The SPAN session is mirroring ALL VLANs to a port for the IDS to monitor. I removed the existing SPAN session, removed one VLAN, and reconfigured it back exactly as it was, minus the one VLAN.
I guess my questions are:
Is it dangerous (unstable) to mirror all ports (user traffic, routers, switches) to a single port like this for IDS purposes?
I know it was an STP issue, but I can't really find what exactly happened.
Does it seem to you guys like this needs to be redesigned for a better and safer logical layout?
Not sure what the issue was, but the following is right out of Cisco docs.
"Destination ports never participate in any spanning tree instance. Local SPAN includes BPDUs in the monitored traffic, so any BPDUs seen on the destination port are from the source port. RSPAN does not support BPDU monitoring."
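For readers following the thread, here is an added illustration (not posted by either participant) of what a local SPAN session of the kind described looks like in Cisco IOS on a Catalyst 6500, together with the checks a cautious operator would run before and after removing one source VLAN. Session number, VLAN numbers and interface names are placeholders chosen for the example, not values from the original post.

```cisco
! --- Added example: local SPAN session mirroring several VLANs to an IDS port.
! --- Placeholders: session 1, VLANs 10-40, Gi2/1 (IDS port), Gi1/1 (trunk to DMZ switch).

! Record the baseline before touching anything: which ports are forwarding/blocking per VLAN.
show monitor session 1
show spanning-tree vlan 10
show spanning-tree interface GigabitEthernet1/1 detail

! Remove a single source VLAN from the existing session instead of deleting and
! recreating the whole session. This leaves the destination port and the other
! sources untouched while the change is applied.
configure terminal
 no monitor session 1 source vlan 20
end

! If the session must be rebuilt from scratch, this is the full definition.
! Note the destination interface: once it is a SPAN destination it stops
! participating in spanning tree and stops forwarding normal traffic.
configure terminal
 monitor session 1 source vlan 10 , 30 - 40
 monitor session 1 destination interface GigabitEthernet2/1
end

! Verify: the session shows the intended sources/destination, the trunk to the
! DMZ switch is still forwarding, and the IDS port is the only non-STP port.
show monitor session 1
show spanning-tree interface GigabitEthernet1/1 detail
show spanning-tree summary
show logging | include SPANTREE|LINK
```

Comparing the "show spanning-tree" output captured before the change with the output captured afterwards is the quickest way to see which port or VLAN transitioned; "show logging" narrows it to the moment the session was reconfigured.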