Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Layer 3 Switched Network and IDS

I am looking at moving from a L2 switched network to a L3 switched network at my access layer. In this design my access layer can consist of 3560, 3750, or 4500 switches with layer 3 links to my distribution or my core.

My issue is that in the L2 access model it is easy to monitor all traffic as the root is of the core switch.

When I move to a L3 access model is there a way to monitor all the traffic at the acccess switches without deploying IDS to each access closet?

Current requirements are to monitor user traffic as close the access port as possible.

Also are there any issues if I montor the L3 links between the access and distribution via IDS with L3 routing and loadbalancing in place?

Thanks in advance.


Re: Layer 3 Switched Network and IDS

This comes up quite often and its a bit of a tricky one. We all know that a neatly structured Layer-3 network is much easier to maintain and troubleshoot, however SPAN and IDS require a Layer-2 path to the port you want to monitor. In a nice Layer-3 network you can't just attach your IDS to the core and then SPAN a port like you could with a flat network where the core terminates all the Layer-3 VLANs and the uplinks from the access-layer are purely layer-2.

If its a permanent thing - i.e. your IDS is monitoring a specific link then I would dedicate an IDS for this and position it where the switch/port is you want to monitor. If its a dynamic thing where you want to monitor different ports at different times then there are a couple of options.

One is ERSPAN, however this is only supported on the higher-end switches (6500's only I think?). Another option is RSPAN with either dedicated Layer-2 links from your access-layer to either a dedicated monitoring switch or your core where you can position the IDS. Or instead of using Layer-3 links from the Access-Layer to the Distribution/Core make these trunks with two VLANs - the routed Layer-3 VLAN and the RSPAN VLAN.

I know the trunk option sounds like a backwards step as you have eliminated the need for trunks between the access layer and the distribution, however the other option is dedicated Layer-2 links for RSPAN but this can get expensive.

It would make sense if ERSPAN was added to the lower-end switches but I have no idea if this is on the roadmap or not?

As for monitoring the Layer-3 links this will work but if you have Equal-Cost paths then you might only see half the traffic due to asymetric routing.



CreatePlease to create content