New Member

port SPAN on a Catalyst 2970 for Websense

We have a Websense server connected to a Catalyst 2970, and also a PIX 515 through which outbound HTTP traffic passes for users to surf the web.

The problem is, when I enter the "monitor session 1 destination" command on the interface the Websense server is connected to, we can no longer reach the server.

We had this working on a 2950, but it would occasionally lock up, so we are trying a 2970.

One difference I noticed in the output of "show monitor session 1 detail" is that the Ingress Encapsulation is NATIVE on the 2950, and it shows UNTAGGED on the 2970.

Not sure if that is relevant, and I see no way to manually set that to NATIVE.

Any thoughts?

4 REPLIES
Hall of Fame Super Silver

Re: port SPAN on a Catalyst 2970 for Websense

Hello Gordon,

If you are trying to manage the server using the same port that is the destination of the traffic, this can be a problem.

You need to add an option to enable incoming traffic on the destination port.

Enter ingress with keywords to enable forwarding of incoming traffic on the destination port and to specify the encapsulation type:

• dot1q vlan vlan-id - Accept incoming packets with IEEE 802.1Q encapsulation with the specified VLAN as the default VLAN.

• untagged vlan vlan-id or vlan vlan-id - Accept incoming packets with untagged encapsulation type with the specified VLAN as the default VLAN.

See

http://www.cisco.com/en/US/docs/switches/lan/catalyst2975/software/release/12.2_46_ex/configuration/guide/swspan.html#wp1260596

So if you want to accept untagged frames from the destination port, use ingress untagged.

Hope to help

Giuseppe

New Member

Re: port SPAN on a Catalyst 2970 for Websense

I tried:

switch# monitor session 1 destination interface gig 0/23 ingress vlan 41

VLAN 41 being the VLAN that the Websense and the firewall are both on.

This also kills our ability to reach the Websense server.

Hall of Fame Super Silver

Re: port SPAN on a Catalyst 2970 for Websense

Hello Gordon,

Have you also tried ingress untagged vlan 41?

Hope to help

Giuseppe

New Member

Re: port SPAN on a Catalyst 2970 for Websense

Giuseppe,

I have tried untagged, dot1q, and plain vlan 41.

This worked on the 2950, but doesn't work on the 2970, which is at a newer IOS version.

The only difference I can see between the two switch configs is the Ingress encapsulation.
