Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

SPANing multiple ports

currently have a hub for our DMZ and I wanted to VLAN off some severs that have no reason to communicate. But we also need to monitor (IDS) all traffic within the DMZ. How could I achieve this - SPAN multiple ports, trunking, or please suggest any other method and requirements to accomplish. Thanks


Re: SPANing multiple ports

Did you mean switch instead of hub? You don't see multiple VLANs in a DMZ all that often because each VLAN requires its own subnet. The methods I've used on Cisco switches are PVLANs (if your switch supports it), the "protected port" feature, and access lists applied to individual switch ports.

You can, however, generally SPAN multiple VLANs to a single port if you choose to go that route.

New Member

Re: SPANing multiple ports

Thanks for the response. I did mean hub and don't know if this is the best solution to protect my DMZ. It sounds like your suggestion would be much simpler than having 5 VLANs with 5 different subnets. Do you have any sample config's or documentations on PVLANs and "protected port" feature.


Re: SPANing multiple ports

The reason I asked if you meant hub or switch is because the features you mentioned are specific to switches. PVLANs and protected ports are specific to Cisco switches, in fact, though similar features may exist in other implementations.

A good article on securing DMZ's and PVLANs is here: You can find more on configuring this stuff in a given switch's documentation (e.g., protected port information is at for Cat3550's). Note that protected ports are essentially a cut-down version of PVLANs for some of the lower-end members of Cisco's switch product line.

CreatePlease to create content