If at least one of the switches is RSPAN capable, why not do that? Plug the IDS into switch1 and do SPAN on it, but do an RSPAN on switch2 over to switch1 so when failover occurs you still sniff the firewall traffic. Take a look at this link.
I did go through the RSPAN documentation. There are only 2 ethernet interfaces on my IDS sensor, which means there is only one destination port I can configure on switch1.
I have no problem configuring RSPAN in switch1, but when I try to configure the second RSPAN connection to the same destination port, the switch does not accept the command and gives me an error saying it is not allowed to have the same destination port.
If it so happens that you have a working configuration, could you share the configuration? Thanks.
I am remote at the moment and do not have access to a config.
If memory serves, on Switch1 do a SPAN that includes the PIX port and one open port. On Switch2 do an RSPAN and plug the port into the open port on Switch1. I think this should do it. Anyone else wanna chime in?
Just thought about it. You might be able to do this w/o RSPAN if you are having trouble with it. Do SPAN on switch1 with the PIX port and include an open port. Do SPAN on switch2 and plug the destination port into the open port on switch1. I think that should work as well.
I'm using Catalyst 4507 (IOS) with RSPAN features.
The set command can bind to RSPAN vlan and the source port as well.
In IOS, I can only specify the RSPAN VLAN alone as the source. If I create another session for the source using a physical interface, then it is not accepted and says "cannot add port as source for session - a rspan destination session".
So you see that you need to create SPAN sessions on each switch with the source being the real ports or VLANs and the destination being the RSPAN VLAN.
And then a second span session on the switch with the sensor where the RSPAN itself is the Source and the sensor the Destination.
If you try the above and it does not work, then please paste in the appropriate lines from your switch configuration for the vlans or ports you want to monitor, and the configured span sessions. And then paste in a copy of where you attempt to modify the sessions and receive your error.
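Laying out the split described above as one concrete configuration (an added example, not taken from the thread), assuming Catalyst IOS syntax, VLAN 900 as the RSPAN VLAN, the PIX connected to Gi1/1 on each switch, the sensor on Gi1/10 of Switch1, and that Switch1 may act as both RSPAN source and destination for that VLAN:

```cisco
! Both switches: define the RSPAN VLAN (it must also be allowed on the
! trunk between the switches). Assumed VLAN number: 900.
vlan 900
 name RSPAN-to-IDS
 remote-span
!
! ---- Switch2 (other firewall port) ----
! Send the PIX port's traffic into the RSPAN VLAN toward Switch1.
monitor session 1 source interface GigabitEthernet1/1 both
monitor session 1 destination remote vlan 900
!
! ---- Switch1 (sensor attached to Gi1/10) ----
! Session 1: the local PIX port feeds the same RSPAN VLAN.
! The physical port goes into its own session whose destination is the
! RSPAN VLAN; it is NOT added as a source of the RSPAN destination
! session below, which is what produced the
! "cannot add port as source for session" error.
monitor session 1 source interface GigabitEthernet1/1 both
monitor session 1 destination remote vlan 900
!
! Session 2: everything arriving on the RSPAN VLAN (from both switches)
! is copied to the single sensor port.
monitor session 2 source remote vlan 900
monitor session 2 destination interface GigabitEthernet1/10
!
! Verify on each switch that the sessions and the RSPAN VLAN are active.
show monitor session all
show vlan remote-span
```

Keep the RSPAN VLAN free of access ports: its traffic is flooded across the trunk, so any host placed in it would see the firewall's mirrored traffic.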