All the ports in the source VLAN on this one switch become source ports.
This includes both your standard Access ports for that VLAN, as well as traffic on that VLAN that is being sent in/out of Trunk ports carrying that VLAN.
Let's say you have machine A in vlan 10 connected to switch 1.
Switch 1 is connected to switch 2 with a trunk port carrying multiple vlans including 10.
Machines B and C are connected to switch 2 in vlan 10.
I do a Span of "rx" traffic for vlan 10 within switch 1.
If machine A talks to machine B (or machine C), then the packets from A will be received in vlan 10 on switch 1 and will be spanned (they will then be sent through the trunk to switch 2 and machine B).
The packets from machine B (or C) back to A will come in on vlan 10 in switch 2 (no span yet), and then be sent through the trunk into switch 1. When they come in the trunk they are now received on vlan 10 in switch 1 so they will be spanned (they will then be sent to machine A).
But for packets from machine B to C, all of the packets go into and back out of switch 2, so they will never be seen by the Span in switch 1.
So what are your options:
1) Use 2 sensors, one monitoring switch 1 span traffic, and the other monitoring switch 2 span traffic.
2) Instead of using a local Span, you can use RSpan (Remote Span) if your switches support it.
With Rspan it is like designating a Span in switch 1 and an additional Span in switch 2. Instead of having a single destination port for each rspan, the rspan actually has a destination vlan. This destination vlan is a special vlan that carries the span traffic. You then set up the sensor port as a member/destination for this rspan vlan. The switches can then transmit "rspan" traffic on this rspan vlan between the switches so a single sensor can monitor both. The trunk between the switches must trunk this special rspan vlan for this to all work.
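The coverage reasoning in the answer above, as a small model. This is an added example, not part of the original posts; the function names are hypothetical, the hosts and switches are the ones from the post, and it models only "rx" VLAN SPAN on two directly trunked switches.

```python
from itertools import permutations

# Constructed topology from the post: A on switch 1, B and C on switch 2,
# with one trunk between the switches carrying VLAN 10.
HOST_SWITCH = {"A": "sw1", "B": "sw2", "C": "sw2"}


def ingress_switches(src, dst):
    """Switches on which a frame from src to dst is *received* in VLAN 10."""
    first, last = HOST_SWITCH[src], HOST_SWITCH[dst]
    # Received on the access port of the sender's switch, and received again
    # on the trunk port of the far switch if the frame has to cross the trunk.
    return [first] if first == last else [first, last]


def rx_span_copies(flows, span_switches):
    """Copies of each flow that an rx VLAN SPAN hands to the sensor(s)."""
    return {
        (src, dst): sum(sw in span_switches for sw in ingress_switches(src, dst))
        for src, dst in flows
    }


def blind_spots(flows, span_switches):
    """Flows the sensor never sees."""
    copies = rx_span_copies(flows, span_switches)
    return sorted(flow for flow, n in copies.items() if n == 0)


def duplicated(flows, span_switches):
    """Flows the sensor sees more than once."""
    copies = rx_span_copies(flows, span_switches)
    return sorted(flow for flow, n in copies.items() if n > 1)


FLOWS = list(permutations(HOST_SWITCH, 2))  # every ordered host pair

if __name__ == "__main__":
    for label, spans in (("local SPAN on sw1", {"sw1"}),
                         ("VLAN 10 sourced on sw1 and sw2", {"sw1", "sw2"})):
        print(label)
        print("  never seen :", blind_spots(FLOWS, spans))
        print("  seen twice :", duplicated(FLOWS, spans))
```

In this model, sourcing VLAN 10 on both switches closes the B-to-C gap, but every flow that crosses the trunk is copied once per switch, so the sensor receives those packets twice.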
The only limit that I know of is bandwidth and drop packet tolerance. I have had as many as 96 source ports configured before I discovered vlan sourcing; then I saw how many dropped packets there were because of overtaxing the IDS. Solution: more sensors.