Re: L4 Traffic Mon

AndrewR_ironport · ‎09-18-2008

Does the traffic monitor support Cisco ports in spanned mode? We're trying to get it set up here, but not getting a lot of traffic picked up..

angfeglandagan · ‎09-18-2008

Hi,

There are two ways of doing L4 monitoring..

Simplex - single interface for both in and out - interface is T1

Duplex - 2 interfaces involved T1 - in and T2 - out..

Normally a mirror port is configured where the t1 and t2 were connected..

to mirror and sniff traffic in and out of the network... or firewall...

kira

jowolfer · ‎09-18-2008

Kira,

You have the correct idea, but your terms are switched:

Duplex tap = both directions of traffic on a single interface.
Simplex tap = using T1 for outbound and T2 for inbound traffic.

An example of the Cisco syntax for duplex L4TM is:

In and out traffic from fa1/1:
(config)# monitor session 1 source interface fa1/1 both

Spanned to the WSA T1 interface:
(config)# monitor session 1 destination interface fa1/39

jowolfer · ‎09-18-2008

Another small tidbit:

In duplex tap mode, the WSA can actually accept two bi-directional spans: One sent to T1, the other sent to T2.

Undocumented feature :wink:

jowolfer · ‎09-18-2008

Andrew,

Another thought came up. I wanted to make sure that you are aware the the L4TM will only log bad traffic. So you won't see all the traffic in the trafmon logs, like you would in the access logs.

If you are trying to verify that the L4TM is working, I recommend telnetting from your client to www DOT ieplugin DOT com.

Please do NOT go there with your browser - it is a malware propagation site.

If the span is working properly, the WSA should see this traffic and log it in the trafmon logs.

AndrewR_ironport · ‎09-19-2008

Thanks for the info! I'll try and give it another go today, if not next week..