Re: T1 and SPAN

conorgeraghty_ironport · ‎04-27-2009

If my P1 and T1 ports are in full duplex mode and both ports are on the same LAN (VLAN) as my PIX (inside interface) to Internet - Why do I need to SPAN one cisco port to another if all 3 interfaces (P1, T1 & PIX) see all inbound/outbound traffic?
If SPAN is mandatory, what interface do a SPAN to the T1 port?

conorgeraghty_ironport · ‎04-27-2009

Of course - traffic bound for the PIX won't been seen by T1 because it's MAC address is different - THAT'S why I need to SPAN - DOH! :roll:

I am migrating networks onto my S160 so I assume I will need to SPAN the P1 port on the Ironport and NOT the inside port of my PIX :oops:

jdohrman · ‎04-27-2009

I am migrating networks onto my S160 so I assume I will need to SPAN the P1 port on the Ironport and NOT the inside port of my PIX  :oops:

L4TM is capable of stopping phone-home malware traffic using any port or protocol (configurable) that the proxy would not see normally and can thus help protect you from a wide variety of threads that are beyond the scope of a proxy.

I'd recommend spanning the PIX interface (if that sees all outbound traffic) rather then the P1 as P1 might only see HTTP/HTTPS/... traffic that is already scanned by the security features on the proxy.

Best,
Jakob

jowolfer · ‎04-27-2009

Conorgeraghty,

I'm having a difficult time following the details in your posts. I'm not sure why you would ever need to "double span" interfaces.

You will want the bi-directional span to happen where the WSA T1 will see all traffic (with original Client IPs intact - pre-NAT).

You should be able to span the PIX inside interface and not need further spans, unless you have a separate network that you also need to monitor.

Please be aware that TCP RSTs will be sent out the P1 interface, so if you do monitor multiple networks, you will need the appropriate routes in order to reach the second network.