As you are capturing them on the vlan and not the interface they will not have the header.
Now if you were actually capturing on the port then it would include the header. Which would mean that you would have to use VLAN Groups on the IPS for the port.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.

From: [email protected] On Behalf Of Kingsley Charles
Sent: Monday, April 12, 2010 8:57 AM
To: [email protected]
Subject: [OSL | CCIE_Security] RSPAN with trunk and IPS

Hi all

Please share your thoughts:

I have tried pushing various vlans as source into the remote vlan but never tried a dot1q traffic to remote vlan. Has anyone tried it?

The above config pushes trunk traffic to remote vlan 999.

With rspan and the following config, vlan 1 and 2 will be pushed into remote 999 and on remote switch, vlan 1 and 2 will be tagged as vlan 999 not 1 and 2 on f1/0/2

sw1
    monitor session 1 source vlan 1,2
    monitor session 1 destination remote vlan 999

sw 2
    monitor session 1 source remote vlan 999
    monitor session 1 destination interface f1/0/2 encapsulation dot1q

With following config, will the traffic be sent to the remote vlan as dot1q tagged traffic or individual vlans are sent? How will it be seen on the remote switch sw2?

sw 1
    interface f0/1
     switchport mode trunk
    monitor session 1 source interface f0/1
    monitor session 1 destination remote vlan 999

sw 2
    monitor session 1 source remote vlan 999
    monitor session 1 destination interface f1/0/2 encapsulation dot1q

With regards
Kings
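One way to check empirically which VLAN tag, if any, frames carry when they arrive at the monitoring port (f1/0/2 in the thread) is to parse the 802.1Q header of captured frames. This is an added example, not part of the original thread; the function names and the sample frames (VLAN IDs 1, 2 and 999 taken from the configs above) are constructed for illustration, and in practice the raw frames would come from a capture taken on the sensor interface.

```python
import struct
from collections import Counter

TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad (stacked) tag identifiers

def vlan_tags(frame: bytes):
    """Return (VLAN IDs, outermost first; payload EtherType) for one frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, tags = 12, []  # EtherType/TPID follows the two 6-byte MACs
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return tags, ethertype

def summarize(frames):
    """Count frames per outer VLAN ID; untagged frames are keyed by None."""
    counts = Counter()
    for frame in frames:
        tags, _ = vlan_tags(frame)
        counts[tags[0] if tags else None] += 1
    return dict(counts)

def build(vlans, ethertype=0x0800):
    """Construct a sample frame with the given tag stack (test data only)."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    for vid in vlans:
        hdr += struct.pack("!HH", 0x8100, vid)
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 46

# Constructed samples: untagged, tagged 1, 2, 999, and 999 stacked over 2.
SAMPLES = [build([]), build([1]), build([2]), build([999]), build([999, 2])]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(vlan_tags(sample))
    print(summarize(SAMPLES))
```

The per-VLAN counts show at a glance whether the sensor sees the original VLAN IDs, the RSPAN VLAN, or untagged frames, which is what decides whether VLAN Groups on the IPS can separate the traffic.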
