Hi Tyson I am able to monitor local trunk ports without issues. But the issue is when I try to SPAN trunk port from other switch using remote vlans
I will try the ways that you have mentioned. I wanted to add a point for your question of "Do you have the IPS port setup as a promiscuous VLAN Group port." If we don't have vlan groups configured, then the vlan number in the event generated will be "0" or the default vlan that you have defined for that interface which is monitoring . With vlan groups the sensor can identify the dot1q tag and the event generated will have the vlan number that was present in the tag. Please let me know, if I am missing something. With regards Kings On Tue, Apr 27, 2010 at 8:58 PM, Tyson Scott <[email protected]> wrote: > For SW1 > > monitor session 2 destination interface Fa0/15 encapsulation replicate > > > > Do you have the IPS port setup as a promiscuous VLAN Group port. That is > how it would need to be to capture the dot1q headers. You will also need an > alternate TCP reset interface. > > > > The VoD shows this in example except the trunk traffic is local > > > > You should probably also increase the system mtu to 1508 to account for the > additional VLAN header unless you make VLAN 999 the native vlan on your > trunks. > > > > I am not 100% sure but I believe the above should work. > > > > Regards, > > > > Tyson Scott - CCIE #13513 R&S, Security, and SP > > Technical Instructor - IPexpert, Inc. > > Mailto: [email protected] > > Telephone: +1.810.326.1444, ext. 208 > > Live Assistance, Please visit: www.ipexpert.com/chat > > eFax: +1.810.454.0130 > > > > IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, > Audio Tools, Online Hardware Rental and Classroom Training for the Cisco > CCIE (R&S, Voice, Security & Service Provider) certification(s) with > training locations throughout the United States, Europe, South Asia and > Australia. Be sure to visit our online communities at > www.ipexpert.com/communities and our public website at www.ipexpert.com > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Kingsley Charles > *Sent:* Tuesday, April 27, 2010 5:49 AM > *To:* [email protected] > *Subject:* [OSL | CCIE_Security] RSPAN with trunk > > > > Hi all > > > > I have two switches connected as following: > > > > *sw1 * > > > > f0/15 - connected to G0/0 of Sensor > > f0/22 - trunk to sw2 > > > > monitor session 2 destination interface Fa0/15 encapsulation dot1q > monitor session 2 source remote vlan 999 > > > > *sw2* > > > > f1/0/21 - trunk to sw 1 > > > > monitor session 1 source interface Fa1/0/21 > monitor session 1 destination remote vlan 999 > > > > > > I am trying capture trunk traffic on sw2, send it through RSPAN 999 to sw1 > and then to sensor connected to sw1's port f0/22. > > > > But it doesn't work. Has anyone tried capturing trunk and sending through > RSPAN. > > > > > > > > With regards > > Kings >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
