That is correct. I am just clarifying to make sure you are using vlan groups and that isn't the source of your first problem. To be honest I am not sure about remote spanned sessions carrying the dot1q header. I am just not sure.
Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: Kingsley Charles [mailto:[email protected]]
Sent: Tuesday, April 27, 2010 1:33 PM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] RSPAN with trunk

Hi Tyson

I am able to monitor local trunk ports without issues. But the issue is when I try to SPAN a trunk port from the other switch using remote vlans.

I will try the ways that you have mentioned.

I wanted to add a point for your question of "Do you have the IPS port setup as a promiscuous VLAN Group port."

If we don't have vlan groups configured, then the vlan number in the event generated will be "0" or the default vlan that you have defined for that interface which is monitoring. With vlan groups the sensor can identify the dot1q tag and the event generated will have the vlan number that was present in the tag.

Please let me know if I am missing something.

With regards
Kings

On Tue, Apr 27, 2010 at 8:58 PM, Tyson Scott <[email protected]> wrote:

For SW1

    monitor session 2 destination interface Fa0/15 encapsulation replicate

Do you have the IPS port setup as a promiscuous VLAN Group port? That is how it would need to be to capture the dot1q headers. You will also need an alternate TCP reset interface.

The VoD shows this in an example, except the trunk traffic is local.

You should probably also increase the system mtu to 1508 to account for the additional VLAN header unless you make VLAN 999 the native vlan on your trunks.

I am not 100% sure but I believe the above should work.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, April 27, 2010 5:49 AM
To: [email protected]
Subject: [OSL | CCIE_Security] RSPAN with trunk

Hi all

I have two switches connected as following:

sw1

    f0/15 - connected to G0/0 of Sensor
    f0/22 - trunk to sw2

    monitor session 2 destination interface Fa0/15 encapsulation dot1q
    monitor session 2 source remote vlan 999

sw2

    f1/0/21 - trunk to sw 1

    monitor session 1 source interface Fa1/0/21
    monitor session 1 destination remote vlan 999

I am trying to capture trunk traffic on sw2, send it through RSPAN 999 to sw1 and then to the sensor connected to sw1's port f0/22. But it doesn't work.

Has anyone tried capturing trunk and sending through RSPAN?

With regards
Kings
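One way to settle what actually reaches the sensor-facing port is to inspect the 802.1Q tag stack of a frame captured there; the following is an added example, not part of the original thread. The frame builder, the function names and the possibility that RSPAN VLAN 999 shows up as an outer tag are assumptions, and the sample frames are constructed.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag protocol identifiers

def parse_vlan_tags(frame: bytes):
    """Return ([(tpid, pcp, dei, vid), ...], inner_ethertype, tag_overhead_bytes)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, tags = 12, []  # skip destination and source MAC addresses
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, next_type = struct.unpack_from("!HH", frame, offset + 2)
        tags.append((ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4  # each tag adds 4 bytes in front of the real EtherType
        ethertype = next_type
    return tags, ethertype, 4 * len(tags)

def describe(frame: bytes, rspan_vlan: int = 999) -> str:
    """Classify a captured frame by which VLAN tags survived to the capture port."""
    vids = [t[3] for t in parse_vlan_tags(frame)[0]]
    if not vids:
        return "untagged"                      # no dot1q header reached the port
    if vids == [rspan_vlan]:
        return "rspan-only"                    # original tag was not preserved
    if vids[0] == rspan_vlan:
        return f"rspan+original:{vids[1]}"     # stacked: RSPAN tag outside, source tag inside
    return f"original:{vids[0]}"               # source VLAN tag visible to the sensor

def build_frame(vids, payload=b"\x45" + b"\x00" * 45):
    """Constructed sample frame: broadcast dst, locally administered src, IPv4 payload."""
    dst, src = b"\xff" * 6, bytes.fromhex("020000000001")
    tags = b"".join(struct.pack("!HH", 0x8100, vid) for vid in vids)
    return dst + src + tags + struct.pack("!H", 0x0800) + payload

if __name__ == "__main__":
    for vids in ([], [10], [999], [999, 10]):
        frame = build_frame(vids)
        print(vids, describe(frame), "overhead:", parse_vlan_tags(frame)[2])
```

Feeding it the raw bytes of frames captured on the destination port shows whether the source VLAN tag survived the RSPAN path, and the overhead figure is the number of bytes the tags add to each frame.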
