https://community.cisco.com/t5/web-security/l4-traffic-mon/m-p/1117841#M425 <P>Does the traffic monitor support Cisco ports in spanned mode? We're trying to get it set up here, but not getting a lot of traffic picked up..</P> Thu, 18 Sep 2008 17:14:33 GMT AndrewR_ironport 2008-09-18T17:14:33Z https://community.cisco.com/t5/web-security/l4-traffic-mon/m-p/1117841#M425 <P>Does the traffic monitor support Cisco ports in spanned mode? We're trying to get it set up here, but not getting a lot of traffic picked up..</P> Thu, 18 Sep 2008 17:14:33 GMT https://community.cisco.com/t5/web-security/l4-traffic-mon/m-p/1117841#M425 AndrewR_ironport 2008-09-18T17:14:33Z https://community.cisco.com/t5/web-security/l4-traffic-mon/m-p/1117842#M426 <HTML><HEAD></HEAD><BODY><P>Hi, <BR /><BR /> There are two ways of doing L4 monitoring..<BR /><BR /> Simplex - single interface for both in and out - interface is T1 <BR /><BR /> Duplex - 2 interfaces involved T1 - in and T2 - out..<BR /><BR />Normally a mirror port is configured where the t1 and t2 were connected..<BR /><BR />to mirror and sniff traffic in and out of the network... or firewall...<BR /><BR />kira</P></BODY></HTML> Thu, 18 Sep 2008 20:13:09 GMT https://community.cisco.com/t5/web-security/l4-traffic-mon/m-p/1117842#M426 angfeglandagan 2008-09-18T20:13:09Z https://community.cisco.com/t5/web-security/l4-traffic-mon/m-p/1117843#M427 <HTML><HEAD></HEAD><BODY><P>Kira,<BR /><BR />You have the correct idea, but your terms are switched:<BR /><BR />Duplex tap = both directions of traffic on a single interface.<BR />Simplex tap = using T1 for outbound and T2 for inbound traffic. <BR /><BR />An example of the Cisco syntax for duplex L4TM is:<BR /><BR /><I>In and out traffic from fa1/1:</I><BR />(config)# monitor session 1 source interface fa1/1 <B>both</B><BR /><BR /><I>Spanned to the WSA T1 interface:</I><BR />(config)# monitor session 1 destination interface fa1/39</P></BODY></HTML> Thu, 18 Sep 2008 22:31:48 GMT https://community.cisco.com/t5/web-security/l4-traffic-mon/m-p/1117843#M427 jowolfer 2008-09-18T22:31:48Z https://community.cisco.com/t5/web-security/l4-traffic-mon/m-p/1117844#M428 <HTML><HEAD></HEAD><BODY><P>Another small tidbit:<BR /><BR />In duplex tap mode, the WSA can actually accept two bi-directional spans: One sent to T1, the other sent to T2. <BR /><BR />Undocumented feature :wink:</P></BODY></HTML> Thu, 18 Sep 2008 22:33:27 GMT https://community.cisco.com/t5/web-security/l4-traffic-mon/m-p/1117844#M428 jowolfer 2008-09-18T22:33:27Z https://community.cisco.com/t5/web-security/l4-traffic-mon/m-p/1117845#M429 <HTML><HEAD></HEAD><BODY><P>Andrew, <BR /><BR />Another thought came up. I wanted to make sure that you are aware the the L4TM will only log <B>bad</B> traffic. So you won't see all the traffic in the trafmon logs, like you would in the access logs. <BR /><BR />If you are trying to verify that the L4TM is working, I recommend telnetting from your client to www DOT ieplugin DOT com. <BR /><BR /><B>Please do NOT go there with your browser - it is a malware propagation site.</B><BR /><BR />If the span is working properly, the WSA should see this traffic and log it in the trafmon logs.</P></BODY></HTML> Thu, 18 Sep 2008 22:36:30 GMT https://community.cisco.com/t5/web-security/l4-traffic-mon/m-p/1117845#M429 jowolfer 2008-09-18T22:36:30Z https://community.cisco.com/t5/web-security/l4-traffic-mon/m-p/1117846#M430 <HTML><HEAD></HEAD><BODY><P>Thanks for the info! I'll try and give it another go today, if not next week..</P></BODY></HTML> Fri, 19 Sep 2008 19:16:05 GMT https://community.cisco.com/t5/web-security/l4-traffic-mon/m-p/1117846#M430 AndrewR_ironport 2008-09-19T19:16:05Z