<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: IDS and Dot1q in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ids-and-dot1q/m-p/401517#M96313</link>
    <description>&lt;P&gt;Hello&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I don't think there is any requirement for trunks when using an IDS sniffing port. It only uses spanning/remote spanning for capturing packets. It is not going to forward any data traffic/VLAN traffic, which negates the use of a trunk. You can have one sniffing interface for each VLAN or mirror all VLAN traffic onto an interface.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;Raj&lt;/P&gt;</description>
    <pubDate>Mon, 02 May 2005 08:26:20 GMT</pubDate>
    <dc:creator>sachinraja</dc:creator>
    <dc:date>2005-05-02T08:26:20Z</dc:date>
    <item>
      <title>IDS and Dot1q</title>
      <link>https://community.cisco.com/t5/network-security/ids-and-dot1q/m-p/401516#M96312</link>
      <description>&lt;P&gt;Does IDS understand Dot1q? If it does, is there any configuration needed on IDS when it's sniffing multiple vlans? Does the interface on the switch which connects to the sniffing port of the IDS need to have Dot1q trunking configured?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 09:26:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ids-and-dot1q/m-p/401516#M96312</guid>
      <dc:creator>bgrove2913</dc:creator>
      <dc:date>2019-03-10T09:26:00Z</dc:date>
    </item>
    <item>
      <title>Re: IDS and Dot1q</title>
      <link>https://community.cisco.com/t5/network-security/ids-and-dot1q/m-p/401517#M96313</link>
      <description>&lt;P&gt;Hello&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I don't think there is any requirement for trunks when using an IDS sniffing port. It only uses spanning/remote spanning for capturing packets. It is not going to forward any data traffic/VLAN traffic, which negates the use of a trunk. You can have one sniffing interface for each VLAN or mirror all VLAN traffic onto an interface.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;Raj&lt;/P&gt;</description>
      <pubDate>Mon, 02 May 2005 08:26:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ids-and-dot1q/m-p/401517#M96313</guid>
      <dc:creator>sachinraja</dc:creator>
      <dc:date>2005-05-02T08:26:20Z</dc:date>
    </item>
    <item>
      <title>Re: IDS and Dot1q</title>
      <link>https://community.cisco.com/t5/network-security/ids-and-dot1q/m-p/401518#M96314</link>
      <description>&lt;P&gt;The sensor is able to interpret 802.1q trunk headers to tell what VLAN the packet came in on, and will report the VLAN number in the alert.&lt;/P&gt;&lt;P&gt;This feature of the sensor is always on, and no commands are needed.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It is the switch port that would need to be configured as an 802.1q trunk port in order to send trunk packets to the sensor.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For promiscuous mode, making the switch port a trunk port is not enough. In addition, the switch would need to be configured to send traffic to the sensor using SPAN (or VACL Capture if it is a Cat 6500).&lt;/P&gt;&lt;P&gt;The SPAN command may contain additional parameters in order to send the spanned packets with trunk headers.&lt;/P&gt;&lt;P&gt;You will need to read your switch's manuals to determine what commands are needed on your switch.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For inline mode, the easiest scenario is to set up your 2 switches (or a switch and a router or firewall, etc.) to be connected to each other through an 802.1q trunk port.&lt;/P&gt;&lt;P&gt;Once everything is running fine, then place your sensor between the 2 switches in the middle of that 802.1q trunk port.&lt;/P&gt;&lt;P&gt;The sensor will analyze the packets and pass them on without modification. The VLAN header of the packets would be passed through without modification, and the underlying IP packet would be fully analyzed.&lt;/P&gt;</description>
      <pubDate>Mon, 02 May 2005 15:44:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ids-and-dot1q/m-p/401518#M96314</guid>
      <dc:creator>marcabal</dc:creator>
      <dc:date>2005-05-02T15:44:55Z</dc:date>
    </item>
  </channel>
</rss>

