I'm a little uncertain of what vlan number to use, do I simply pick a not used number? The only now existing reference to a vlan in the running-config are these lines:

interface Vlan1

ip address 10.68.12.71 255.255.252.0

no ip route-cache

Thanks! :)

Regards, Jonas

Is it similar to "inpkts" in CatOS version?.

I think we can choose the ingress vlan to the same subnet as the websense.

Dunnu, but I guess I should pick vlan 1 since we only have one subnet :)

Hello,

I tried doing

monitor session 1 destination interface fa 0/17 ingress vlan 1

But it wouldn't accept that, it appears I can't add anything after "0/17" :(

Any ideas? Do I have an old version or why don't I have any option after "monitor session 1 destination interface fa 0/17" ?

Hi,

what about your monitor source interface.

can u post the complete command . i tried in my switch and working fine.

Vj

Hi,

This is what I do to monitor the source:

"monitor session 1 source interface fastEthernet 0/24 both"

adding a questionmark after this gives me the option "" so that seems to be the end of the line.

when I do:

monitor session 1 destination interface fastEthernet 0/17 ?

it also tells me "" so that seem to be it as well

From what I can tell there's no other valid options :(

Model:WS-C2950T-24

Version (stated in running-config): 12.1

If I use the web config and click up the help this information is available:

"Optional for Catalyst 3550 switches: If you checked a trunk port in the table or selected a trunk port from the Egress Source (Monitored) Interface list, you can limit monitoring to certain VLANs by specifying the VLAN IDs in the VLAN Filter field. Separate VLAN IDs with a comma, and use a hyphen to indicate consecutive IDs. For example: 1,3-5"

Is this what we're trying to do? Do you also have a 2950 switch or a 3550?

I have the exact same scenario and I can tell you that the only way it will work is to add a second NIC to the Websense server. Once you have the second NIC installed, then you can setup the monitor session on the 2950 as you tried:

monitor seesion 1 source interface f0/4

monitor session 1 destination interface f0/5

Where port 4 is the port the firewall is connected to and port 5 is the port the second NIC in Websense is connected to.

I have had this working for some time, if you need any help with it, let me know.

Please post what you have. Are you saying that you have to enable routing on your websense server? What is your NIC-1 plugged into? And for what purpose?

Thanks!

I will answer both replies here.

You don't necessarily have to enable routing, just install a second NIC. Since this NIC is connected to the span port, it will have no network connectivity, so you do not need to configure the NIC in windows (other than the driver and maybe speed settings). Most of the config is on the Websense side. Below is the body of the email I received from Websense Tech Support about how to setup that side of it:

***

The configuration you describe would require 2 NICs on the Websense server and can be accomplished as follows:

On the Websense Server, NIC1 is connected to a regular port on the switch. This would be used for the PIX to connect to Websense and for Websense to both respond to the PIX and send logging information to Log Server.

Configure NIC2 to be connected to the spanned port on the switch.

In the Websense Manager, configure the Network Agent (via Server | Settings | Network Agent) to monitor traffic on NIC2 and ignore traffic on NIC1 (highlight NIC1 or NIC2, click Edit Selection, and select Yes or No to monitor traffic as needed.)

Within the same configuration, on the 4th window, there will be an entry at the bottom for which NIC the Network Agent should use to send block information.

- If the spanned port on the switch is bidirectional, then set this to NIC2

- if the spanned port is not bidirectional, or you are not sure, set this to NIC1.

Save the settings and you should be able to filter traffic properly from both the PIX and the Network Agent.

***

As for Windows showing the cable disconnected, this should not happen. It could possibly be a speed / duplex setting wrong that would cause that, but Windows should see it connected and pretty much constantly receiving traffic.

Nice to hear someone with the same scenario :) But we already have 2 NICs and I did try using both actually. The problem was that when I was installing the network agent it would only allow me to select the NIC with a connection since the other NIC, connected to the destination port would show "cable unplugged". Did your NIC that was connected to the destination port also show up as "unplugged" in windows?