01-29-2004 01:04 PM - edited 03-09-2019 06:16 AM
We currently have the IDSM2 blade in one of our 6509s. Port 7 is set as a security acl capture port. This works great. We would like to use port 8 to capture traffic from the other 6509 (balance the load). We thought about doing an RSpan, but wouldn't the RSpanned traffic duplicate itself on port 7 due to the security acl capture port?
What is a better way to do this? Any ideas would be helpful.
01-29-2004 04:16 PM
In the other switch (no IDSM2 installed) set up an RSPAN Source session to copy the packets to the RSPAN vlan.
Be sure that RSPAN vlan is configured as an RSPAN vlan on both switches, and that a trunk port will carry the RSPAN vlan between the 2 switches.
In the switch with the IDSM2 set up port 8 as an RSPAN destination.
You won't have any RSPAN Sources in this switch.
This way port 8 gets the RSPAN packets coming from the other switch.
As long as the packets traverse ONLY one of the 2 switches, then port 7 will monitor the switch where the IDSM2 resides, and port 8 will be monitoring (through RSPAN) the other switch, and you won't be duplicating packets.
Something to keep in mind: if you have port 7 monitoring vlan 10 in switch A, and you set up port 8 to monitor vlan 10 in switch B through RSPAN.
You may be tempted to say that those vlan 10 packets being sent to port 8 for the RSPAN would also be seen by port 7, but that would not be correct.
This is because those vlan 10 packets in switch B are actually being copied to the special RSPAN vlan that port 8 is monitoring. Switch A sees the packets as ONLY being on the special RSPAN vlan and does not know the original vlan for the packets. This also means, however, that when alarms come from the traffic being monitored by port 8, the alarms will all list the RSPAN vlan as the vlan for the alarm.
Something else to keep in mind. When setting this up, you need to realize that ports 7 and 8 are trunk ports for ALL vlans in the switch by default.
I recommend taking port 7 and using the "clear trunk" command to remove the RSPAN vlan from port 7 (especially since it is not an RSPAN destination anyway). And for port 8 use the "clear trunk" command to remove ALL the vlans except the RSPAN vlan.
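The two-switch setup described in this answer, written out as CatOS commands (an added example, not from the original post; the IDSM2 slot 5, monitored VLAN 10, RSPAN VLAN 900, inter-switch trunk port 1/1 and the VLAN ranges in the clear trunk lines are all assumptions for illustration):

```catos
# --- Switch B (no IDSM2): RSPAN source only ---
# assumed: monitored VLAN 10, RSPAN VLAN 900, trunk 1/1 toward switch A
set vlan 900 rspan
# copy VLAN 10 traffic (rx and tx) into RSPAN VLAN 900
set rspan source 10 900 both
# make sure the trunk to switch A carries the RSPAN VLAN
set trunk 1/1 900

# --- Switch A (IDSM2 assumed in slot 5): RSPAN destination only ---
# the same VLAN must be declared as an RSPAN VLAN on this side too
set vlan 900 rspan
set trunk 1/1 900
# port 8 of the IDSM2 receives the copies arriving on VLAN 900
set rspan destination 5/8 900
# deliberately no "set rspan source" here: port 7 already sees switch A's
# own traffic through the security ACL capture port, so nothing is doubled

# ports 7 and 8 trunk ALL VLANs by default, so prune them:
# the capture port must not carry the RSPAN VLAN
clear trunk 5/7 900
# the RSPAN destination port carries nothing but the RSPAN VLAN
clear trunk 5/8 1-899,901-1005,1025-4094

# verify: one RSPAN session, and only VLAN 900 left on 5/8
show rspan
show trunk 5/7
show trunk 5/8
```

Because switch A only ever sees the copies on VLAN 900, alarms raised from port 8 traffic will report VLAN 900 rather than the original VLAN 10, as the answer notes.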
01-29-2004 04:34 PM
Great info! I did do this initially, but didn't make the 'trunk' changes you suggested at the bottom of the message. That looks like it will work.
Thanks!