SPAN - what traffic is allowed on destination port?

esa_fresa
Level 1

I'd just like to check my understanding of a Destination Port in Local SPAN. Let's say our port is connected to an IDS/IPS device. Is this port supposed to be able to forward or receive normal traffic? If the IDS/IPS detects something naughty, how does it send a RST to drop the connection? 

What is "ingress traffic forwarding" and do I need to enable it?

Destination Port

The port does not transmit any traffic except that required for the SPAN session.

If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2940/software/release/12-1_19_ea1/configuration/guide/2940scg_1/swspan.html

Any help is appreciated. Thanks!

1 Accepted Solution


dmuinoorallo
Level 1

Hello,

When ingress is enabled, the SPAN destination port accepts incoming packets, which are potentially tagged, depending on the specified encapsulation mode, and switches them normally. When you configure a SPAN destination port, you can specify whether or not the ingress feature is enabled and what VLAN to use to switch untagged ingress packets. The specification of an ingress VLAN is not required when ISL encapsulation is configured, as all ISL-encapsulated packets have VLAN tags. Although the port is STP forwarding, it does not participate in the STP, so use caution when you configure this feature lest a spanning-tree loop be introduced in the network. When both ingress and a trunk encapsulation are specified on a SPAN destination port, the port goes forwarding in all active VLANs. The configuration of a non-existent VLAN as an ingress VLAN is not allowed.

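As an added example (not part of this thread or of Cisco's documentation), here is a Local SPAN session in the syntax the linked Catalyst 2940 guide describes, with ingress forwarding enabled on the sensor-facing destination port; the interface names, session number and VLAN 10 are assumed values:

```cisco
! Added example, not from the thread. Catalyst 2940-style Local SPAN session
! that mirrors a monitored port to an IDS/IPS sensor. Interface names,
! session number and VLAN 10 are assumed values for illustration.
!
! Source: copy frames in both directions from the port being watched.
monitor session 1 source interface FastEthernet0/1 both
!
! Destination: the sensor port. Without "ingress", the port only transmits
! the mirrored copies and does not switch anything the sensor sends into it.
! With "ingress vlan 10", untagged frames arriving from the sensor are
! switched normally in VLAN 10; with dot1q encapsulation, tagged frames are
! switched in the VLAN of their tag. This is the Layer 2 forwarding the
! quoted guide means by "ingress traffic forwarding".
monitor session 1 destination interface FastEthernet0/24 encapsulation dot1q ingress vlan 10
!
! Caveat from the answer above: the destination port forwards but does not
! run STP, so connect it only to the sensor, never to another switch.
!
! Verify that the destination port shows ingress enabled with VLAN 10.
show monitor session 1
```

The ingress VLAN must already exist on the switch; the session is rejected if it does not.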
