GroupStudy.com - A virtual community of network engineers
Re: SPAN question posted 08/15/2006


If you don't use the ingress keyword, the port is just in listening mode and TCP reset packets cannot be sent through that port (from the IDS).

Guys correct me if I am wrong

Cheers
Ryan
----- Original Message -----
From: "Stefan Grey" <examplebrain@xxxxxxxxxxx>
To: <cisco018@xxxxxxxxx>; <calikali2006@xxxxxxxxx>
Cc: <secondie@xxxxxxxxx>; <ccielab@xxxxxxxxxxxxxx>; <security@xxxxxxxxxxxxxx>
Sent: Tuesday, August 15, 2006 5:16 AM
Subject: Re: SPAN question



Guys,
Could you please explain to me why this ingress word is needed? I read the explanation in the doc but can't imagine any live situation where this may be needed. Could you please tell me where this may be needed? Some situation?
Thanks.


From: Zero <cisco018@xxxxxxxxx>
Reply-To: Zero <cisco018@xxxxxxxxx>
To: Kal Han <calikali2006@xxxxxxxxx>
CC: secondie <secondie@xxxxxxxxx>, Cisco certification <ccielab@xxxxxxxxxxxxxx>, Cisco certification <security@xxxxxxxxxxxxxx>
Subject: Re: SPAN question
Date: Mon, 14 Aug 2006 10:40:51 -0700


The difference between

1) monitor .... ingress vlan 20
2) monitor .... dot1q ingress vlan 20

is:
1) The PC sends a frame without an 802.1Q tag, the SW adds tag 20, then forwards.
2) The PC sends a frame with 802.1Q tag 20, then the SW forwards.

So your issue is when you use 'dot1q ingress vlan' but your PC (or router)
sends a frame without an 802.1Q tag; the SW just drops this frame.

Z.


Kal Han wrote:
> It depends on the host on which your sniffer is running.
> If you are using Windows PC, I know it works fine with the Intel Pro
> NIC card with their (Intel) drivers.
> I remember, one person at work had the same problem.
> This problem could be because of a driver issue or the
> NIC itself. Some drivers REMOVE dot1q tags.
> Try to see if there are any driver updates available for your NIC card.
>
> Thanks
> Kal
>
>
> On 7/31/06, secondie <secondie@xxxxxxxxx> wrote:
>
>> Setup
>>
>> I have switch1 and 2 connected via port 1 with Q trunk configured (all
>> vlans allowed)
>> Switch 1 has router R1 connected to port 20.
>> Switch 2 has router R2 connected to port 20.
>>
>> Every thing is on VLAN 20 and both routers can ping each other.
>>
>> R1 -- SW1 -- fa0/1 -- trunk -- fa0/1 -- SW2 ---R2
>>
>>
>> I am trying to config span source as port 1 on sw1, destination on sw 1
>> is port 48
>>
>> when I configure
>>
>> monitor sess 1 source int fa 0/1
>> monitor sess 1 dest int fa 0/48
>>
>> or
>>
>> monitor session 1 source interface Fa0/1
>> monitor session 1 destination interface Fa0/48 ingress vlan 20
>>
>> I can see ping on sniffer
>>
>> but when I configure
>>
>> monitor sess 1 source int fa 0/1
>> monitor sess 1 dest int fa 0/48 encap dot1q
>>
>> or
>>
>> monitor sess 1 source int fa 0/1
>> monitor sess 1 dest int fa 0/48 encap dot1q ingress vlan 20
>>
>> FAILS ...... I see nothing on sniffer.
>>
>> Any one see problem with this ?
>>
>> How can I see dot1q tags on the traffic? Any scenarios?
>>
>> TIA
>> -secondie
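
For the closing question in the thread (how to see dot1q tags on the mirrored traffic) and Kal's point that some NIC drivers remove them, here is an added example, not code from any poster: a Python parser that reports whether raw captured Ethernet frames still carry an 802.1Q tag. The sample frames and MAC addresses are constructed, and it assumes each frame is available as raw bytes starting at the destination MAC.

```python
import struct

TPID_DOT1Q = 0x8100  # IEEE 802.1Q tag protocol identifier


def parse_frame(frame: bytes) -> dict:
    """Return MACs, 802.1Q tag fields (None if untagged) and payload EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    tag, offset = None, 14
    if ethertype == TPID_DOT1Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI = 3-bit priority, 1-bit DEI, 12-bit VLAN ID; real EtherType follows
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        tag = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tag": tag,
            "ethertype": ethertype, "payload": frame[offset:]}


def summarize(frames) -> dict:
    """Count untagged frames and tagged frames per VLAN ID in a capture."""
    counts = {"untagged": 0}
    for frame in frames:
        tag = parse_frame(frame)["tag"]
        key = "untagged" if tag is None else f"vlan {tag['vid']}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample frames (not taken from the thread): same IPv4 payload,
# once untagged and once with an 802.1Q tag for VLAN 20.
DST = bytes.fromhex("00112233aa01")
SRC = bytes.fromhex("00112233aa02")
PAYLOAD = b"\x45" + b"\x00" * 45
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + PAYLOAD
TAGGED_20 = DST + SRC + struct.pack("!HHH", TPID_DOT1Q, 20, 0x0800) + PAYLOAD

if __name__ == "__main__":
    # A capture showing only "untagged" on a port configured with dot1q
    # encapsulation points at the NIC or driver removing the tag.
    print(summarize([UNTAGGED, TAGGED_20, TAGGED_20]))
```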

