2 VLANs on 1 Port SPAN - Cisco 6500

Currently, I have 2 VLANs that I'm SPANning using monitor session. I have 2 monitor sessions -- 1 for each VLAN. I have a need now to use a port SPAN for something else, but my 6509 has a limit of 2 monitor sessions.

I need to free up a SPAN so that I can install an IDS. Can I monitor the 2 VLANs in 1 session as long as traffic bursts don't overwhelm the SPAN port?

IOS Version 12.2(18)SXD7

2 SUP2 engines, 2 GigE 48-port modules, FlexWAN module / router, PFC2, MSFC2

Thanks,

Beth

Reply to
sillz

Beth,

It's definitely possible to have multiple VLANs as a source. But like you said, you have to be careful not to oversubscribe or you'll miss some data due to queue drops (or worse, spike the CPU).

HTH, neteng


Reply to
pcmccollum
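For the specific question Beth asked, here is what consolidating both VLANs into one local SPAN session looks like on a 6500 running 12.2(18)SX, which frees the second session for the IDS. This is an added configuration example, not something posted in the thread; VLAN 20, the interface names and the session numbers are assumptions made for illustration (the original post only names VLAN1).

```text
! Added example, not from the thread. Assumes the two monitored VLANs are
! 1 and 20, the existing sniffer sits on Gi3/1 and the IDS will go on Gi3/2.
!
! Tear down the second session so it can be reused for the IDS.
no monitor session 2
!
! Both VLANs as sources of a single session. IOS wants spaces around the comma.
! Use "rx" rather than "both" for VLAN sources: with "both", a frame switched
! between two ports in the same VLAN is copied twice (ingress and egress),
! which doubles the load on the destination port without adding information.
monitor session 1 source vlan 1 , 20 rx
monitor session 1 destination interface GigabitEthernet3/1
!
! Session 2 is now free for the IDS, here tapping a single uplink port.
monitor session 2 source interface GigabitEthernet2/1 both
monitor session 2 destination interface GigabitEthernet3/2
!
! Verify, then watch the destination port counters: output drops on the
! SPAN destination are the symptom of the oversubscription neteng describes.
show monitor session all
show interfaces GigabitEthernet3/1 | include output drops
```

Sizing check: the destination port can carry at most its own line rate, so the sum of the two VLANs' receive traffic (plus the duplicates if "both" is used) has to fit in one Gigabit port, and the sniffer behind it has to keep up as well.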

No need to worry about spiking the CPU, the 6500 doesn't use the CPU to switch packets or to mirror ports. It's more likely that the IDS will get overloaded long before the 6500 starts dropping packets because of an oversubscribed GIG interface.

Reply to
Thrill5

In the interest of planning ahead - you may need to look into "VACLs". If you ever need a 3rd session...that is a decent solution.

Reply to
CeykoVer

Good point. Thanks Thrill5.

neteng


Reply to
pcmccollum

Thanks, I've seen some stuff on VACLs. So I can use a VACL to capture and filter traffic? In this case it would need to be all traffic on VLAN1. Could you give me an example of how I could capture VLAN1 traffic and send that to a port where I have the collector/sniffer?

Beth

Reply to
sillz


All you need to know and then some!


Reply to
Brian V

Set up a named security ACL to capture all traffic that you want (could be ip any, but up to you). Then map this security ACL to a VLAN or set of VLANs, and finally set a destination port to send the matches to. Do not forget to 'commit' the VACL, or it will not work. Here is some documentation.


Reply to
Trendkill
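The four steps Trendkill lists (named ACL, map it to VLANs, set a capture port, commit) are the CatOS form of VACL capture. Beth's chassis runs IOS 12.2(18)SXD7, where the same thing is expressed as a VLAN access map whose action includes capture, applied with vlan filter, with the collector's port turned into a capture port; there is no separate commit step in IOS, the vlan filter command is what activates the map. The following is an added example worked out for the IOS side, not configuration from the thread or from the linked documentation; the ACL and access-map names and the capture interface Gi3/2 are assumptions.

```text
! Added example, not from the thread. Assumes the collector is on Gi3/2 and
! that all traffic on VLAN 1 is wanted; all names are illustrative.
!
! 1. Named ACLs selecting what to copy. "permit ip any any" covers all IP
!    traffic; non-IP frames (ARP, STP, etc.) are only seen through a MAC ACL.
ip access-list extended CAPTURE-ALL-IP
 permit ip any any
!
mac access-list extended CAPTURE-ALL-MAC
 permit any any
!
! 2. VLAN access map. "forward capture" keeps forwarding the traffic normally
!    and copies each matched packet to the capture port(s). IP packets are
!    tested against clause 10; non-IP frames fall through to clause 20.
!    Because every clause forwards, applying this map drops nothing.
vlan access-map CAPTURE-VLAN1 10
 match ip address CAPTURE-ALL-IP
 action forward capture
vlan access-map CAPTURE-VLAN1 20
 match mac address CAPTURE-ALL-MAC
 action forward capture
!
! 3. Apply it to VLAN 1. This is the IOS counterpart of the CatOS "commit";
!    it also replaces any VACL previously mapped to VLAN 1, so check first
!    with "show vlan filter" that you are not overwriting a security VACL.
vlan filter CAPTURE-VLAN1 vlan-list 1
!
! 4. Capture port. An access port in VLAN 1 receives the captured copies for
!    that VLAN untagged; a trunk capture port would deliver tagged copies from
!    every VLAN in its capture allowed list. The port has to be in spanning
!    tree forwarding state for VLAN 1 before it transmits captured frames.
interface GigabitEthernet3/2
 switchport
 switchport mode access
 switchport access vlan 1
 switchport capture allowed vlan 1
 switchport capture
!
! Verify
show vlan access-map CAPTURE-VLAN1
show vlan filter
show interfaces GigabitEthernet3/2 switchport | include [Cc]apture
```

Two things to keep in mind when using this instead of a SPAN session: only packets the VACL permits are copied, so a more selective ACL can be used to trim the load before it reaches the collector, and the copy is made by the PFC in hardware, so as Thrill5 notes the sniffer, not the switch, is the component most likely to fall behind.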
