Quick Installation Guide
Single Appliance
Version 8.1
monitoring a link connecting two routers. This option cannot respond to Address
Resolution Protocol (ARP) requests, which limits the ability of the Appliance to detect
scans aimed at the IP addresses included in the monitored subnet. This limitation
does not apply when traffic between two routers is being monitored.
B. Switch Setting Notes
VLAN (802.1Q) Tags
Monitoring a Single VLAN: If the monitored traffic is from a single VLAN,
then traffic does not need 802.1Q VLAN tags.
Monitoring Multiple VLANs: If the monitored traffic is from two or more
VLANs, then both the monitored and response ports must have 802.1Q VLAN
tagging enabled. Monitoring multiple VLANs is recommended as it provides
the best overall coverage while minimizing the number of mirroring ports.
If the switch cannot use an 802.1Q VLAN tag on the mirroring port, then do
one of the following:
− Mirror only a single VLAN
− Mirror a single, untagged uplink port
− Use the IP layer response option
If the switch can only mirror one port, then mirror a single uplink port. This
port may be tagged. In general, if the switch strips the 802.1Q VLAN tags, you
must use the IP layer response option.
Additional Guidelines
In the following cases you should mirror just one interface (one that allows
both transmit and receive):
− If the switch cannot mirror both transmitted and received traffic
− If the switch cannot mirror all the switch traffic
− If the switch cannot mirror all the traffic over a VLAN
Verify that you do not overload the mirroring port.
Some switches (e.g. Cisco 6509) may require that the current port
configuration be completely deleted before entering a new configuration. Not
deleting old port information often causes the switch to strip 802.1Q tags.
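As an added check that is not part of this guide, the following Python script parses captured Ethernet frames for 802.1Q tags and reports whether the mirror port delivers tagged frames for every VLAN you expect to monitor, or whether the switch appears to be stripping tags (the case above that forces the IP layer response option). The frames, MAC addresses and VLAN IDs are constructed sample data; in practice you would feed it frames captured on the monitor interface.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100   # customer VLAN tag
TPID_8021AD = 0x88A8  # service (QinQ outer) tag, same TCI layout

def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, ethertype); vlan_ids is empty for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, vids = 12, []
    while True:
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return tuple(vids), ethertype  # outermost tag first
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)  # low 12 bits are the VLAN ID; PCP/DEI ignored
        offset += 4

def summarize_mirror(frames):
    """Count frames per outermost VLAN ID, plus frames carrying no tag at all."""
    by_vlan, untagged = Counter(), 0
    for frame in frames:
        vids, _ = parse_vlan_tags(frame)
        if vids:
            by_vlan[vids[0]] += 1
        else:
            untagged += 1
    return {"tagged_by_vlan": dict(by_vlan), "untagged": untagged}

def mirror_verdict(summary, expected_vlans):
    """'stripped' if no frame is tagged, 'missing:<ids>' if a VLAN never appears, else 'ok'."""
    seen = set(summary["tagged_by_vlan"])
    if not seen and summary["untagged"]:
        return "stripped"  # mirror a single VLAN or use the IP layer response option
    missing = sorted(set(expected_vlans) - seen)
    if missing:
        return "missing:" + ",".join(map(str, missing))
    return "ok"

def build_frame(vid=None, ethertype=0x0800, payload=b"\x00" * 46):
    hdr = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")  # constructed MACs
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP and DEI set to zero
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed sample capture: two frames on VLAN 10, one on VLAN 20, one untagged.
SAMPLE_FRAMES = [build_frame(10), build_frame(20), build_frame(10), build_frame()]
```

A verdict of "stripped" on a port that should carry several VLANs is the symptom described for stale port configuration; clear the old configuration and re-check before falling back to the IP layer response option.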