Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

SPAN and Websense Enterprise

Status
Not open for further replies.
jduawa

jduawa

MIS
Jun 11, 2002
73
US
I have a websense enterprise server with 2 NICs
x.x.x.100 and x.x.x.99
a Cisco pix 506e plugged into port 1 of a cisco 3550 switch.
the x.x.x.100 address is plugged into port 0/5 of the switch and the x.x.x.99 nic is used for "normal" lan traffic
i need to get SPAn going so i can rerstrict/monitor protocols using websense
so i assume all i would need to do is on the switch enter the following
monitor session 1 source interface fa0/1
monitor session 1 destination interface fa0/5
write that to memory and i should see packets on the x.x.x.100 NIC.
Does that sound right or am i missing a step...I tried it yesterday but saw no traffic
Thanks
 
Sort by date Sort by votes
Basically your destination port should be some kind of network probe/analysis tool so you can see the traffic going to your server. Also your your source port should be the server port you actually want to monitor - in your example, you've specified a firewall as a source port which would mean you would see all traffic destined for that device and not the server.

Also turn on bi-directional span so you see traffic in both directions, e.g. monitor session 1 source interface fa0/5 both

HTH



 
Upvote 0 Downvote
websense is integrated with the pix...so the pix knows about the websense server. The NIC i want to SPAN to is on the same box as websense. Should the NIC that plugs into the SPAN port have an assigned IP to it (i have x.x.x.100 ) assigned to it now, or should it be left as unassigned..thanks
 
Upvote 0 Downvote
Hi.

Just to clarify: The device/network analyser that is monitoring (the destination port) shouldn't be given an IP address on that NIC.

The port you want to monitor (the source port) will have an IP address and continue to be used as normal by the users.

You can however give an IP address to another NIC on the network analyser, connect it as you would any normal switched connection in case you need to be able to remotely access/administer it.

HTH
 
Upvote 0 Downvote
The NIC that is on the SPAN port is getting an IP assigned to it by DHCP...I assume that is going to be a problem...Sorry for the ignorance...
 
Upvote 0 Downvote
For best results, I'd remove any IP address (dynamic or static) from your SPAN/destination port. Network analysers generate a lot of data for analysis so the last thing you want is to see additional background IP traffic being sent to your analyser's monitor port directly.

I would recommend assigning no IP address to this NIC and, as I mentioned before, assign an IP address to the other NIC if you require the ability to remotely connect to the server.

You can use Ethereal if you want a good (and free) network analyser to capture the network traffic going to websense. The link is below:

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Lccarter
  • Locked
  • Question
Cisco CUCM Provisioning and Order Management System
Replies
1
Views
136
Lccarter
Lccarter
acabezas2014
  • Locked
  • Question
Need to create QoS for SNMP and Radius traffic on Cisco 4948 Switches
Replies
0
Views
74
acabezas2014
acabezas2014
mrdom
  • Locked
  • Question
RV325: Accessing LAN and WAN resources using the same hostname ...
Replies
0
Views
71
mrdom
mrdom
dmourghen
  • Locked
  • Question
PBR issue and Access-list
Replies
0
Views
85
dmourghen
dmourghen
jeepinbob
  • Locked
  • Question
WS-C2960X-24TS-LL and QOS
Replies
0
Views
60
jeepinbob
jeepinbob

Part and Inventory Search

Sponsor

Back
Top