Allow all VLANs on trunk and mirror, even those not defined


We deploy a firewall to inspect traffic at clients' sites as part of a security audit. I'd like to set up a trunk port that mirrors all VLAN traffic, even those not specifically defined in the switch (SummitX). Cisco has an option to allow all VLANs in a trunk, and I don't believe it requires that they all be manually created. In this config, the firewall would receive a copy of all VLAN traffic, but it would prevent us from having to get a complete list from the client in advance (many of whom are using someone else, and we're doing the audit competitively). In many cases these are small-ish customers that don't have all of the details about their network. While we can do a lot of up-front legwork, I'm trying to minimize it. Also, in most cases the overall traffic will be under the port speed of the mirror, so we're likely okay from a traffic mirroring perspective. Any ideas/thoughts?

2 replies

You could mirror an uplink port, but you will have to create VLANs on your firewall and inspect each of them separately.
Nick Yakimenko wrote:

> You could mirror an uplink port, but you will have to create VLANs on your firewall and inspect each of them separately.

Thanks Nick. That's what I figured. Was hoping someone had an idea for a "shortcut"... Thanks again!
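An added example, not from this thread, that addresses both the missing VLAN list in the original question and Nick's point that each VLAN must be inspected separately: instead of asking the client for an inventory, learn it from the mirrored feed by parsing the 802.1Q/802.1ad tag stack of each frame. The frame builder and the sample frames are constructed here for illustration; in practice the frames would come from a capture on the firewall interface facing the mirror port.

```python
# Added example: enumerate the VLAN IDs present on a mirrored trunk by parsing
# 802.1Q / 802.1ad tags in raw Ethernet frames. All frames below are constructed.
import struct
from collections import Counter

ETH_8021Q = 0x8100   # customer VLAN tag (TPID)
ETH_8021AD = 0x88A8  # service/provider tag (QinQ outer TPID)
ETH_TAGS = {ETH_8021Q, ETH_8021AD}


def vlan_tags(frame: bytes):
    """Return the VLAN IDs in a frame's tag stack, outer tag first.
    Untagged frames return []. Raises ValueError on truncated frames."""
    offset = 12  # skip destination and source MAC
    vids = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in ETH_TAGS:
            return vids
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4


def vlan_inventory(frames):
    """Count frames per outer VLAN ID; key None means untagged (native VLAN)."""
    counts = Counter()
    for frame in frames:
        tags = vlan_tags(frame)
        counts[tags[0] if tags else None] += 1
    return counts


def make_frame(vids, payload=b"\x00" * 46):
    """Build a constructed test frame carrying the given tag stack (assumption:
    a two-tag stack uses 0x88A8 outer / 0x8100 inner, as in QinQ)."""
    header = b"\x02" * 6 + b"\x04" * 6  # constructed dst/src MACs
    tags = b""
    for i, vid in enumerate(vids):
        tpid = ETH_8021AD if (i == 0 and len(vids) > 1) else ETH_8021Q
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)
    return header + tags + struct.pack("!H", 0x0800) + payload


if __name__ == "__main__":
    sample = [make_frame([10]), make_frame([10]), make_frame([20]),
              make_frame([]), make_frame([100, 30])]
    for vid, n in sorted(vlan_inventory(sample).items(),
                         key=lambda kv: -1 if kv[0] is None else kv[0]):
        print(f"VLAN {'untagged' if vid is None else vid}: {n} frame(s)")
```

The resulting inventory is the list of VLAN interfaces the firewall has to be configured with before it can inspect each VLAN separately.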
