Do you know if we are able to decrypt TRUNQ or DOT1Q
traffic in DCRUM? At my customer we have several applications monitored,
however they told me they are not able to see all the traffic due to some of it
being on TRUNQ and DOT1Q, so I was wondering if there is a way to decrypt it to
be able to see it.
I was told already that we might be able to see it since we have layer 2 visibility since 12.3
Solved! Go to Solution.
If I am not wrong the layer 2 visibility was introduced in version 12.4.x
Starting from thenetwork data link layer discovery (L2), navigate up through nodes and locations discovery (L3), to application discovery (L4-L5), and up to specific services with their critical functions (L7), with visibility into application errors that may affect the service delivery.
Check the release note.
Hi @Rodrigo M.
802.1q is not any encryption so there is nothing to decrypt.
It's a way of tagging packets https://en.wikipedia.org/wiki/IEEE_802.1Q
You simply get some more data in each frame. Then it's up to the software whether to see/understand/decode that or not.
Typically, the tag isn't normally forwarded by SPAN unless specifically instructed to and therefor you don't see them. If you use a network tap (much recommended) you will always see the tags.
An AMD capture showed no vlan tagging (802.1Q) information was being passed.
Cisco SPANs - by default - do not pass the vlan tags.
For a Cisco 2950 - To enable and disable tagging of the packets at the SPAN destination port. Issue the monitor session session_number destination interface interface_id encapsulation dot1q command in order to enable encapsulation of the packets at the destination port. If you do not specify the encapsulation keyword, the packets are sent untagged, which is the default in Cisco IOS Software Release 12.1(11)EA1 and later.
For a Cisco 3750 - (Optional) Enter encapsulation replicate to
specify that the destination interface replicates the source interface
encapsulation method. If not selected, the default is to send packets in
native form (untagged).