Websense unable to get normal packets except HTTPS

Question

Hi, We have 6248 Power Connect switches the ones configured as core switch up links to two internet links, we need to monitor traffic on this link. We installed Websense and have the port mirrored on the switch to the interface doing the monitoring on the Websense. The two up link ports are added to the mirror session. While running wireshark we can get all the packets listed, but Websense does not get any on the tool. we found that all non-https traffic has a VLAN tag and the return packet does not have any VLAN tag. but the port is UNTAGGED but assigned to a VLAN. Connections are listed below   UPlink 1  -- Port 1/g48 UPlink 2  -- Port 2/g48 Mirror port -- Port 1/g15 VLAN ID of all the three ports are 177   Please find relevant configs below   vlan databasevlan 10,177,180,182-183,186,189-190,1000vlan routing 177 1vlan routing 180 2vlan routing 182 3vlan routing 186 4vlan routing 189 5vlan routing 190 6vlan association subnet 10.193.182.0 255.255.255.0 182vlan association subnet 10.193.183.0 255.255.255.0 183vlan association subnet 10.193.184.0 255.255.252.0 186vlan association subnet 10.193.189.0 255.255.255.0 189vlan association subnet 10.193.190.0 255.255.254.0 190exitstackmember 1 2member 2 2exit..monitor session 1 destination interface 1/g15monitor session 1 source interface 1/g48monitor session 1 source interface 2/g48monitor session 1 mode Let us know if any other settings need to be done. Thanks in Advance Laju

bh1633 · Answer

The settings look correct.

So wireshark can see packets on port 1/g15 but websense cannot? Are these on the same machine? If so, then websense is not configured correctly.

If you have more information please post, along with the configuration of ports 1/g48 and 2/g48.

lajuxavier · Answer

Please find the interface details

console#show interfaces switchport ethernet 2/g48

Port: 2/g48
VLAN Membership mode:Access Mode
Operating parameters:
PVID: 177
Ingress Filtering: Enabled
Acceptable Frame Type: Untagged
Default Priority: 0
GVRP status:Disabled
Protected:Disabled
Port 2/g48 is member in:
VLAN    Name                              Egress rule   Type
----    --------------------------------- -----------   --------
177                                       Untagged      Static

Static configuration:
PVID: 177
Ingress Filtering: Enabled
Acceptable Frame Type: Untagged

Port 2/g48 is statically configured to:
VLAN    Name                              Egress rule
----    --------------------------------- -----------
177                                       Untagged

Forbidden VLANS:
VLAN    Name
----    ---------------------------------

console#show interfaces switchport ethernet 1/g48
Port: 1/g48
VLAN Membership mode:Access Mode
Operating parameters:
PVID: 177
Ingress Filtering: Enabled
Acceptable Frame Type: Untagged
Default Priority: 0
GVRP status:Disabled
Protected:Disabled
Port 1/g48 is member in:
VLAN    Name                              Egress rule   Type
----    --------------------------------- -----------   --------
177                                       Untagged      Static

Static configuration:
PVID: 177
Ingress Filtering: Enabled
Acceptable Frame Type: Untagged
Port 1/g48 is statically configured to:
VLAN    Name                              Egress rule
----    --------------------------------- -----------
177                                       Untagged

Forbidden VLANS:
VLAN Name
---- ---------------------------------

bh1633 · Answer

Configuration looks correct. Websense may be either configured incorrectly or having a problem with the tagged and untagged packets. You should contact websense on this.

This switch port monitoring feature works where all monitored egress traffic appears on the monitor destination port as tagged. Ingress traffic appears as untagged or tagged (depending on the whether the ingress traffic is tagged or not) on the monitor destination port. So in your case, since the switch is receiving untagged traffic on the ingress port (i.e. it is set to an access port), the traffic appears on the destination monitor port as untagged.

If websense needs all traffic as tagged, you should change your uplink ports to send/receive tagged traffic (use trunk or general mode). If websense needs all traffic as untagged, checkout the followoing link for configuring the interface on your pc/server to preserve/remove tags.

http://wiki.wireshark.org/CaptureSetup/VLAN#head-81781716144f2855ab0aff2f8b752e95f2562efb

Networking General

Was this post helpful?