- A port on a switch is configured as port mirroring (SPAN) for the purpose of analyzing network traffic.
- Due to the characteristics of the switch and its configuration, the flow to be analyzed provided by the SPAN port is 802.1q untagged in one direction and tagged in the other.
- The data flow coming from the switch should be merged into a single flow (802.1q untagged). It should also not be redirected back to the switch.
- The IDS host receives the port-mirrored flow on port ens1f0: RX tagged flow + TX untagged.
- The interface ens1f0.40 gets only the tagged flow (RX) and untags it.
- Bridge br1 joins all three network flows: RX tagged flow + TX untagged + ens1f0.40 (same RX flow but untagged).
- ebtables drops all the 802.1q tagged frames on br1.
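The setup described above, written out as an added example (not the original poster's commands): ens1f0, VLAN 40 and br1 are the names from the list; the dry-run wrapper, the choice of the ebtables INPUT chain for the 802.1q drop, and the blanket FORWARD drop that keeps mirrored frames from being relayed back toward the switch are this example's assumptions.

```shell
#!/bin/sh
# Added example: build the SPAN-port capture bridge for an IDS host.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 applies them (needs root).
set -eu

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_span_bridge <mirror-nic> <vlan-id> <bridge>
setup_span_bridge() {
    nic="$1"; vid="$2"; br="$3"; sub="$nic.$vid"

    # Physical port receiving the SPAN traffic: no IP address, promiscuous.
    run ip link set dev "$nic" up promisc on

    # 802.1q subinterface: the tagged RX direction is delivered here untagged.
    run ip link add link "$nic" name "$sub" type vlan id "$vid"
    run ip link set dev "$sub" up promisc on

    # Bridge that merges the untagged TX flow (via the physical port) with
    # the now-untagged RX flow (via the VLAN subinterface). The IDS sniffs br.
    run ip link add name "$br" type bridge
    run ip link set dev "$nic" master "$br"
    run ip link set dev "$sub" master "$br"
    run ip link set dev "$br" up promisc on

    # Assumption: never relay frames between bridge ports, so nothing mirrored
    # is transmitted back out the physical port toward the switch.
    run ebtables -A FORWARD -j DROP

    # Drop 802.1q tagged frames before they reach the bridge itself (INPUT),
    # so the sniffer on br sees each RX frame once, untagged, via the subinterface.
    run ebtables -A INPUT -p 802_1Q -j DROP
}

# Usage: ./span_bridge.sh [nic] [vlan-id] [bridge]; defaults match the post.
setup_span_bridge "${1:-ens1f0}" "${2:-40}" "${3:-br1}"
```

Run it once in dry-run mode to review the command list, then with DRY_RUN=0 as root; the ebtables rules are not persistent across reboots unless saved by the distribution's ebtables service.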