[Snort-users] Kernel complaint about MAC being seen on multiple interfaces
tsevy at ...1701...
Thu Apr 5 07:52:39 EDT 2001
Can you elaborate on an FEC driver? If I have four Catalyst 3500XL series
switches on a LAN segment, I thought I could only accomplish complete
coverage by Snort with a NIC to each switch, then using Port Mirroring so
that these NICs would see all the traffic each switch is passing. Wouldn't
FEC only work within a single switch?

I did find a solution that involved a modification to if_ether.c so that it
doesn't send out those messages. I implemented it yesterday and it seems to
be working just fine. I don't know that this is the best solution, but it
was the only suggestion I had at the time and so I went with it.
From: Doug White [mailto:dwhite at ...1486...]
Sent: Wednesday, April 04, 2001 11:36 PM
To: Tom Sevy
Cc: Snort-Users eMail List (E-mail)
Subject: Re: [Snort-users] Kernel complaint about MAC being seen on
On Wed, 4 Apr 2001, Tom Sevy wrote:
> Syslog is showing that a given MAC is being seen by three NICs. This MAC
> belongs to an Alteon Web Switch. It is the hard IP/MAC and not the
> IP/MAC. Is it safe to ignore this? Or is there anything that can be
> configured in the kernel to ignore this scenario?
This is probably because you have all the NICs plugged into the same VLAN,
which is a no-no. If you want to trunk span ports, you might try to find
the 'fec' driver, which does Fast Etherchannel.
Doug White | FreeBSD: The Power to Serve
dwhite at ...1486... | www.FreeBSD.org