FW: [Snort-users] Cisco switch configuration for sensor
gr8dane2 at ...163...
Thu Jan 16 10:50:07 EST 2003
Thanks, Kevin, for clarifying that for me. I turned off the tree-spanning and left on the port monitoring. For some reason I was under the impression that I needed tree-spanning on for it to work (I knew I should have taken those Cisco courses).
Also, thank you Twig Les for your responses!
> From: "kevin reynolds" <kevinreynolds2525 at ...125...>
> Date: 2003/01/16 Thu PM 12:24:20 EST
> To: gr8dane2 at ...163..., snort-users at lists.sourceforge.net
> Subject: Re: FW: [Snort-users] Cisco switch configuration for sensor
> If you have enabled spanning tree protocol under the assumption that it will
> allow the sensor to view copies of all traffic between the DSL router and
> the firewall, you are incorrect. STP is used to provide a loop-free
> switching path when multiple switches share VLANs. You will need to set up
> a SPAN (switch port analyzer) session directing all traffic observed on
> ports 1x and Bx to port Ax. But you could make the switch's life somewhat
> easier and send all traffic observed on just one of the ports to the IDS
> (just make sure you do it bi-directionally).
> >-----Original Message-----
> >From: gr8dane2 at ...163... [mailto:gr8dane2 at ...163...]
> >Sent: Thursday, January 16, 2003 11:32 AM
> >To: snort-users at lists.sourceforge.net
> >Subject: [Snort-users] Cisco switch configuration for sensor
> >Ok, I checked the Cisco sites and believe I have this set up properly. I
> >just wanted to run it past the Snort gurus for confirmation before I hook
> >up. I am using a Cisco 1900 series switch that has 12 10baseT ports
> >(1x-12x) and 2 100baseTX ports (Ax and Bx). I have a DSL router that is
> >10baseT (plugged into port 1x), a snort sensor with a 10/100 NIC (port Ax),
> >and a firewall with a 10/100 NIC (port Bx). I have enabled the Spanning-Tree
> >protocol. I have set up port Ax to monitor 1x and Bx. Then I disabled the
> >web interface, of course. I am using the modified patch cable that will
> >only allow inbound traffic on the sensor, a cross-over cable on the router,
> >and a regular patch cable for the firewall. The sensor has a public NIC
> >with no bindings and a private NIC with local TCP/IP settings that connects
> >back to the LAN behind the firewall, so it can report to the MySQL server.
> >Anyone see anything wrong with this before I hook it up? As always, keep up
> >the great work! You all are very helpful.
> >Dane Howard