[Snort-users] Cisco Catalyst - SNORT

shannong shannong at ...8823...
Tue Jun 24 05:21:28 EDT 2003


When mirroring traffic for many ports (or VLANs) under high loads such
as 600-1000 Mbps, the Catalyst can incur a CPU load even though the docs
say it shouldn't. I don't know if it's only when doing ports from more
than one module, ports from more than one VLAN, or FE ports to GE ports,
or simply a load factor, but the "problem" definitely exists.  You can
use capture ACLs instead of SPAN ports on 6500s.  Do you have Native IOS
or CatOS?

You can allow for spanning traffic on a port while also accepting
network traffic from it as a host.  As previously mentioned, it is
better to have a separate NIC for this.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of twig les
Sent: Monday, June 23, 2003 11:38 AM
To: Tinsley Paul; 'Falvo, Jose Luis - (Arg)';
'Snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] Cisco Catalyst - SNORT

We're mirroring a gig port via fiber on a 6509 and have been for
almost 2 years.  I've never noticed any performance difference
at all.  Caveat - We prolly only hit about 80-100 Mbs.

--- Tinsley Paul <Paul.Tinsley at ...9244...> wrote:
> I recently asked this question of Cisco in reference to VLAN
> mirroring to a gig fiber port on a 6509 and they said there should
> be no performance degradation as it's all done "in hardware."
> 
> -----Original Message-----
> From: Falvo, Jose Luis - (Arg) [mailto:Jose.Falvo at ...3247...]
> Sent: Monday, June 23, 2003 10:15 AM
> To: 'javier at ...7920...'
> Cc: 'Snort-users at lists.sourceforge.net'; Rochas, Esteban -
> (Ext Arg)
> Subject: RE: [Snort-users] Cisco Catalyst - SNORT
> 
> 
> Thanks Javier,
> Could there be any performance problem configuring a SPAN port on
> a switch with high traffic?
> Regards,
> jose
> 
> 
> -----Original Message-----
> From: Javier Liendo [mailto:javier at ...7920...]
> Sent: Monday, June 23, 2003 11:56 AM
> To: Falvo, Jose Luis - (Arg);
> 'Snort-users at lists.sourceforge.net'
> Subject: Re: [Snort-users] Cisco Catalyst - SNORT
> 
> 
> hello jose
> 
> you'll have to configure the switch port where you are
> plugging the snort device as a "span" port...
> 
> pls take a look at the following link to see how you
> can configure it on a 6000 series catalyst switch...
> 
> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfig/span.htm
> 
> also in my experience, if you configure a switch port
> as span then you can not pass any management traffic
> through that port so you will have to add another
> network card and plug it to another switch port if you
> want to manage this device remotely...
> 
> regards
> 
> javier
> 
> 
> --- "Falvo, Jose Luis - (Arg)" <Jose.Falvo at ...3247...>
> wrote:
> > Hi All,
> > I'm testing Snort in our network. Snort was
> > installed and it runs correctly.
> > Our problem is that Snort only sees unicast packets
> > to the Snort IP or any broadcast packets of the VLAN
> > where it is connected.
> > The question is:
> > 
> > On a Cisco Catalyst 8540 or Catalyst 6509, what is the
> > port configuration for Snort to listen to all packets
> > of the VLAN?
> > 
> > Regards and thanks,
> > 
> > 
> > Jose Luis Falvo
> > Engineering Dept.
> > AT&T Latin America
> > Tel. (54 11) 5288-0182
> > Olga Cosentini 1031 - Cap Fed
> > Buenos Aires - Argentina
> > 
> > This message is confidential. It contains
> > information that is privileged and
> > legally exempt from disclosure. If you have received
> > this e-mail by mistake,
> > please let us know immediately by e-mail and delete
> > it from your system;
> > you should also not copy the message nor disclose
> > its contents to anyone.
> > Thank You.


=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.       
-----------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
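
Added example, not part of the original thread: a check for the symptom Jose describes, where the sensor sees only broadcasts and unicast addressed to itself, which means the port is not yet mirrored. It assumes raw Ethernet frames already captured on the sniffing interface; every MAC address, frame and the 10% threshold below is constructed for illustration.

```python
# Added example: do captured frames show the sensor port is really mirrored?
# Every MAC address and frame below is constructed for illustration.
from collections import Counter

BROADCAST = bytes.fromhex("ffffffffffff")

def classify(frame: bytes, sensor_mac: bytes) -> str:
    """Classify one raw Ethernet frame by its destination MAC (bytes 0-5)."""
    if len(frame) < 14:                 # shorter than an Ethernet header
        return "runt"
    dst = frame[:6]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                   # I/G bit set: multicast/group address
        return "multicast"
    if dst == sensor_mac:
        return "to_sensor"
    return "foreign_unicast"            # unicast between two other hosts

def span_verdict(frames, sensor_mac: bytes, min_ratio: float = 0.10):
    """Return (mirrored, counts). A non-mirrored access port sees almost no
    foreign unicast; the ratio threshold (an assumed value) tolerates the odd
    unknown-unicast frame that a switch floods to every port in the VLAN."""
    counts = Counter(classify(f, sensor_mac) for f in frames)
    total = sum(counts.values()) - counts["runt"]
    ratio = counts["foreign_unicast"] / total if total else 0.0
    return ratio >= min_ratio, dict(counts)

def make_frame(dst: str, src: str, ethertype: int = 0x0800) -> bytes:
    """Build a minimal constructed Ethernet frame (header + 46 zero bytes)."""
    return bytes.fromhex(dst) + bytes.fromhex(src) + ethertype.to_bytes(2, "big") + bytes(46)

SENSOR = "020000000001"                 # constructed, locally administered MACs
HOST_A, HOST_B = "020000000002", "020000000003"

# Symptom from the thread: only broadcasts and traffic to the sensor itself.
UNMIRRORED = ([make_frame("ffffffffffff", HOST_A, 0x0806)] * 20
              + [make_frame("01005e000001", HOST_B)] * 5
              + [make_frame(SENSOR, HOST_A)] * 10
              + [make_frame(HOST_B, HOST_A)])      # one flooded unknown unicast
# After SPAN is configured: conversations between other hosts dominate.
MIRRORED = UNMIRRORED + [make_frame(HOST_B, HOST_A), make_frame(HOST_A, HOST_B)] * 100

if __name__ == "__main__":
    for name, cap in (("unmirrored", UNMIRRORED), ("mirrored", MIRRORED)):
        print(name, span_verdict(cap, bytes.fromhex(SENSOR)))
```

Running the same check again after a SPAN change, or periodically, also catches a sensor that has silently stopped receiving mirrored traffic.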







More information about the Snort-users mailing list