[Snort-users] Snort on span port
Ilango S Allikuzhi
IlangoAllikuzhi at ...12241...
Mon Aug 9 06:24:08 EDT 2004
We are deploying SourceFire (snort network sensor) appliances to capture
traffic on a VLAN that spans 4 Cisco Catalyst 5500 switches (Cat OS),
connected on a trunk. I looked at the data, connecting to the span port of
each of the switches; these span ports are supposed to be well configured
by competent engineers and have been in use for a long time for network
sniffing through the NAI distributed network sniffer. I am connecting the
snort appliance in parallel with the NAI sniffer using a 100 MB/s hub. I see
less than 0.2 MB/s traffic on 3 of these switches, while I see over 2 MB/s
sustained traffic when connected to the span port of one of the switches.
So I decided to connect the IDS to the span port of this switch. I
initially thought that I would see the same traffic on all 4 switches as
they are trunked; after this exercise, I realized the entire traffic of
the VLAN can be sniffed only on one switch's span port. A network
engineer clarified that ONLY the root bridge on the VLAN would see all
the traffic, and the root bridge could change after a re-election when the
current root goes down.
The question is: how do I ensure that I always capture the entire VLAN
traffic, irrespective of which switch is the "root bridge"? Should I have
IDS sensors on the span port of all the switches in this kind of scenario?
Is there any better solution? I keep hearing of the Cisco term VACL
for configuring the port on which the IDS sits. Is it better than using a
span port? I would appreciate it if someone shared their experience dealing
with this kind of situation.
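The failure mode in this post is that the traffic reaching a span port depends on which switch currently forwards it, so a spanning-tree re-election can leave the sensor running but silently starved. One defensive check, independent of how the span or VACL is eventually configured, is to watch the sensor's own capture rate against a baseline and alarm on a sustained drop. The following Python is an added example, not code from the post or from Snort/Sourcefire; the per-interval byte counts are constructed to mimic the figures in the post (about 2 MB/s sustained falling to about 0.2 MB/s, in MB per one-minute interval), and the function names, thresholds and warm-up length are all assumptions.

```python
"""Capture-feed watchdog for an IDS sensor fed from a span port.

Hypothetical helper (not part of the mailing-list post): it takes the number
of bytes the sensor captured in each fixed interval and reports ranges where
the rate stayed far below the baseline for several intervals in a row. A
sustained drop like that is one symptom of the span feed no longer carrying
the VLAN's traffic, e.g. after a spanning-tree root re-election moved the
forwarding path to another switch.
"""
from statistics import median
from typing import List, Sequence, Tuple

# Constructed sample: MB captured per one-minute interval. Intervals 0-5 are
# normal (~2 MB/s), interval 6 is a single quiet minute (normal variation),
# intervals 8-12 are a sustained drop to ~0.2 MB/s, then traffic returns.
SAMPLE_MB_PER_MINUTE = [118, 125, 121, 130, 119, 122, 20, 124,
                        11, 12, 10, 13, 12, 120, 126]


def baseline_rate(samples: Sequence[float], warmup: int) -> float:
    """Median of the first `warmup` intervals.

    The median is used instead of the mean so that one burst or one quiet
    interval during warm-up does not skew the baseline.
    """
    if warmup < 1 or len(samples) < warmup:
        raise ValueError("need at least `warmup` samples to build a baseline")
    return median(samples[:warmup])


def find_feed_drops(samples: Sequence[float], warmup: int = 5,
                    ratio: float = 0.25,
                    consecutive: int = 3) -> List[Tuple[int, int]]:
    """Return inclusive (start, end) index ranges of sustained feed drops.

    An interval counts as low when it carries less than `ratio` times the
    baseline. Only runs of at least `consecutive` low intervals are reported,
    so a single quiet minute does not page anyone, while a real loss of the
    feed (which persists until someone fixes the span) does.
    """
    threshold = baseline_rate(samples, warmup) * ratio
    drops: List[Tuple[int, int]] = []
    run_start = None  # index where the current run of low intervals began
    for i in range(warmup, len(samples)):
        low = samples[i] < threshold
        if low and run_start is None:
            run_start = i
        elif not low and run_start is not None:
            if i - run_start >= consecutive:
                drops.append((run_start, i - 1))
            run_start = None
    # A run that is still going at the end of the data is also a drop.
    if run_start is not None and len(samples) - run_start >= consecutive:
        drops.append((run_start, len(samples) - 1))
    return drops


if __name__ == "__main__":
    base = baseline_rate(SAMPLE_MB_PER_MINUTE, 5)
    print(f"baseline: {base} MB/min (~{base / 60:.2f} MB/s)")
    for start, end in find_feed_drops(SAMPLE_MB_PER_MINUTE):
        print(f"ALERT: capture feed below {0.25 * base:.1f} MB/min "
              f"from interval {start} to {end}; check span/root bridge")
```

In practice the per-interval counts would come from the sensor's interface counters or Snort's own packet statistics; the point of the hysteresis (`consecutive`) is that a root re-election produces a drop that lasts until the span is moved, which is easy to distinguish from ordinary minute-to-minute variation.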