[Snort-users] Snort on span port

Ilango S Allikuzhi IlangoAllikuzhi at ...12241...
Mon Aug 9 06:24:08 EDT 2004


We are deploying SourceFire (snort network sensor) appliances to capture 
traffic on a VLAN that spans 4 Cisco Catalyst 5500 switches (Cat OS), 
connected on a trunk. I looked at the data, connecting to the span port of 
each of the switches; these span ports are supposed to be well configured 
by competent engineers and have been in use for a long time for network sniffing 
through the NAI distributed network sniffer. I am connecting the snort 
appliance in parallel with the NAI sniffer using a 100 MB/s hub. I see less 
than 0.2 MB/s traffic on 3 of these switches, while I see over 2 MB/s 
sustained traffic when connected to the span port of one of the switches. 
So I decided to connect the IDS to the span port of this switch. I 
initially thought that I would see the same traffic on all 4 switches as 
they are trunked, and after this exercise I realized the entire traffic of 
the VLAN can be sniffed only on one switch's span port. A network 
engineer clarified that ONLY the root bridge on the VLAN would see all 
the traffic, and the root bridge could change after a re-election when the 
current root goes down. 

The question is how do I ensure that I always capture the entire VLAN 
traffic, irrespective of which switch is the "root bridge"? Should I have 
IDS sensors on the span port of all the switches in this kind of scenario? 
Is there any better solution? I keep hearing of the Cisco terminology VACL 
to configure the port on which the IDS sits. Is it better than using a span 
port? I would appreciate it if someone shares their experience dealing with 
this kind of situation.

Thanks,
Ilango 
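The visibility problem described in the post (only the root bridge's span port carries the whole VLAN, and the root can move after a re-election) can at least be detected from the sensor side. The following is an added example, not code from the original post or from Sourcefire: a small Python check that computes per-switch capture rates from cumulative byte counters, picks the switch whose span port currently carries the bulk of the VLAN traffic, and raises an alert when that switch's rate collapses and another one takes over. The switch names, the sampling interval and the byte counters are constructed sample data chosen to mirror the 0.2 MB/s vs 2 MB/s figures in the post.

```python
"""Capture-coverage check for IDS sensors fed from SPAN ports on several switches.

Added example, not from the original post. All switch names and byte
counters below are constructed sample data, not real measurements.
"""
from typing import Dict, List

MB = 1_000_000  # bytes per MB, matching the MB/s units used in the post


def rate_mb_per_s(byte_counters: List[int], interval_s: float) -> float:
    """Mean MB/s from one sensor's cumulative byte counter sampled every interval_s."""
    if len(byte_counters) < 2:
        raise ValueError("need at least two counter samples")
    deltas = [later - earlier for earlier, later in zip(byte_counters, byte_counters[1:])]
    return sum(deltas) / (len(deltas) * interval_s * MB)


def sensor_rates(samples: Dict[str, List[int]], interval_s: float) -> Dict[str, float]:
    """Per-switch capture rate in MB/s for every sensor's counter series."""
    return {switch: rate_mb_per_s(counters, interval_s) for switch, counters in samples.items()}


def full_view_switch(rates: Dict[str, float]) -> str:
    """Switch whose SPAN port carries the bulk of the VLAN traffic (the root bridge, per the post)."""
    return max(rates, key=rates.get)


def coverage_alerts(rates: Dict[str, float], baseline_switch: str,
                    baseline_rate: float, drop_fraction: float = 0.5) -> List[str]:
    """Alert when the switch that used to carry the full VLAN view loses it.

    A drop below drop_fraction of the baseline rate is treated as loss of
    visibility; if another switch now carries the most traffic, that is the
    likely new root bridge and the sensor feed should follow it.
    """
    alerts: List[str] = []
    current = rates.get(baseline_switch, 0.0)
    if current < baseline_rate * drop_fraction:
        alerts.append(f"visibility drop on {baseline_switch}: "
                      f"{current:.2f} MB/s vs baseline {baseline_rate:.2f} MB/s")
        candidate = full_view_switch(rates)
        if candidate != baseline_switch:
            alerts.append(f"full VLAN view now appears on {candidate} "
                          f"({rates[candidate]:.2f} MB/s); root bridge may have changed")
    return alerts


# Constructed sample data: cumulative byte counters sampled every 10 s on the
# sensor attached to each switch's SPAN port. Only one switch shows ~2 MB/s.
INTERVAL_S = 10
BEFORE = {
    "cat5500-1": [0, 20_000_000, 40_000_000],   # ~2.0 MB/s: current root bridge
    "cat5500-2": [0, 1_500_000, 3_000_000],     # ~0.15 MB/s
    "cat5500-3": [0, 1_500_000, 3_000_000],
    "cat5500-4": [0, 1_500_000, 3_000_000],
}
# Constructed "after a root re-election" samples: the full view moved to cat5500-3.
AFTER = {
    "cat5500-1": [40_000_000, 41_500_000, 43_000_000],
    "cat5500-2": [3_000_000, 4_500_000, 6_000_000],
    "cat5500-3": [3_000_000, 23_000_000, 43_000_000],
    "cat5500-4": [3_000_000, 4_500_000, 6_000_000],
}


def run_demo():
    """Establish the baseline from BEFORE, then check AFTER against it."""
    before = sensor_rates(BEFORE, INTERVAL_S)
    baseline = full_view_switch(before)
    after = sensor_rates(AFTER, INTERVAL_S)
    return baseline, coverage_alerts(after, baseline, before[baseline])


if __name__ == "__main__":
    baseline_switch, alerts = run_demo()
    print(f"baseline full-view switch: {baseline_switch}")
    for line in alerts:
        print("ALERT:", line)
```

In practice the counters would come from each sensor's interface statistics; the check is deliberately independent of any switch CLI so it works regardless of which box is the root at the moment. Note that it only tells you that coverage moved, not why, so it complements rather than replaces sensors on every span port or a VACL-based capture.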

