[Snort-users] Snort on span port

Charles Heselton charles.heselton at ...11827...
Wed Aug 11 00:02:00 EDT 2004

----- Original Message -----
From: Ilango S Allikuzhi <ilangoallikuzhi at ...12241...>
Date: Thu, 5 Aug 2004 11:23:00 -0400
Subject: [Snort-users] Snort on span port
To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>

We are deploying SourceFire (snort network sensor) appliances to
capture traffic on a VLAN that spans 4 Cisco Catalyst 5500 switches
(Cat OS), connected on a trunk. I looked at the data, connecting to
the span port of each of the switches; these span ports are supposed
to be well configured by competent engineers and are in use for a long
time for network sniffing through NAI distributed network sniffer. I
am connecting the snort appliance in parallel with NAI sniffer using a
100 MB/s hub. I see less than 0.2 MB/s traffic on 3 of these switches
while I see over 2 MB/s sustained traffic when connected to the span
port of one of the switches. So I decided to connect the IDS to the
span port of this switch. I initially thought that I would see the
same traffic on all 4 switches as they are trunked, and after this
exercise, I realized the entire traffic of the VLAN can be sniffed
only on one of the switches' span ports. A network engineer clarified
that ONLY the root bridge on the VLAN would see all the traffic and
the root bridge could change after a re-election when the current root
goes down.

The question is how do I ensure that I always capture the entire VLAN
traffic, irrespective of which switch is the "root bridge".  Should I
have IDS sensors on the span port of all the switches in this kind of
scenario?  Is there any better solution?  I keep hearing of the Cisco
term VACL for configuring the port on which the IDS sits. Is it better
than using a span port?  I would appreciate it if someone shares their
experience dealing with this kind of situation.


I work in an environment where all of our network traffic is captured
through Cisco Switch Spanning, and I have never experienced a problem
related to whichever switch might be the "root bridge" for the VLAN.

However, I am not a network engineer by any means, I am an IDS
engineer.  So you may want to take what I say with a grain of salt.
In my experience, "userland" VLANs are spanned to a "monitoring" trunk
VLAN on an alternate switch port.  The IDS either sits on that port,
or (depending upon the capabilities of the switch) that port is then
SPAN'd/RSPAN'd to another switch, which then locally SPANs the traffic
to the IDS promiscuous interface. This whole configuration depends on
your architecture, the capability of your switch infrastructure, and
can vary accordingly.

Some things to consider are: 1) how much traffic SHOULD be traversing
the VLANs that you are monitoring on the one that is seeing less
bandwidth?  Is that typical or atypical?  2)  How many VLANs are you
dealing with?  3)  What type of traffic do you actually see on the
port with less bandwidth?  It's really difficult to speak
intelligently about your situation without knowing more about your
architecture.  If you would like to email me off-list to provide more
detail about your infrastructure, I might be able to help more.

Basically, I don't know anything about VACLs, but we've been able to
accomplish most of the visibility that we need through the mixture of
local SPAN sessions and RSPAN sessions (remote).  You should be able
to do the same (depending on the capabilities of your switches).

Charlie Heselton
Network Security Engineer
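Added example, not part of this thread: a small defender-side check for the visibility problem the original poster describes, where a root-bridge re-election can silently move a VLAN's traffic away from the switch whose span port the sensor sits on. It assumes the sensor's monitoring port receives 802.1Q-tagged frames (i.e. the SPAN/RSPAN destination is delivered as a trunk); per-VLAN frame counts over an interval are compared against the set of VLANs the feed is expected to carry, so a VLAN going quiet is flagged as a blind spot instead of being mistaken for a quiet network. All frames in the block are constructed sample data.

```python
import struct
from collections import Counter

ETHERTYPE_8021Q = 0x8100  # 802.1Q tag protocol identifier (TPID)


def vlan_id(frame: bytes):
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if untagged or truncated."""
    if len(frame) < 18:          # 14-byte header plus the 4-byte tag at minimum
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != ETHERTYPE_8021Q:
        return None
    return tci & 0x0FFF          # low 12 bits of the TCI are the VID


def count_vlans(frames):
    """Count tagged frames per VLAN ID as seen on the sensor's monitoring interface."""
    counts = Counter()
    for frame in frames:
        vid = vlan_id(frame)
        if vid is not None:
            counts[vid] += 1
    return counts


def silent_vlans(frames, expected, min_frames=1):
    """VLANs the feed should carry but that fell below min_frames in this window.
    Empty result: every monitored VLAN is still visible; anything listed means the
    span feed has (at least partially) gone dark and the sensor is blind there."""
    counts = count_vlans(frames)
    return sorted(vid for vid in expected if counts[vid] < min_frames)


def tagged_frame(vid, payload=b"\x00" * 46):
    """Constructed 802.1Q-tagged frame (sample data, not captured traffic)."""
    dst = b"\xff" * 6
    src = b"\x00\x11\x22\x33\x44\x55"
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0
    return dst + src + tag + b"\x08\x00" + payload            # inner EtherType IPv4


# Constructed one-interval sample: VLAN 10 healthy, VLAN 20 nearly silent, VLAN 30
# absent, plus a few untagged frames that carry no VLAN information at all.
UNTAGGED = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"\x00" * 46
SAMPLE_FRAMES = [tagged_frame(10)] * 50 + [tagged_frame(20)] * 2 + [UNTAGGED] * 5
MONITORED_VLANS = {10, 20, 30}

if __name__ == "__main__":
    print("per-VLAN frame counts:", dict(count_vlans(SAMPLE_FRAMES)))
    print("silent VLANs:", silent_vlans(SAMPLE_FRAMES, MONITORED_VLANS, min_frames=5))
```

In production the frames would come from the sensor's promiscuous interface per polling interval, and a non-empty result is the alert that tells you the span feed moved or broke.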
