[Snort-users] Re: Snort on span port

Michael J. Pelletier mjpelletier at ...12250...
Thu Aug 12 21:37:01 EDT 2004


> Hey man don't be dis'ing my net engineers!

> J/K.

> Ok, so if I remember correctly, root-bridges are like only for vlan trunking
protocol and elections and what-not of switches that will act as root bridges.

Root Bridges are used for SPANNING TREE! You can run VLAN trunks with SPANNING
TREE. With SPANNING TREE each bridge will calculate its distance from the root
bridge to itself. This cost is used to determine the shortest path cost to the
root bridge. Although ROOT BRIDGES are used with SPANNING TREE and VLANS can
use SPANNING TREE they are not the same.

> All they do is keep track of vlans.

Not true. Root bridges help determine path cost between bridges.

> Not sure what this has to do with port spanning/monitoring. Your engineers
should be spanning at the physical layer and not the vlan layer.

Actually you can do both if your IDS understands VLAN trunking.

> They should be spanning the physical ports that the vlans are trunked on and
connected to each other. Never mind the gibberish about Cisco switches not
keeping up with spanning...hogwash!

Dude, sorry, but the Cisco 5500 series is known for this. Newer, i.e. 6500, etc., are
much, much better. Ask any Cisco engineer or someone, like me, that has used
them for years. In private the Cisco Engineer will tell you.

> You assign vlans and trunks to ports, all the engineers need to worry about
are physically spanning those ports to your ports.

> IOW, let's say my trunk port is port one on one of the switches. The port is
either part of the backbone or at least connects to the other switches. Now
let's say your IDS is connected to port two. All the engineer has to do is get
on the switch, go to port 2 and type in "port monitor fa0/1" Then you'd be set!

Cheese!

Marc


/*******************************************/
UNIX is a very friendly OS. It is just picky
about who it makes friends with.
/*******************************************/
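
What "understands VLAN trunking" means for a sensor on a SPAN of a trunk port, as an added example that is not part of the original message: mirrored frames arrive with 802.1Q tags, so the decoder has to step over each tag before it reaches the IP header. The frames and addresses are constructed sample data, and the function names are hypothetical.

```python
import struct

TPID_8021Q = 0x8100    # 802.1Q VLAN tag seen on trunk links
TPID_8021AD = 0x88A8   # outer service tag (QinQ)
ETHERTYPE_IPV4 = 0x0800

def decode_frame(frame: bytes) -> dict:
    """Walk past any VLAN tags; return VLAN IDs, final EtherType, payload offset."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12                                   # skip dst + src MAC
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    vlans = []
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlans.append(tci & 0x0FFF)                # low 12 bits of the TCI = VLAN ID
        offset += 4
    return {"vlans": vlans, "ethertype": ethertype, "payload_offset": offset}

def ipv4_addresses(frame: bytes):
    """Return (vlans, src, dst) for an IPv4 frame, tagged or not; None otherwise."""
    info = decode_frame(frame)
    if info["ethertype"] != ETHERTYPE_IPV4:
        return None
    off = info["payload_offset"]
    if len(frame) < off + 20:
        raise ValueError("truncated IPv4 header")
    src, dst = struct.unpack_from("!4s4s", frame, off + 12)
    return info["vlans"], ".".join(map(str, src)), ".".join(map(str, dst))

def _build(tags, src_ip, dst_ip):
    """Construct a sample frame: MACs, optional (tpid, vlan_id) tags, bare IPv4 header."""
    macs = bytes.fromhex("020000000002" "020000000001")
    tag_bytes = b"".join(struct.pack("!HH", tpid, vid) for tpid, vid in tags)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(src_ip), bytes(dst_ip))
    return macs + tag_bytes + struct.pack("!H", ETHERTYPE_IPV4) + ip

# Constructed sample frames (documentation address ranges).
SRC, DST = [192, 0, 2, 10], [198, 51, 100, 5]
UNTAGGED = _build([], SRC, DST)                               # access-port mirror
TAGGED = _build([(TPID_8021Q, 30)], SRC, DST)                 # trunk-port mirror
QINQ = _build([(TPID_8021AD, 100), (TPID_8021Q, 30)], SRC, DST)

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED), ("qinq", QINQ)):
        print(name, ipv4_addresses(frame))
```

A decoder that assumes the IP header always starts at byte 14 would see EtherType 0x8100 on the tagged frame and never inspect the packet inside it.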
