[Snort-users] Snort on span port

SN ORT snort_on_acid at ...131...
Mon Aug 16 06:32:18 EDT 2004


Wow. That's exactly what I said. I think he got it
already. Oh but wait, what happened to the "problem"
with the 5500 spanning?


My quote:
> Ok, so if I remember correctly, ---NO I DID NOT REMEMBER CORRECTLY--
> root-bridges are like only for vlan trunking protocol and elections
> and what-not of switches that will act as root bridges. All they do
> is keep track of vlans. ** Not sure what this has to do with port
> spanning/monitoring.**  Your engineers should be spanning at the
> physical layer and not the vlan layer. ** They should be spanning the
> physical ports that the vlans are trunked on and connected to each
> other.**  Never mind the gibberish about Cisco switches not keeping up
> with spanning...hogwash! You assign vlans and trunks to ports, all the
> engineers need to worry about are physically spanning those ports to
> your ports.
>
> IOW, let's say my trunk port is port one on one of the switches. The
> port is either part of the backbone or at least connects to the other
> switches. Now let's say your IDS is connected to port two. All the
> engineer has to do is get on the switch, go to port 2 and type in
> "port monitor fa0/1". Then you'd be set!


> Message: 3
> Date: Sat, 14 Aug 2004 13:35:13 -0700
> From: Charles Heselton <charles.heselton at ...11827...>
> Reply-To: Charles Heselton <charles.heselton at ...11827...>
> To: snort-users at lists.sourceforge.net
> Subject: Fwd: [Snort-users] Snort on span port
> 
> A solution presented by one of my network engineers.
> 
> 
> ---------- Forwarded message ----------
> From: Lohr, Corey R <corey.lohr at ...12268...>
> Date: Thu, 12 Aug 2004 23:54:40 -0700
> Subject: RE: [Snort-users] Snort on span port
> To: "Garrett, Joshua" <joshua.garrett at ...12268...>,
>     "Sheldon, Mike E." <mike.sheldon at ...12268...>,
>     Charles Heselton <charles.heselton at ...11827...>,
>     "O'Sullivan, Richard" <richard.o'sullivan at ...12268...>
> 
> 
> Josh and Mike are right and it has nothing to do with root bridge
> selection (tha. The 0.2 Mbps of traffic is switching overhead (bpdu,
> hello frames/packets, dot1q/isl frames, and pagp if channeling is
> configured). The following would fix the problem:
>  
> +++++       +++++
> + sw1+ -----+ sw2+
> +++++       +++++
>   |           |
>   |           |
> +++++       +++++      ++++++
> + sw3+ -----+ sw4+-----+sniffer+
> +++++       +++++      ++++++
>  
> Setup an rspan on sw1, sw2 and sw3 with source port(s) and vlan(s) to
> destination switchport x on sw4.
>
> Then configure sw4 with a regular span including all the source
> switchports and vlan(s) coming from sw1, sw2 and sw3 to destination
> switchport y on sw4.
>
> VACLs are used for filter granularity once all span requirements have
> been configured to cut down on layer 2 overhead.
>  
> -C
> 
> 
>  

<snip>

Haw haw!

Marc


		