[Snort-users] How To Mirror/Monitor T1 and VPN Traffic w/Cisco Routers?

Matt Kettler mkettler at ...4108...
Mon Oct 4 11:31:15 EDT 2004

At 11:09 AM 10/4/2004, McCash, John wrote:
>         Is there a way to have a router span or mirror traffic to
>another interface the same way that a switch can? Or can it somehow
>directly copy the datastream to somewhere else on the LAN?

AFAIK the Cisco IOS routers do not have any ability to do this.

Unlike a switch, where copying a packet to multiple ports is a matter of 
normal behavior, a router doesn't have the hardware to support this 
multi-copy behavior. It's also much easier to do multi-destination when all 
your ports are the same kind of hardware and don't require different 
link-layer controls.

If your model does support it, it will likely be configured with the same 
span commands as in their switches (monitor session). It may also be 
restricted to doing this between like types of interfaces. I'd be highly 
surprised (and impressed) if Cisco IOS supported mirroring traffic from a 
T1 to an Ethernet card. 

