[Snort-users] Please Help me! How configure span port to work with encapsulation trunks

Matt Kettler mkettler at ...4108...
Wed Apr 20 14:17:40 EDT 2005


federico.juarez at ...12650... wrote:

>Please Help Me!
>
>We have a switch Cisco 6500 and have several VLAN and trunks configured. We trie
>to configured port Span to work with IDS Snort, but We can´t see all the
>traficc, Somebody know if that is due to the encapsulation ISL or another
>causes? What can I do? 
>

AFAIK snort will not understand ISL, which is a cisco protocol, not an
industry standard.

Snort can deal with industry-standard 802.1q VLAN tags, but not ISL.

>RSPAN could be another solution? 
>
No, RSPAN won't change what format the packet is in.

Your problem is that the source of your SPAN is a port which is using
ISL. RSPAN will let you span to ports on a different switch, but you
need to change what your SPAN/RSPAN is picking up in the first place.

You're pretty much limited to three options:

1) find a different port to monitor, one which isn't an ISL encapsulated
trunk
2) stop using ISL encapsulation on the port you want monitor and switch
to 802.1q instead (dot1q in cisco terminology)
3) don't use snort.





More information about the Snort-users mailing list