[Snort-users] Span/Snoop ports...

Snort Snort at ...13151...
Mon Mar 21 10:31:27 EST 2005

Your particular cisco switch does not have span port capabilities, by
the release notes (of course you already knew that)





Table 4 Features Not Supported on the Catalyst 2948G-L3 and the Catalyst
4908G-L3 Switch Routers 

 Features Not Supported  

Layer 2 source MAC address filtering with standard Access Control List

User Datagram Protocol (UDP) turbo flooding 

Port-based snooping (SPAN) 


The 2948G-L3 is end of life, and more than likely superseded by the



The new switches comes with either SMI or EMI, EMI gives more
functionally like BPG routing, rate limiting, QOS, high availablity etc
etc. The 2950 only comes in EMI. The SMI 


The next model up for yours is the 2950, which handles SPAN ports and
RSPAN (remote port span), but it does not manage L3 vlans, only
participates in them.



the next switch that handles L3 is the 3550




You could however, setup a Linux server as gateway for your internal LAN
and point all your desktops and servers to it, and make it's default
gateway the L3 switch, so, you pretty much insert your self in the
network and then sniff that traffic. But that pretty much will only
sniff broadcast and traffic between networks... you could also, get a
good Dell powerconnect hub, uplink it to the cisco and connect all your
devices to it and sniff on that....



Michael Brown


From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Marc
Posted At: Friday, March 18, 2005 8:31 AM
Posted To: Snort
Conversation: Span/Snoop ports...
Subject: [Snort-users] Span/Snoop ports...

Hey Guys,

I just deployed a Snort box to one of our data centers...and I ran into
a bit of a snafu.  We have a 2948G-L3 switch and want to snort on it.
The problem is that a L3 switch doesn't suppprt a snoop port...Has
anyone found a way around this?



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050321/0158f79b/attachment.html>

More information about the Snort-users mailing list