[Snort-users] Span/Snoop ports...

Snort Snort at ...13151...
Mon Mar 21 10:31:27 EST 2005


Your particular cisco switch does not have span port capabilities, by
the release notes (of course you already knew that)

http://www.cisco.com/univercd/cc/td/doc/product/l3sw/4908g_l3/ios_12/rel
_nts/78_7194.htm#wp17049

 

http://www.cisco.com/univercd/cc/td/doc/product/l3sw/4908g_l3/ios_12/rel
_nts/78_7194.htm#wp57935

 

Table 4 Features Not Supported on the Catalyst 2948G-L3 and the Catalyst
4908G-L3 Switch Routers 

 Features Not Supported  


Layer 2 source MAC address filtering with standard Access Control List
(ACL) 

User Datagram Protocol (UDP) turbo flooding 

Port-based snooping (SPAN) 

 

The 2948G-L3 is end of life, and more than likely superseded by the
2950. 

http://www.cisco.com/en/US/products/hw/switches/ps708/prod_eol_notice091
86a008032d4ff.html

 

The new switches comes with either SMI or EMI, EMI gives more
functionally like BPG routing, rate limiting, QOS, high availablity etc
etc. The 2950 only comes in EMI. The SMI 

 

The next model up for yours is the 2950, which handles SPAN ports and
RSPAN (remote port span), but it does not manage L3 vlans, only
participates in them.

http://www.cisco.com/en/US/products/hw/switches/ps628/products_data_shee
t09186a00801cfb64.html

 

the next switch that handles L3 is the 3550

http://www.cisco.com/en/US/products/hw/switches/ps646/products_data_shee
t09186a00800913d7.html

 

 

You could however, setup a Linux server as gateway for your internal LAN
and point all your desktops and servers to it, and make it's default
gateway the L3 switch, so, you pretty much insert your self in the
network and then sniff that traffic. But that pretty much will only
sniff broadcast and traffic between networks... you could also, get a
good Dell powerconnect hub, uplink it to the cisco and connect all your
devices to it and sniff on that....

 

Thanks,

Michael Brown

  _____  

From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Marc
Hering
Posted At: Friday, March 18, 2005 8:31 AM
Posted To: Snort
Conversation: Span/Snoop ports...
Subject: [Snort-users] Span/Snoop ports...
  

Hey Guys,

I just deployed a Snort box to one of our data centers...and I ran into
a bit of a snafu.  We have a 2948G-L3 switch and want to snort on it.
The problem is that a L3 switch doesn't suppprt a snoop port...Has
anyone found a way around this?

 

Thanks!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050321/0158f79b/attachment.html>


More information about the Snort-users mailing list