How exactly are you collecting data from 1 port when you have spanned 13 x
100Mbps connections? How can a 100Mbps port view all the data from 13? you must
be dropping packets like crazy.
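To put numbers on the oversubscription worry raised above (13 spanned 100 Mbps ports feeding one 100 Mbps monitor port, and Donnie's 3 x 50 Mbps VLAN case further down), here is an added, constructed example; it is not code from anyone in this thread and not a Cisco tool. It expands a CatOS-style `set span <sources> <destination>` line of the shape Verne quotes, counts the mirrored ports, and compares the offered load with the line rate of the single monitor port. The parsing rule (last token is the destination, sources may be separated by commas and/or spaces) is my own reading of the quoted command, and the drop estimate assumes smooth load, so real loss on bursty traffic is higher.

```python
"""SPAN oversubscription check: constructed example, not a vendor tool.

Expands a CatOS-style 'set span <sources> <destination>' line, counts the
mirrored ports, and compares worst-case offered load with the capacity of
the single monitor port that the IDS hangs off.
"""
import re
from dataclasses import dataclass

PORT_ITEM = re.compile(r"(\d+)/(\d+)(?:-(\d+))?")  # mod/port or mod/first-last


@dataclass(frozen=True)
class SpanBudget:
    source_ports: int      # number of mirrored ports (or hosts) feeding the SPAN
    offered_mbps: float    # traffic the switch tries to copy to the monitor port
    monitor_mbps: float    # line rate of the monitor port itself

    @property
    def ratio(self) -> float:
        """Oversubscription ratio; above 1.0 the monitor port cannot keep up."""
        return self.offered_mbps / self.monitor_mbps

    @property
    def oversubscribed(self) -> bool:
        return self.ratio > 1.0

    @property
    def drop_fraction(self) -> float:
        """Share of offered traffic that cannot fit, assuming a smooth load.
        Bursty traffic makes real loss worse, so treat this as a floor."""
        if self.offered_mbps <= 0:
            return 0.0
        return max(0.0, 1.0 - self.monitor_mbps / self.offered_mbps)


def expand_port_spec(spec: str) -> list[str]:
    """Expand '2/2-10, 2/13,3/21-22' into ['2/2', ..., '2/10', '2/13', '3/21', '3/22'].
    Items may be separated by commas, whitespace, or both (as in the thread)."""
    ports: list[str] = []
    for item in re.split(r"[,\s]+", spec.strip()):
        if not item:
            continue
        m = PORT_ITEM.fullmatch(item)
        if not m:
            raise ValueError(f"unrecognised port item: {item!r}")
        mod, first = m.group(1), int(m.group(2))
        last = int(m.group(3)) if m.group(3) else first
        if last < first:
            raise ValueError(f"descending range: {item!r}")
        ports.extend(f"{mod}/{p}" for p in range(first, last + 1))
    return ports


def parse_set_span(command: str) -> tuple[list[str], str]:
    """Split a CatOS-style 'set span <sources> <destination>' line.
    Assumption (mine, not a vendor spec): the last token is the destination port."""
    tokens = command.split()
    if tokens[:2] != ["set", "span"] or len(tokens) < 4:
        raise ValueError("expected: set span <source ports> <destination port>")
    destination = tokens[-1]
    if not PORT_ITEM.fullmatch(destination) or "-" in destination:
        raise ValueError(f"destination must be a single mod/port: {destination!r}")
    sources = expand_port_spec(" ".join(tokens[2:-1]))
    if destination in sources:
        raise ValueError("destination port cannot also be a SPAN source")
    return sources, destination


def budget_for_loads(per_source_mbps: list[float], monitor_mbps: float = 100.0) -> SpanBudget:
    """Budget from measured or assumed per-source loads, e.g. three servers at 50 Mbps."""
    return SpanBudget(len(per_source_mbps), float(sum(per_source_mbps)), monitor_mbps)


def budget_for_command(command: str, link_mbps: float = 100.0,
                       utilisation: float = 1.0, both_directions: bool = True) -> SpanBudget:
    """Worst-case budget for a 'set span' line: every source port at `utilisation`
    of its line rate and, by default, both receive and transmit mirrored."""
    sources, _destination = parse_set_span(command)
    per_port = link_mbps * utilisation * (2 if both_directions else 1)
    return budget_for_loads([per_port] * len(sources), monitor_mbps=link_mbps)


if __name__ == "__main__":
    # Constructed inputs: the span line quoted in the thread, and the 3 x 50 Mbps case.
    verne = budget_for_command("set span 2/2-10, 2/13, 2/18,3/21-22  2/48")
    print(f"{verne.source_ports} source ports, worst case {verne.offered_mbps:.0f} Mbps "
          f"onto a {verne.monitor_mbps:.0f} Mbps monitor port: ratio {verne.ratio:.1f}, "
          f"drop floor {verne.drop_fraction:.0%}")
    donnie = budget_for_loads([50, 50, 50])
    print(f"3 servers at 50 Mbps each: ratio {donnie.ratio:.2f}, "
          f"drop floor {donnie.drop_fraction:.0%}")
```

Run as a script it confirms the count of 13 source ports in the quoted command and shows why the monitor port can only ever see a slice of them at full load; feeding `budget_for_command` a measured `utilisation` (say 0.05) gives the realistic figure a network team would want before agreeing to the span.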






"Verne Baxter" <[EMAIL PROTECTED]> on 20/03/2003 21:41:07

To:   "Donnie Green" <[EMAIL PROTECTED]>, "Paul Van Gurp"
      <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
cc:    (bcc: Simon Griffin/IS/Spectrum/AXA SUN LIFE)

Subject:  RE: [ISSForum] SPAN port for IDS monitoring - Cisco switches



Must have missed an equipment description.  I currently have, for instance,
one monitor port in a CAT4003.  Via that monitor port I have setup a span
that 'spans' two blades, three VLANS and a total of 13 ports.  No problem.
i.e.   set span 2/2-10, 2/13, 2/18,3/21-22  2/48

Verne

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Donnie Green
Sent: Thursday, March 20, 2003 11:20 AM
To: Paul Van Gurp; [EMAIL PROTECTED]
Subject: Re: [ISSForum] SPAN port for IDS monitoring - Cisco switches


Your network guys are right.  You can span multiple ports-if they are in
the same VLAN-on a single switch, but you cannot span multiple individual
ports.  And you have to be careful that the total traffic you are
monitoring-if spanning a VLAN-does not saturate the bandwidth of the port.
For example if you are monitoring a VLAN with 3 servers on it, which is
communicating at 50mbps each, your 100mb span port will start to drop a lot
of packets.

In a segmented environment there are few things you can do besides what you
mentioned.  It is easier to monitor network activity when security (i.e.,
intrusion detection, fw, etc.) is part of the initial design and
implementation...  Sorry I couldn't be more helpful.

At 09:22 AM 3/20/2003 -0500, you wrote:
>Hi all.
>
>I am not a network specialist by any means so please be gentle.  I am
>currently attempting to deploy network sensors throughout our
>infrastructure.  Since we have a switched environment, I have 2 options
>(that I am aware of):
>
>*       use the SPAN port of a switch for a network IDS
>*       use network taps.
>
>Many of our switches have several internal interfaces that I would like to
>monitor...i.e. one switch will be used for traffic destined for 8
>different networks.  I would like to be able to plug an IDS into the SPAN
>port of the switch and get the networking people to configure the SPAN
>port to accept traffic from port 1, 3, and 8 for example because those are
>critical network segments.  This would allow my IDS to monitor all 3 of
>those ports at the same time.  The network guys say this is not possible
>and I can only span one port on the switch to the SPAN port.  This means
>using the SPAN port is out of the question for our environment.  I went to
>the Cisco site and it seems that the switches are capable of doing what I
>want, so I am confused.
>
>Question 1:  Who is right...i.e. can a SPAN port monitor traffic over
>multiple incoming/outgoing ports on a single switch?  If not then why not?
>Question 2:  If the network guys are right then why is the SPAN port a
>widely used method of deploying network IDS?
>Question 3:  If the network guys are right, what other options are open to
>me...I mentioned taps but don't I run into the same issues...1 tap for 1
>network segment and so in my example above, I would require 8 taps for the
>switch with 8 ports.
>
>Thanks in advance.
>
>Paul
>
>
>
>_______________________________________________
>ISSForum mailing list
>[EMAIL PROTECTED]
>
>TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
>https://atla-mm1.iss.net/mailman/listinfo
