Security Incidents mailing list archives

Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only


From: Roland Dobbins <rdobbins () cisco com>
Date: Mon, 10 Apr 2006 15:03:42 -0700


On Apr 10, 2006, at 4:04 AM, Stef wrote:

Thanks to all who answered - basically the suggestions revolved around
the same type of solution I assumed originally to be needed
(span/mirror/monitor ports, one at a time, to a probe machine -
whether done via a script on the switch itself, or controlled
remotely). The above solution is different (saving tons of work), and
it is in fact something I have tried in the past, but never been able
to get to work properly [the entire traffic]. I am thankful for the
reminder, as I could give it another shot.

I've found tcpdump -e to be useful, too - didn't think of that, good suggestion. Doing it the other way at the console isn't a lot of work (*not* one port at a time - one blade at a time via port-ranges for the SPAN source, then narrowing down the port ranges), it's about 5 minutes or so, max, FYI.

Here's some documentation on SPAN/RSPAN for the 4500 series:

http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a0080176332.html

Good luck!

----------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice

     Everything has been said.  But nobody listens.

                   -- Roger Shattuck
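The step the reply above leaves to the operator is what to do with the `tcpdump -e` output once a SPAN session is feeding the probe: the link-layer header gives the source MAC of every frame, and frames whose IP source falls in a bogon range point at a MAC that can then be looked up in the switch's MAC address table to find the port. The script below is an added example, not code from this thread or from Cisco; it parses lines in the format current tcpdump prints with `-e` (timestamp, `srcmac > dstmac`, ethertype, then the IP summary), which is an assumption about the tcpdump version in use, and the bogon prefix list and the sample capture lines are constructed for the example.

```python
import ipaddress
import re

# Partial bogon list, constructed for this example. RFC 1918 space is left out
# on purpose: on an internal VLAN those are the site's own addresses. Extend
# the list from a maintained bogon reference before relying on it.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "192.0.2.0/24",     # TEST-NET-1
    "224.0.0.0/4",      # multicast as a *source* is never valid
    "240.0.0.0/4",      # reserved
)]

# One `tcpdump -e` line (format assumed, see lead-in):
#   <ts> <srcmac> > <dstmac>, ethertype IPv4 (0x0800), length N: <sip>[.port] > <dip>[.port]: ...
# The lazy ".*?:\s+" skips to the colon that ends "length N" before the IP summary.
FRAME_RE = re.compile(
    r"^\S+\s+(?P<smac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+>\s+"
    r"(?P<dmac>[0-9a-f]{2}(?::[0-9a-f]{2}){5}),.*?:\s+"
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)"
)


def is_bogon(ip, prefixes=BOGON_PREFIXES):
    """True if the dotted-quad address falls inside any listed prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def parse_frame(line):
    """Return {smac, dmac, sip, dip} for an IPv4 frame line, or None for
    anything the regex does not recognise (ARP, truncated lines, IPv6)."""
    m = FRAME_RE.match(line)
    return m.groupdict() if m else None


def bogon_sources(lines, prefixes=BOGON_PREFIXES):
    """Group bogon-sourced frames by the MAC that emitted them.

    Result: {src_mac: {"ips": set of bogon source IPs, "frames": count}}.
    The MAC is what you look up in the switch's MAC address table to get the
    port; the IP alone tells you nothing about where the host sits.
    """
    result = {}
    for line in lines:
        frame = parse_frame(line)
        if frame is None or not is_bogon(frame["sip"], prefixes):
            continue
        entry = result.setdefault(frame["smac"], {"ips": set(), "frames": 0})
        entry["ips"].add(frame["sip"])
        entry["frames"] += 1
    return result


def report(result):
    """Render the grouping as one line per MAC, most frames first."""
    rows = sorted(result.items(), key=lambda kv: -kv[1]["frames"])
    return "\n".join(
        f"{mac}  frames={e['frames']}  sources={','.join(sorted(e['ips']))}"
        for mac, e in rows
    )


# Constructed capture lines (not a real trace): two hosts on the mirrored
# VLAN send from bogon addresses, one sends from the site's prefix, one ARPs.
SAMPLE = """\
15:03:42.000001 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 98: 0.1.2.3 > 198.51.100.10: ICMP echo request, id 1, seq 1, length 64
15:03:42.000002 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 60: 192.0.2.77.1234 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
15:03:42.000003 00:de:ad:be:ef:01 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 60: 198.51.100.5.40000 > 198.51.100.10.80: Flags [S], seq 2, win 512, length 0
15:03:42.000004 00:de:ad:be:ef:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 198.51.100.10 tell 198.51.100.5, length 28
15:03:42.000005 00:11:22:33:44:66 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 84: 169.254.9.9 > 224.0.0.251: igmp v2 report 224.0.0.251
""".splitlines()


if __name__ == "__main__":
    # Live use: tcpdump -e -n -i <probe-if> | python3 this_script.py
    # with sys.stdin in place of SAMPLE.
    print(report(bogon_sources(SAMPLE)))
```

Two caveats when reading the output. If the bogon-sourced packets arrive through a router or firewall interface on that VLAN, the source MAC is that interface's, so the MAC table lookup lands on the uplink rather than on the end host, and the search has to continue on the far side. And if the SPAN source is a range of ports rather than the whole VLAN, a MAC that never appears means the host is on a port outside the current range, which is exactly the narrowing-down step the reply describes.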
