Snort mailing list archives
Cisco 6500 SPAN limitations, dropping packets, VACLs, RSPAN, real world
From: "Jack McDonough" <JMcDonough () KnowledgeWorks Info>
Date: Wed, 28 Apr 2004 00:28:01 -0400
TO: Snort Users
From: Jack McDonough, Knowledge Works, Inc.

Would really appreciate feedback from anyone with hands-on knowledge, primarily with Cisco 6500s and:

- local SPAN session limitations, when the source is both tx/rx (I have researched this, trying to compare notes)
- using RSPAN to mirror traffic on a local switch; does this work well?
- using VACLs, with specific TCP ports filtered
- the scenario is with a local machine set to sniff on the switch

Thanks in advance for your help and assistance.

Some folks have told me that packets can be dropped on local SPAN sessions even when the destination port is not oversubscribed. But I have heard this from people that may have an axe to grind, or they want to sell you TAPs (Test Access Points) or THEIR solution.

I have heard: SPAN ports are the third priority, after switching and routing, so mirrored packets can be dropped, but I have not seen a Cisco reference.

Some folks have told me that Cisco has problems with their SPAN ports acting erratically, but this is not openly discussed, and is supposed "to be a big secret", because "the Cisco people are certified and will not say anything bad about Cisco."

Here is an excerpt from a thread:

"As Cisco is dropping "mirror" ports and going to capture ports, I now see vlan tagged traffic. The network folks will not let me use mirror ports any more since Cisco is removing that in future releases of their IOS, from what I hear."

Does anybody know anything about the above statement, about Cisco dropping SPAN or "mirror ports" and going to capture ports? Is anyone not using SPAN for this reason?

Also, does anyone know if the session limitations for Local SPAN on Cisco 6500s are substantially more limited than on other vendors' switches?

Any ideas on what switch or switches to use as a TAP aggregation device, when we bring back multiple TAPs to a switch? Which vendor might have fewer SPAN limitations?

I have been doing a bit of research on this, so if anyone has experience and wants to share, I can be reached at 617 877-5560 and I would be happy to compare notes.

In reference to the link below (***), I have talked to 9 people about the following reference, and I have 10 conflicting opinions as to what "egress sources" means. I think I know what it means; anyone care to share their viewpoint on the definition?

*** http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/span.htm#wp1036881

Local SPAN and RSPAN Source and Destination Limits

These are the local SPAN and RSPAN source and destination limits:

                             Local SPAN Sessions        RSPAN Source Sessions       RSPAN Destination Sessions
Egress sources                                                                      1 RSPAN VLAN
  Supervisor Engine 720      1                          1
  Supervisor Engine 2        1 (No remote SPAN source   1 (No local SPAN egress
                                session configured)        source session configured)
                             0 (Remote SPAN source      0 (Local SPAN egress
                                session configured)        source session configured)
Ingress sources              64                         64
Destinations per session     64                         1 RSPAN VLAN                64

Thanks Much,
Jack
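An added configuration example, not part of Jack's post or of Cisco's documentation, showing the three mechanisms the post asks about on a Catalyst 6500 running native IOS: a local SPAN session whose source is monitored in both directions, an RSPAN session carrying mirrored traffic across a trunk to a sniffer on a second switch, and a VACL that copies only one TCP port to a capture port. Interface names, VLAN numbers, access-list and access-map names, and TCP port 80 are assumptions chosen for illustration. In Cisco's SPAN terminology an ingress source is a port or VLAN monitored in the receive (rx) direction and an egress source one monitored in the transmit (tx) direction, so a `both` source counts against the egress-source limit in the table quoted above.

```cisco
! ===== 1. Local SPAN (sensor attached to this switch) =====
! Mirror Gi1/1 in both directions to the sniffer on Gi1/48 (names assumed).
! "both" = ingress (rx) + egress (tx); the tx half uses the single
! egress-source session the quoted limits table allows.
monitor session 1 source interface GigabitEthernet1/1 both
monitor session 1 destination interface GigabitEthernet1/48
!
! ===== 2. RSPAN (sensor attached to a different switch) =====
! --- Source switch ---
! The RSPAN VLAN (900 assumed) must exist, with remote-span set, on every
! switch between source and destination and be allowed on the trunks.
vlan 900
 name RSPAN-TO-IDS
 remote-span
!
monitor session 2 source interface GigabitEthernet1/2 both
monitor session 2 destination remote vlan 900
!
! --- Destination switch ---
vlan 900
 name RSPAN-TO-IDS
 remote-span
!
monitor session 3 source remote vlan 900
monitor session 3 destination interface GigabitEthernet2/48
!
! ===== 3. VACL capture: only TCP/80 on VLAN 100 reaches the capture port =====
! ACL selecting the traffic to copy (port 80 assumed; both directions).
ip access-list extended CAPTURE-HTTP
 permit tcp any any eq 80
 permit tcp any eq 80 any
!
! Catch-all so everything else keeps forwarding normally; a VACL with no
! matching entry drops the packet, so this second entry is required.
ip access-list extended ANY-IP
 permit ip any any
!
vlan access-map SNIFF-HTTP 10
 match ip address CAPTURE-HTTP
 action forward capture
vlan access-map SNIFF-HTTP 20
 match ip address ANY-IP
 action forward
!
vlan filter SNIFF-HTTP vlan-list 100
!
! The capture port receives the copied frames; restrict it to VLAN 100.
interface GigabitEthernet1/47
 switchport
 switchport capture
 switchport capture allowed vlan 100
!
! ===== Verification =====
! show monitor session 1            -> sources, destination, rx/tx direction
! show vlan access-map SNIFF-HTTP   -> sequence numbers, match and action
! show vlan filter                  -> which VLANs the map is applied to
```

The three sections are alternatives to choose from, not a single configuration to apply all at once: the limits table quoted in the post states that on a Supervisor Engine 2 the local SPAN egress-source session and the RSPAN source session are mutually exclusive (1 of one only when 0 of the other is configured), so on that supervisor sections 1 and 2 could not both be active on the same switch. The VACL capture path filters by TCP port before the frames are copied, which keeps the volume sent to the sensor below what a full-port SPAN would deliver.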