Re:Snort on span port

[SN ORT <snort_on_acid () yahoo com>]

Wow. That's exactly what I said. I think he got it
already. Oh but wait, what happened to the "problem"
with the 5500 spanning?


My quote:
> Ok, so if I remember correctly, ---NO I DID NOT
REMEMEBER CORRECTLY-- root-bridges are
> like
> only for vlan trunking protocol and elections and
> what-not of switches that will act as root bridges.
> All they do is keep track of vlans. ** Not sure what
> this
> has to do with port spanning/monitoring.**  Your
> engineers should be spannig at the physical layer
> and
> not the vlan layer. ** They should be spanning the
> physical ports that the vlans are trunked on and
> connected to each other.**  Nevermind the gibberish
> about
> Cisco switches not keeping up with
> spanning...hogwash!
> You assign vlans and trucks to ports, all the
> engineers need to worry about are physically
> spannning
> those ports to your ports.
>
> IOW, let's say my trunk port is port one on one of
> the
> switches. The port is either part of the backbone or
> at least connects to the other switches. Now let's
> say
> your IDS is connected to port two. All the engineer
> has to do is get on the switch, go to port 2 and
> type
> in "port monitor fa0/1" Then you'd be set!


> Message: 3
> Date: Sat, 14 Aug 2004 13:35:13 -0700
> From: Charles Heselton <charles.heselton () gmail com>
> Reply-To: Charles Heselton
> <charles.heselton () gmail com>
> To: snort-users () lists sourceforge net
> Subject: Fwd: [Snort-users] Snort on span port
>
> A solution presented by one of my network engineers.
>
>
> ---------- Forwarded message ----------
> From: Lohr, Corey R <corey.lohr () nmci-isf com>
> Date: Thu, 12 Aug 2004 23:54:40 -0700
> Subject: RE: [Snort-users] Snort on span port
> To: "Garrett, Joshua" <joshua.garrett () nmci-isf com>,
> "Sheldon, Mike
> E." <mike.sheldon () nmci-isf com>, Charles Heselton
> <charles.heselton () gmail com>, "O'Sullivan, Richard"
> <richard.o'sullivan () nmci-isf com>
>
>
> Josh and Mike are right and it has nothing to do
> with root bridge
> selection (tha. The 0.2 Mbps of traffic is switching
> overhead (bpdu,
> hello frames/packets, dot1q/isl frames, and pagp if
> channeling is
> configured). The following would fix the problem:
>  
> +++++         +++++  
> + sw1+ -----+ sw2+
> +++++         +++++
>      |                   |
>      |                   |
> +++++          +++++       ++++++
> + sw3+ -----+ sw4+-----+sniffer+
> +++++          +++++       ++++++
>  
> Setup an rspan on sw1, sw2 and sw3 with source
> port(s) and vlan(s) to
> destination switchport x on sw4.
>  
> Then configure sw4 with a regular span including all
> the source
> switchports and vlan(s) coming from sw1, sw2 and sw3
> to destination
> switchport y on sw4.
>  
> VACLs are used for filter granularity once all span
> requirements have
> been configured to cut down on layer 2 overhead.
>  
> -C
>
>
>  

<snip>

Haw haw!

Marc


                
__________________________________
Do you Yahoo!?
Yahoo! Mail - Helps protect you from nasty viruses.
http://promotions.yahoo.com/new_mail


-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users