Snort mailing list archives
RE: Span/Snoop ports...
From: "Snort" <Snort () InterCept Net>
Date: Mon, 21 Mar 2005 13:31:07 -0500
Your particular cisco switch does not have span port capabilities, by the release notes (of course you already knew that) http://www.cisco.com/univercd/cc/td/doc/product/l3sw/4908g_l3/ios_12/rel _nts/78_7194.htm#wp17049 http://www.cisco.com/univercd/cc/td/doc/product/l3sw/4908g_l3/ios_12/rel _nts/78_7194.htm#wp57935 Table 4 Features Not Supported on the Catalyst 2948G-L3 and the Catalyst 4908G-L3 Switch Routers Features Not Supported Layer 2 source MAC address filtering with standard Access Control List (ACL) User Datagram Protocol (UDP) turbo flooding Port-based snooping (SPAN) The 2948G-L3 is end of life, and more than likely superseded by the 2950. http://www.cisco.com/en/US/products/hw/switches/ps708/prod_eol_notice091 86a008032d4ff.html The new switches comes with either SMI or EMI, EMI gives more functionally like BPG routing, rate limiting, QOS, high availablity etc etc. The 2950 only comes in EMI. The SMI The next model up for yours is the 2950, which handles SPAN ports and RSPAN (remote port span), but it does not manage L3 vlans, only participates in them. http://www.cisco.com/en/US/products/hw/switches/ps628/products_data_shee t09186a00801cfb64.html the next switch that handles L3 is the 3550 http://www.cisco.com/en/US/products/hw/switches/ps646/products_data_shee t09186a00800913d7.html You could however, setup a Linux server as gateway for your internal LAN and point all your desktops and servers to it, and make it's default gateway the L3 switch, so, you pretty much insert your self in the network and then sniff that traffic. But that pretty much will only sniff broadcast and traffic between networks... you could also, get a good Dell powerconnect hub, uplink it to the cisco and connect all your devices to it and sniff on that.... Thanks, Michael Brown _____ From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Marc Hering Posted At: Friday, March 18, 2005 8:31 AM Posted To: Snort Conversation: Span/Snoop ports... Subject: [Snort-users] Span/Snoop ports... Hey Guys, I just deployed a Snort box to one of our data centers...and I ran into a bit of a snafu. We have a 2948G-L3 switch and want to snort on it. The problem is that a L3 switch doesn't suppprt a snoop port...Has anyone found a way around this? Thanks!
Current thread:
- Span/Snoop ports... Marc Hering (Mar 18)
- Re: Span/Snoop ports... Paul Halliday (Mar 18)
- Re: Span/Snoop ports... Ulric Eriksson (Mar 18)
- RE: Span/Snoop ports... Lee Clemens (Mar 18)
- Re: Span/Snoop ports... Skip Carter (Mar 18)
- <Possible follow-ups>
- RE: Span/Snoop ports... Richard Bejtlich (Mar 18)
- RE: Span/Snoop ports... Snort (Mar 21)