Spanned port for IDS

We're about to get an IDS system which will require a spanned port on the inside of our network. Inside our network we have a few 6500's so I'd span a port on one of our core switches... my question is, there is definitely more than 1GB of traffic going through the core at any time... how would I get all this traffic to the IDS system? Would I just create an etherchannel and use it as a destination, and plug all the ports into the IDS?

Thanks for that link. According to that link you have to have separate IDS's attached to the etherchannel (one per port):
"The IPS appliances must be in on-a-stick mode, meaning that the IPS appliance can only use one sensing port on that Catalyst switch. That port is trunked so that the IPS appliance has an inbound and outbound path to and from the switch."
Am I reading that wrong? Can I have one IPS with three or four ports attached to the same switch in an etherchannel?
It's starting to sound like I'm going to have to limit what ports I source... which means the IDS could potentially miss a threat or report it later than it could....

Similar Messages

  • CS11800 - Can I have a SPAN port for my IDS box?

    I have a network design that calls for a few CS11800s and its smaller brother. The security team has asked if this content switch has a SPAN port that is available so we can hang our IDS box off.
    Thanks
    B

    I am not extremely familiar with the CS11xxx series and its configuration options, but I can tell you that from experience with Cisco Catalyst switches and non-Cisco IDS devices a SPAN port is not always the best solution. In some instances I have had to disable packet learning in the SPAN session, and in other cases I have had to forego using SPAN at all and settled for an uplink to a hub that connected the IDS device and my router(s). This is especially true if the IDS device needs to be a member of the same VLAN as the traffic it is monitoring in order to send RST packets back onto the segment.
    I have researched this issue on my own and even opened TAC cases for a solution, but have received solutions ranging from "There's no reason this shouldn't work" to "You can not set up a SPAN session for IDS purposes." My recommendation would be (even though it does decrease performance a bit) to implement the hub solution, regardless of the CS11800 capabilities. This will prove to remove any potential X factors in the SPAN functionality and make your life a lot easier.
    Just my 2 cents. :)

  • Need to set up monitoring on multiple ports for IDS

    I have a Cisco 3845. I need to set up monitoring on multiple ports for IDS on 2 ports. How do I do this?
    Also,
    Is there a way to make ports on the switch portion act like hubs?
    Thanks

    I assume that you are referring to the Ethernet Switch Module in the 3845. If so it should support SPAN. Here is a SPAN configurations guide:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122z/122zj15/fz1636nm.htm#1820129

  • Applying span port for sniffer

    Hi,
    We want to sniff some traffic that is passing between two nodes in our network.
    The flow will look like this;
    Edge switch > Core switch > (Wireless controller A) > metro ethernet link > Core switch > (wireless controller B)
    Wireless controller is connected to the core switch. We want to sniff traffic that passes from controller A towards the other side of the network.
    Controller A side belongs to us, hence we can only put sniffing on our end.
    Please help me understand how to set up a SPAN port to a laptop in this setup.
    If we connect a notebook to the core switch to sniff traffic passing through, will it be right?
    Appreciate all inputs.

    That's correct, the only thing I might note is to decide if you want to collect both rx and tx data. By leaving it default, as you did above, it will capture "both" directions. Capturing both is fine, but it will increase your wireshark capture size. I would also recommend applying a wireshark filter to only see the specific traffic you are interested in. A simple Google search will give you more info on wireshark filters. Lastly, remember to remove the monitor session once you are done. We see leftover SPAN sessions often causing various switch problems, so they are only recommended to use as needed.
    HTH
    Luke

  • Span Port (For Whole Vlan)

    Hi All,
    I have a similar setup to the attached. I want to make sure that I mirror all traffic going through vlan 1. The Server is my device that I will be mirroring all traffic to. How do I ensure that traffic from all switches on VLAN 1 is mirrored to the port the server is plugged into?
    On the Core switch I currently have the following -
    monitor session 1 source vlan 1
    monitor session 1 destination interface Gi4/0/22  (This is where my server is plugged into)
    But I don't think I'm actually monitoring traffic from the other switches. Is there something else I need to add / configure on my access switching to ensure I'm spanning all VLAN 1 traffic from all switches to my server?
    Thanks

    Are you monitoring on an egress switch like the switch that is the default gateway for all of your users? If so, you should be capturing everything. If not, you'll possibly need to move your capture. This type of capture is local to a switch. The only other way that I know of is to create an RSPAN session on every switch that you want to capture from. You create a special remote span vlan. On the edge switch, monitor for vlan 1 as the source, and the destination is that special vlan. Do that for every switch. On your capture switch, monitor the source of the special vlan and then your destination would be your port. You would capture all traffic at that point.
    HTH,
    John

  • Monitor or Span port Vulnerability

    Is the Cisco IDS/IPS device connecting to a Monitor or SPAN port vulnerable? Is there a document which I can refer to?

    It's very unlikely, but not impossible. Snort's had a few and the general concept is applicable to any IDS. If you suck in data off the network and process it, there's the potential for vulnerabilities. If you're worried about it, put the management interface in a management dmz.
    http://www.infoworld.com/article/03/03/04/HNsnort_1.html

  • SPAN port or Capture?

    We currently have Cat6513 switches installed and we're looking into an IDSM-2 module, but for the time being, until we can actually purchase them, I would like to install a few snort sensors into the switch to "monitor" a few VLANs.
    I've read that there are only two SPAN ports and to gain some type of correlation to the events, I figure I would need to install a separate snort sensor for each vlan. The problem is the limit of two SPAN ports. I heard that there is a way to utilize a "capture" feature on the 65xx systems.
    Is the appropriate way for this to use the "capture" commands and if so how would I do that?
    Also, I read where the SPAN ports have no performance impact on the switch, but would the "capture" commands?
    I apologize if this is the wrong forum for this but I wasn't sure if this would be more of a switching or IDS question...
    Thanks for any assistance!
    -Jeff

    The solution to that issue of only two span ports is to use VACLs. There is documentation in Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 5.1.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1030828
    Refer to Catalyst 6500 Series Switch Command Reference for more information on trunk ports and ACLs.

  • Is SPAN port not allowed in Nexus FEX Port ?

    Hi
    Customer wants me to define a SPAN port on N2K; it is a FEX port. When I configure it I get the following statement from the switch.
    Is there any way to solve the problem?
    n5k-N2K(config-monitor)# destination ?
      interface  Configure interfaces
    n5k-N2K(config-monitor)# destination interface eth102/1/18
    ERROR: Eth102/1/18: Configuration not allowed on fex interface
    N5K VERSION
    Cisco Nexus Operating System (NX-OS) Software
    TAC support: http://www.cisco.com/tac
    Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.
    Software
      BIOS:      version 1.2.0
      loader:    version N/A
      kickstart: version 4.0(1a)N2(1)
      system:    version 4.0(1a)N2(1)
      BIOS compile time:       06/19/08
      kickstart image file is: bootflash:/n5000-uk9-kickstart.4.0.1a.N2.1.bin
      kickstart compile time:  2/25/2009 0:00:00 [02/25/2009 08:29:12]
      system image file is:    bootflash:/n5000-uk9.4.0.1a.N2.1.bin
      system compile time:     2/25/2009 0:00:00 [02/25/2009 08:56:57]

    Hi,
    A FEX port cannot be configured as a SPAN destination. Only a switch port can be configured and used as a SPAN destination.
    See link below for more info:
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/release/notes/Rel_5_1_3_N2_1/Nexus5000_Release_Notes_5_1_3_N2.html
    HTH

  • SPAN Configuration for IDSM

    Dears,
    We have IDSM / FWSM running in our 6500 switch. The FWSM is in transparent mode, and for the IDSM we configured one SPAN port.
    Right now we have one requirement for SPAN configuration. Currently the 6500 with the current SUP has a limitation of only 2 SPAN sessions,
    and we are using both, one for the FWSM and the second one for the IDSM.
    Can anyone help and suggest another option?
    Thanks.

    When running a FWSM in a 6500, you don't need to use a SPAN session to send traffic to the FWSM. To send traffic through the FWSM, use the "firewall" set of commands in the 6500 switch configuration.
    I recommend reading the section "Assigning VLANs to the Firewall Services Module" from the FWSM 4.1 Configuration Guide:
    http://www.cisco.com/en/US/customer/docs/security/fwsm/fwsm41/configuration/guide/switch_f.html#wp1175820
    There's also an example of these commands in the "FWSM Basic Configuration Example" here:
    http://www.cisco.com/en/US/customer/products/hw/modules/ps2706/products_configuration_example09186a00808b4d9f.shtml#sw
    A similar command exists for the IDSM ("intrusion-detection module"), for use in certain configurations. You can read more here, in the "Configuring IDSM-2" section of the IPS 6.1 Configuration Guide for CLI:
    http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_idsm2.html#wp1030828
    If nothing else, using these commands could free up the 2 available SPAN sessions for other use (such as a NAM module).

  • Control and management port for nm-cids

    Can anybody help me find the difference between the IP address that we use at the interface ids-sensor 1/0 and the IP address of the sensor and its default gateway
    10.10.10.2/24,10.10.10.1

    NM-CIDS information:
    There are 3 interfaces that you need to be aware of with the NM-CIDS.
    The NM-CIDS module has 2 interfaces (FastEthernet0/0 and FastEthernet0/1).
    The 3rd interface actually belongs to the router (IDS-sensor1/0)
    The Fa0/0 interface of the NM-CIDS is the external port of the NM-CIDS. When an IP Address is assigned to the NM-CIDS through the "setup" command, the IP is assigned to this Fa0/0 interface.
    The Fa0/0 interface is the external interface and so will need to be plugged into a hub (or switch), and the IP address assigned to it must be an address within the network address range for that network (vlan). The default gateway should be the same default gateway as for the other boxes on that network; the default gateway may be one of the addresses of the router in which the NM-CIDS was installed, or could be a completely different router. The NM-CIDS Fa0/0 interface could have been plugged into a completely different network than any of the interfaces of its parent router.
    Say for example that FastEthernet2/1 of the router is connected to vlan 10 on the switch and assigned an IP Address of 10.1.1.1. The Fa0/1 interface of the NM-CIDS is also plugged into the same switch on vlan 10. Because Fa0/1 of the NM-CIDS is plugged into the same network as Fa2/1 of the router, then both ip addresses can be in the same network and the router IP can be the gateway for the NM-CIDS. The Fa0/1 can have IP 10.1.1.30 with gateway 10.1.1.1 (Fa2/1 of the router).
    Alternatively the Fa0/1 of the NM-CIDS could have been plugged into vlan 30 (network 192.168.1.0) of the switch where the router does not have any interfaces. In this case the Fa0/1 of the NM-CIDS won't be in the same network as any of the router interfaces. So the Fa0/1 of the NM-CIDS will need an IP address within that network: 192.168.1.27 for example. And the gateway for the NM-CIDS would need to be whatever OTHER router is the default gateway on that network: 192.168.1.1 for example.
    The Fa0/1 interface of the NM-CIDS is the internal interface of the NM-CIDS on the backplane of the router. The Analysis Engine should be configured to monitor this interface.
    The "IDS-Sensor1/0" interface is the router's backplane interface to the NM-CIDS, and has 2 functions.
    1) When the router is configured to send packets to the NM-CIDS for analysis, the packets will be sent through the router's IDS-Sensor1/0 interface to the router backplane into the Fa0/1 interface of the NM-CIDS. You can almost think of IDS-Sensor1/0 and Fa0/1 as having a wire between them (the wire being the router backplane).
    2) The IDS-Sensor1/0 also serves a second purpose. The IDS-Sensor1/0 ALSO connects to a special part of the NM-CIDS hardware that acts as a console port for the NM-CIDS. When you "session" to the NM-CIDS what is actually happening is a telnet through this IDS-Sensor1/0 interface into the backplane of the router to that special part of the NM-CIDS hardware. So when you session to the NM-CIDS it looks like a console port. It is because of this "telnetting" as part of the session command that the router needs an address for the IDS-Sensor1/0 interface.
    The address assigned to the IDS-Sensor1/0 interface is never seen by the IPS software on the NM-CIDS; it is only used by the router in order to support the session command. This IDS-Sensor1/0 address does not need to be routable so it can be an internal loopback address as seen in this example: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cliguide/clinmcid.htm#wp1030678
    The loopback address is just a single address on a network that you are never going to use and never need to route packets to.
    This IP Address for IDS-Sensor1/0 should NOT be confused with the IP Address that was assigned to the Fa0/1 interface of the NM-CIDS.

  • NIS extensions for iDS 5.x yet?

    Hi all
    Anyone know if the NIS extension plugin they had for iDS 4.x is ported yet for iDS 5.x?
    If not, does anyone know if it is in the works and roughly when it will be available?
    Thanks
    James

    Simon Wakelin wrote:
    Hi,
    Does anyone know if iDS 5 supports the iDS 4.x Solaris Extensions? I heard
    NIS support was dropped?
    No, it does not support the NIS extension yet.
    Regards
    Daniel

  • SPAN port question

    Hi,
    I have two core switches 6500 and access switches 4500. Both chassis. I need to span ports, but these ports are not in a vlan. I know that there is a limit to span ports that are not in a vlan. Does anyone know what the limit is? Is there a way to make all of them span?
    Thanks!

    Hi Pablo
    As a forum focused on technical documentation, we checked to see if there was a doc that might answer your question.
    There is not enough information in your question for us to pinpoint exactly what you need, but have you looked at, for example, "Configuring SPAN, RSPAN, and ERSPAN" for the Catalyst 6500 (IOS 12.2SX)?
    If this doesn’t help, we’ll refer your question to the appropriate tech support community. They will probably find it helpful to know what operating system (CatOS or IOS) and which release you have, since this determines what SPAN features and restrictions are in effect.
    Thanks for posting,
    Hilde

  • Span port destination vlan

    Hi All, I need to span a port for a sniffer.
    Src port where server is located: gi 1/11 (vlan 100)
    Dest port where sniffer PC is located: gi 1/25
    My question is: does the port gi1/25 need to be on a specific VLAN? Can it be on the same VLAN as the source port, i.e. vlan 100? Or should it be on any non-source VLAN? Thanks in advance.

    Hi Thomas,
    Which model of switch are you enabling this span on?
    Anyways you can have the destination port on any vlan depending on what interface you are monitoring. The only problem is that when you are monitoring a VLAN rather than a physical interface you need to be aware that "A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list and is not monitored".
    Hope that helps.
    Regards
    Najaf
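    As an added example (not from any of the posts above, nor Cisco's own tooling), a small Python lint that parses IOS-style "monitor session" lines and flags the pitfalls raised in this thread: more sessions than the supervisor allows, a leftover session with no destination, a destination port that sits in a source VLAN and so is excluded from monitoring, and a 1 Gb/s destination asked to carry more mirrored traffic than it can forward. The config excerpt, the port-to-VLAN map, the port speeds and the 2-session limit are all constructed assumptions.

```python
import re

# Constructed sample (not from any real device): an IOS-style SPAN config
# plus hypothetical port->access-VLAN and port->speed maps for the same switch.
SAMPLE_CONFIG = """
monitor session 1 source vlan 100
monitor session 1 destination interface Gi1/25
monitor session 2 source interface Gi1/11
monitor session 2 source interface Gi1/12
monitor session 2 destination interface Gi1/26
monitor session 3 source interface Gi1/13
"""
PORT_VLAN = {"Gi1/11": 100, "Gi1/12": 100, "Gi1/13": 200,
             "Gi1/25": 100, "Gi1/26": 999}
PORT_MBPS = {p: 1000 for p in PORT_VLAN}  # assume every port is 1 Gb/s
LINE_RE = re.compile(r"^monitor session (\d+) (source|destination) (interface|vlan) (\S+)$")

def parse_sessions(config):
    """Group 'monitor session' lines by session id (one source per line)."""
    sessions = {}
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sid, role, kind, value = m.groups()
        s = sessions.setdefault(int(sid), {"src_if": [], "src_vlan": [], "dst": None})
        if role == "destination":
            s["dst"] = value
        elif kind == "interface":
            s["src_if"].append(value)
        else:
            s["src_vlan"].append(int(value))
    return sessions

def audit_span(config, port_vlan, port_mbps, max_sessions=2):
    """Return (session_id, issue) findings; session 0 means switch-wide."""
    findings = []
    sessions = parse_sessions(config)
    if len(sessions) > max_sessions:
        findings.append((0, f"{len(sessions)} sessions configured, platform limit is {max_sessions}"))
    for sid, s in sorted(sessions.items()):
        dst = s["dst"]
        if dst is None:
            findings.append((sid, "no destination: stale or incomplete session, remove it"))
            continue
        if port_vlan.get(dst) in s["src_vlan"]:
            findings.append((sid, f"destination {dst} sits in source VLAN {port_vlan[dst]}, so it is excluded from monitoring"))
        # Worst-case offered load: each source port at line rate in both directions
        # (the default rx+tx), plus every other port that belongs to a source VLAN.
        load = sum(2 * port_mbps.get(p, 0) for p in s["src_if"])
        load += sum(2 * mbps for p, mbps in port_mbps.items()
                    if p != dst and port_vlan.get(p) in s["src_vlan"])
        cap = port_mbps.get(dst, 0)
        if load > cap:
            findings.append((sid, f"up to {load} Mb/s mirrored into a {cap} Mb/s destination: expect drops"))
    return findings

if __name__ == "__main__":
    for sid, issue in audit_span(SAMPLE_CONFIG, PORT_VLAN, PORT_MBPS):
        print(f"session {sid}: {issue}")
```

The load figure is a ceiling, not a measurement; compare it with interface counters on the real destination port before deciding whether a 10 Gb/s destination or a filtered source list is needed.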

  • SPAN Port Monitoring Setup

    We have three Cisco Catalyst 3750 switches that are stacked. The primary switch has a VLAN (# 99) set up on it. The VLAN has our incoming internet connection. The LAN ports from the two redundant firewalls are routed back to the primary switch (non VLAN). The WAN ports on the firewalls are connected to the VLAN. There are three unused ports (46, 47 & 48) available on the VLAN. There are also a couple of available ports (36 & 38) on the primary switch that are not in the VLAN.
    We want to connect a hardware device that monitors network traffic to one of the ports on the switch. We need to connect two ports on the hardware device: one for LAN/WAN traffic, and one for the SPAN port.
    Question:
    Which port would you set up as the LAN port?
    Which port would you set up as the SPAN port?
    What commands would we run to set this up?
    Thanks

    I would suggest moving this post here: https://supportforums.cisco.com/community/6016/lan-switching-and-routing
    3750 isn't considered a small business switch.

  • Span Port

    In one of my locations I am using a Catalyst 2900 series XL switch with IOS ver 11.2. I want to make one port a SPAN for the other port where I connect my firewall, for the purpose of monitoring the traffic. Can I do the SPAN port on this switch? If so, what is the command?

    Hi, this link should cover it. Not sure which release it was introduced in, so you may have to upgrade from 11.2.
    http://www.cisco.com/en/US/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007e838.html#xtocid22
    hth
