Taps or SPAN (Monitor Session)

Oct 16th, 2007
I'm currently looking into IDS placement and such. I thought about it for a bit and wondered: what is the true difference between a Monitor Session off of a 3560 switch vs. a true network TAP?

Is there any way to get Layer 1 and 2 errors sent to the IDS with a switch, so that the switch will not strip them?


Using a SPAN session is so much easier.



d1701 Tue, 10/16/2007 - 05:47

A little more info.

My idea was to take SPANs from our 6500s and other networks and collapse them all onto a couple of 3560s. Then the IDS would be tapped off of the 3560s...


mhellman Wed, 10/17/2007 - 06:16

I'm not exactly sure what you mean by "layer 1 and 2 errors," but I wouldn't expect the sensor to do much at those layers regardless. The higher up the stack you go, the more it does. Have you considered VACLs on the 6500? Not a whole lot different from SPANs, but they allow a lot more (I think the limit is something like 4 SPANs on the 3560?).

d1701 Wed, 10/17/2007 - 06:37

What is a VACL? Never heard of that.

d1701 Wed, 10/17/2007 - 06:38

What I was worried about is that the IDS will not see everything off of a SPAN port from a switch, because the switch would drop packets with certain framing problems, or crafted packets, prior to sending them to the SPAN port.

mhellman Wed, 10/17/2007 - 06:57

That might be a valid theoretical problem, but I'm not sure how much I'd worry about it in practice. Evil bad frames shouldn't make it very far on the network and should be dropped long before getting to your IDS.

Here's a good article on implementing VACLs:
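The two capture methods discussed in this thread side by side, as an added configuration example that is not part of any post above: a local SPAN session on a Catalyst 3560 feeding the sensor, and a VACL capture on a Catalyst 6500 doing the same job with a filter. Interface names (Gi0/1, Gi0/24, Gi1/48), VLAN IDs (10, 20) and the ACL/access-map names are assumptions for illustration. The last command addresses the original worry about Layer 1/2 errors: a switch discards runt and CRC-errored frames at the ingress port and never copies them to a SPAN destination, so those frames only ever show up in the source port's error counters; a passive tap sitting in-line on the link is the only way for a sensor to see them.

```cisco
! --- Catalyst 3560: local SPAN session feeding the IDS sensor ---
! Assumed interfaces: Gi0/1 is the monitored uplink, Gi0/24 faces the IDS.
monitor session 1 source interface GigabitEthernet0/1 both
! 'encapsulation replicate' keeps the 802.1Q tags and Layer 2 control
! frames on the copy; without it the destination port sends untagged copies.
! 'ingress' is deliberately NOT configured, so the sensor port stays
! receive-only and the IDS cannot inject traffic back into the switch.
monitor session 1 destination interface GigabitEthernet0/24 encapsulation replicate
!
! Confirm the session is up and the source/destination are what you expect.
show monitor session 1
!
! --- Catalyst 6500: VACL capture instead of SPAN ---
! The capture applies to whole VLANs and only copies traffic that matches
! the ACL, so the sensor link is not flooded with everything on the box.
ip access-list extended IDS-CAPTURE
 permit ip any any
!
vlan access-map IDS-VACL 10
 match ip address IDS-CAPTURE
 action forward capture
!
vlan filter IDS-VACL vlan-list 10,20
!
interface GigabitEthernet1/48
 description IDS sensor (capture port, assumed)
 switchport
 switchport capture
 switchport capture allowed vlan 10,20
!
! --- Checking for the gap the thread worries about ---
! Frames that fail CRC/alignment on ingress are counted here and are not
! forwarded to any port, SPAN destination included. If these counters
! climb while the IDS sees nothing unusual, that is the SPAN-vs-tap
! difference in practice, not a sensor problem.
show interfaces GigabitEthernet0/1 counters errors
```

The `permit ip any any` ACL reproduces SPAN-like "everything" behaviour; narrowing it to the subnets or ports the sensor actually needs is the main practical advantage of the VACL approach over a raw SPAN.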


