02-14-2008 06:15 AM - edited 03-05-2019 09:09 PM
Hi
I'm looking into an odd problem here. It all started when I realized our IDSM was randomly NOT triggering on malicious traffic flowing through a trunked interface. This interface handles all our VLANs but only three of those are filtered on the SPAN session sending traffic to the IDSM.
As a troubleshooting step I set the SPAN session destination to a sniffer and sent some Nessus and malicious web traffic over the trunk... some was seen on the sniffer but not all.
What could be the problem here? We have a 6513 with SUP720 and DFC cards. Is it possible that some traffic is missed by the SPAN session and sent directly to the ports by the DFC? I haven't found any clues in the IDSM manuals or the IOS guide for our 6513.
Regards
Fredrik
02-14-2008 08:22 AM
Fredrik
Without knowing any details of your environment I will suggest that one way that traffic can be dropped in a SPAN session is to oversubscribe the SPAN destination. For example if you have 3 source ports with each being 100 Mb and a single SPAN port also at 100 Mb then it is possible to generate more traffic to SPAN than the SPAN port can handle and some traffic will be dropped.
HTH
Rick
02-14-2008 10:26 AM
Thanks for your answer. I agree it's not easy to solve these things without prior knowledge. To answer your suggestion of oversubscription, I find that unlikely in my case. The trunk port being monitored IS a 1gb port but not at more than 20-30% utilization and the destination port is also a 1gb port.
/Fredrik