
New Member

Taps or SPAN (Monitor Session)

Hello,

I'm currently looking into IDS placement and such. I had thought about it for a bit and wondered, what is the true difference between a Monitor Session off of a 3560 switch vs a true network TAP?

Is there any way to get Layer 1 and 2 errors sent to the IDS with a switch and the switch will not strip it?

Thoughts?

Using a SPAN session is so much easier.

Thanks,

Matthew
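A local SPAN session on a Catalyst 3560, added here as an example rather than configuration from the thread (interface numbers are placeholders); the comments spell out what a SPAN copy carries compared with a TAP:

```text
! Added example (not from the thread); interface numbers are placeholders.
! Monitor both directions of the uplink and copy them to the IDS port.
monitor session 1 source interface GigabitEthernet0/1 both
! 'encapsulation replicate' keeps 802.1Q tags and Layer 2 control frames
! that a plain destination port would otherwise send untagged.
monitor session 1 destination interface GigabitEthernet0/24 encapsulation replicate
!
! Caveats relevant to the Layer 1/2 question:
! - SPAN copies frames the switch has already accepted. Frames discarded at
!   ingress (CRC errors, runts, giants) are never copied; only a TAP passes
!   the raw signal through to the sensor.
! - A full-duplex source monitored with 'both' can deliver up to 2x its line
!   rate, but the destination port carries 1x. The excess is silently dropped,
!   so collapsing several sources onto one 3560 port oversubscribes it.
! - Verify the session with: show monitor session 1
```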

5 REPLIES
New Member

Re: Taps or SPAN (Monitor Session)

A little more info.

My idea was to take SPANs from our 6500s and other networks and collapse them all to a couple of 3560s. Then the IDS would be tapped off of the 3560s...

Matthew

Gold

Re: Taps or SPAN (Monitor Session)

I'm not exactly sure what you mean by "layer 1 and 2 errors" but I wouldn't expect the sensor to do much at those layers regardless. The higher up the stack you go, the more it does. Have you considered VACLs on the 6500? Not a whole lot different than SPANs but they allow a lot more (I think the limit is like 4 SPANs on the 3560???)

New Member

Re: Taps or SPAN (Monitor Session)

What is a VACL? Never heard of that.

New Member

Re: Taps or SPAN (Monitor Session)

What I was worried about is that the IDS will not see everything off of a SPAN port from a switch because it would drop certain framing problems or packets that are crafted prior to sending it to the SPAN port.

Gold

Re: Taps or SPAN (Monitor Session)

That might be a valid theoretical problem, but I'm not sure how much I'd worry about it in practice. Evil bad frames shouldn't make it very far on the network and should be dropped long before getting to your IDS.

Here's a good article on implementing VACLs:

http://www.flukenetworks.com/fnet/en-us/supportAndDownloads/KB/IT+Networking/SuperAgent/How_do_I_limit_traffic_spanned_to_SuperAgent_on_a_Cisco_6500.htm
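A VACL capture on a Catalyst 6500 running IOS, as an added example rather than configuration from the linked article or the thread (VLAN numbers, ACL and map names, the subnet and the interface are placeholders); it copies only the traffic the ACL selects to the IDS port, which is what makes it more selective than a plain SPAN:

```text
! Added example (not from the thread); VLANs, names, subnet and interface
! are placeholders.
! 1. Define what to copy. Here only TCP/UDP to or from the server subnet.
ip access-list extended IDS-INTERESTING
 permit tcp any 10.1.0.0 0.0.255.255
 permit tcp 10.1.0.0 0.0.255.255 any
 permit udp any 10.1.0.0 0.0.255.255
 permit udp 10.1.0.0 0.0.255.255 any
!
! 2. Access map: matching traffic is forwarded normally AND copied to the
!    capture port. The second sequence has no match clause, so it is a
!    catch-all that keeps forwarding everything else (without a copy);
!    omitting it would drop non-matching traffic via the implicit deny.
vlan access-map IDS-CAPTURE 10
 match ip address IDS-INTERESTING
 action forward capture
vlan access-map IDS-CAPTURE 20
 action forward
!
! 3. Apply the map to the VLANs the IDS should watch.
vlan filter IDS-CAPTURE vlan-list 10,20
!
! 4. Make the IDS-facing port a capture port limited to those VLANs.
interface GigabitEthernet1/1
 switchport
 switchport capture allowed vlan 10,20
 switchport capture
!
! Verify: show vlan access-map IDS-CAPTURE
!         show vlan filter
```

Unlike a SPAN session, the copy here is decided by the ACL match, so the IDS receives only the flows chosen and the capture port is less likely to be oversubscribed; the same ingress-error caveat as SPAN still applies, since the capture is taken from frames the switch has already accepted.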
