Taps or SPAN (Monitor Session)

d1701
Level 1

Hello,

I'm currently looking into IDS placement and such. I had thought about it for a bit and wondered, what is the true difference between a Monitor Session off of a 3560 switch vs a true network TAP?

Is there any way to get Layer 1 and 2 errors sent to the IDS with a switch and the switch will not strip it?

Thoughts?

Using SPAN session is so much easier.

Thanks,

Matthew

5 Replies

d1701
Level 1

A little more info.

My idea was to take SPAN's from our 6500's and other networks and collapse them all to a couple of 3560's. Then the IDS would be tapped off of the 3560's...

Matthew

mhellman
Level 7

I'm not exactly sure what you mean by "layer 1 and 2 errors" but I wouldn't expect the sensor to do much at those layers regardless. The higher up the stack you go, the more it does. Have you considered VACL's on the 6500? Not a whole lot different than SPAN's but they allow a lot more (I think the limit is like 4 SPAN's on the 3560???)

What is a VACL? Never heard of that.

What I was worried about is that the IDS will not see everything off of a SPAN port from a switch because it would drop certain framing problems or packets that are crafted prior to sending it to the SPAN port.

That might be a valid theoretical problem, but I'm not sure how much I'd worry about it in practice. Evil bad frames shouldn't make it very far on the network and should be dropped long before getting to your IDS.

Here's a good article on implementing VACL's:

http://www.flukenetworks.com/fnet/en-us/supportAndDownloads/KB/IT+Networking/SuperAgent/How_do_I_limit_traffic_spanned_to_SuperAgent_on_a_Cisco_6500.htm
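To make the two options discussed in this thread concrete, here is an added example (not from this thread, the linked article or Cisco's documentation) of a 3560 SPAN session beside a 6500 VACL capture. The interface numbers, VLAN IDs and ACL contents are assumed; the comments note why neither option delivers CRC-failed frames to the sensor the way a passive TAP does.

```cisco
! --- Option A: local SPAN on a Catalyst 3560 (assumed interface numbers) ---
! Copies frames from the source ports to the IDS port. The copy is made
! after ingress processing, so frames that fail CRC, runts and giants are
! already discarded and never reach the sensor. A passive TAP, by contrast,
! repeats the physical signal and delivers such frames unchanged.
monitor session 1 source interface GigabitEthernet0/1 - 24 both
! "encapsulation replicate" keeps 802.1Q tags and Layer 2 control traffic
! (CDP, STP) on the copy; without it the IDS only sees untagged payload frames.
monitor session 1 destination interface GigabitEthernet0/25 encapsulation replicate
! Caveat: 24 sources feeding one 1 Gb/s destination oversubscribes it; the
! switch silently drops the excess copies, so the IDS misses traffic with no
! indication on the sensor side. Check the switch with
! "show monitor session 1" and "show interfaces GigabitEthernet0/25".

! --- Option B: VACL capture on a Catalyst 6500 (assumed VLANs 10 and 20) ---
! Forwards a copy of only the traffic matching an ACL to the capture port,
! so the IDS link carries less than a raw SPAN of the same VLANs would.
ip access-list extended IDS-INTERESTING
 permit tcp any any eq 80
 permit tcp any eq 80 any
 permit tcp any any eq 443
 permit tcp any eq 443 any
!
vlan access-map IDS-CAPTURE 10
 match ip address IDS-INTERESTING
 action forward capture
vlan access-map IDS-CAPTURE 20
 action forward
! Sequence 20 is required: without it, traffic not matched by sequence 10
! is dropped by the VACL, turning a monitoring change into an outage.
!
vlan filter IDS-CAPTURE vlan-list 10,20
!
interface GigabitEthernet3/1
 description IDS sensor (capture port)
 switchport
 switchport capture allowed vlan 10,20
 switchport capture
```

Neither option changes the answer to the original question: a switch drops malformed frames at ingress before any SPAN or VACL copy is made, so only a TAP will show the IDS Layer 1 and 2 errors.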
