Cisco Support Community

New Member

6513 SPAN ports or capture ports?

I posted this in the IDS forum, but didn't quite get an answer that made sense; I'm hoping in the switch forum this might make a little more sense.

We currently have Cat6513 switches installed and are looking into an IDSM-2 module, but for the time being, until we can actually purchase them, I would like to install a few snort sensors into the switch to "monitor" a few VLANs.

I've read where there are only two SPAN ports and to gain some type of correlation to the events, I figure I would need to install a separate snort sensor for each vlan. The problem is the limit of two SPAN ports. I heard that there is a way to utilize a "capture" feature on the 65xx systems.

Is the appropriate way for this to use the "capture" commands and if so how would I do that?

Also, I read where the SPAN ports have no performance impact on the switch, but would the "capture" commands?

I apologize if this is the wrong forum for this but I wasn't sure if this would be more of a switching or IDS question...

Thanks for any assistance!

-Jeff

2 REPLIES
Bronze

Re: 6513 SPAN ports or capture ports?

Hi,

Yes, there is the capture solution for your case; is it appropriate or not?

One beautiful thing is that it overcomes the session number limit. How you configure it: think, or do a research using the keyword VSPAN. The idea here:

1-you limit the traffic you want to capture by an access-list :

#access-list 105 xxxxxxxxx

2-you define your vlan access-map

(config)#vlan access-map test

3-you match your traffic

(config-access-map)#match ip address 105

4-set the action to forward capture

(config-access-map)#action forward capture

#exit

5-define a filter

(config)#vlan filter test vlan-list 55 (for example we took here VLAN 55)

6-go to the port where your sensor is plugged

(config-if)#switchport

(config-if)#switchport capture allowed vlan 55

(config-if)#switchport capture

and you will get your traffic

About performance: as you know, ACLs consume CPU cycles, but since you are using a high-end switch, certainly those ACLs are in the ternary table in hardware, so performance, I think, does not matter.

HTH

Do rate if so.
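A fuller version of the steps above, written out as an added example that is not from the original reply: it goes one step beyond the single-VLAN case and feeds two VLANs to two separate sensor ports, which is what the original question asks for. The interface names, VLAN numbers and ACL number are assumptions.

```cisco
! Constructed example (not from the original post). Assumed: VLANs 55 and 56,
! sensor A on Gi3/1, sensor B on Gi3/2, ACL number 105.
!
! 1. Select what to capture. A VACL has an implicit deny at the end, so the
!    access-map must match (and forward) everything you want switched normally;
!    here every IP packet on the filtered VLANs is both forwarded and captured.
access-list 105 permit ip any any
!
! 2-4. VLAN access-map: forward the matched traffic and also send a copy to
!      the capture ports.
vlan access-map SENSOR-CAPTURE 10
 match ip address 105
 action forward capture
!
! 5. Apply one filter to both monitored VLANs.
vlan filter SENSOR-CAPTURE vlan-list 55,56
!
! 6. One capture port per sensor. "switchport capture allowed vlan" restricts
!    which captured VLANs are copied out of that port (default is all VLANs),
!    which is how each sensor sees only its own VLAN.
interface GigabitEthernet3/1
 description Snort sensor A - VLAN 55 only
 switchport
 switchport capture allowed vlan 55
 switchport capture
!
interface GigabitEthernet3/2
 description Snort sensor B - VLAN 56 only
 switchport
 switchport capture allowed vlan 56
 switchport capture
!
! Verify: the map, the filter and the capture ports.
! show vlan access-map SENSOR-CAPTURE
! show vlan filter
! show interface GigabitEthernet3/1 capture
```

Capture ports only transmit copies of matched traffic, so the sensor side of the link needs no IP configuration on the switch; a separate VLAN or access-map with a narrower ACL (for example, only the subnet of interest) reduces the copied volume if the sensor link is slower than the monitored VLANs.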

Bronze

Re: 6513 SPAN ports or capture ports?

Hi my friend, did you test the post?

Let us know.
