I have a Cisco 4235 IDS sensor that I normally use for testing. Currently, we are still experiencing some issues with MyDoom. I have the administrative port on one VLAN and the sniffing port on the other. Aside from getting an event that says "DGRAM to long" (which I cannot figure out the cause of), I am not receiving traffic. Does this seem like a logical and proper setup? Thanks for the advice.
Yes, my sensor is connected to a switch. I see what you are saying as far as the spanning. I appreciate the help. I was just hoping to be able to set the sniffing port to that particular VLAN and capture broadcast traffic moving in that VLAN.
If all you are looking for is broadcast traffic then you won't need span.
The default config on most switches will send the Multi-Cast and Broad-Cast traffic to the sensor for the VLAN to which it is connected.
In addition, some Uni-Cast traffic will also be seen, but rarely.
This is where Span is needed to force the copying of these Uni-Cast packets to the sensor for monitoring.
NOTE: Because we are talking about a switch, the Multi-Cast, Broad-Cast, and Uni-Cast above refer specifically to the MAC Addresses of the packets and NOT the IP Addresses of the packets.
In some situations you will have a Broad-Cast IP Packet being sent with a Uni-Cast MAC Address. So be sure to look at the MAC Address and not the IP Address when trying to determine what the switch should do with the packets.
Also understand that very few attacks are ever seen in Multi-Cast and Broad-Cast traffic. The majority of attacks are in Uni-Cast traffic. So if all the sensor is seeing is the Multi-Cast and Broad-Cast traffic, then don't expect to receive any alarms.
To see if the sensor is seeing any packets, you won't be able to rely on the alarms being generated (most likely all the traffic is OK and will never generate an alarm). Instead, if this is a version 4.x sensor, execute "show interface" and see if the packet counts on the sensing interface are increasing.
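To make the MAC-versus-IP point above concrete, here is an added example (not code from the original thread or from Cisco) that models a switch's default forwarding decision for a handful of constructed Ethernet frames. The frames, MAC addresses and IP addresses are made up for illustration; `KNOWN_MACS` stands in for the switch's learned MAC table. The script classifies each frame by its destination MAC (the group bit in the first octet), separately reports the destination IP, and decides whether a sensor on a plain access port in the VLAN would receive the frame with and without SPAN. It reproduces the case called out in the reply, an IP broadcast (255.255.255.255) carried in a frame with a unicast destination MAC, which a switch treats as ordinary unicast.

```python
import struct
from typing import NamedTuple, Optional


class Frame(NamedTuple):
    dst_mac: bytes
    src_mac: bytes
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Split a raw Ethernet II frame into header fields and payload."""
    if len(raw) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    return Frame(dst, src, ethertype, raw[14:])


def mac_class(mac: bytes) -> str:
    """Classify a destination MAC the way switch forwarding logic does.

    The I/G bit (least significant bit of the first octet) set means a group
    address; all-ones is broadcast, any other group address is multicast.
    """
    if mac == b"\xff" * 6:
        return "broadcast"
    if mac[0] & 0x01:
        return "multicast"
    return "unicast"


def ipv4_dst(frame: Frame) -> Optional[str]:
    """Destination IP of an IPv4 payload (header bytes 16-19), or None for non-IP."""
    if frame.ethertype != 0x0800 or len(frame.payload) < 20:
        return None
    return ".".join(str(b) for b in frame.payload[16:20])


def sensor_sees(frame: Frame, span: bool, known_macs: set) -> bool:
    """Would a sensor on an ordinary access port in this VLAN receive the frame?

    Broadcast and multicast MACs are flooded to every port in the VLAN, and so is
    unicast to a MAC the switch has not learned yet. Known unicast goes only to the
    learned port, so the sensor sees it only when SPAN copies it.
    """
    if span:
        return True
    if mac_class(frame.dst_mac) in ("broadcast", "multicast"):
        return True
    return frame.dst_mac not in known_macs


def ethernet(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def ipv4(src_ip: str, dst_ip: str, proto: int, body: bytes) -> bytes:
    """Minimal IPv4 header, no options; checksum left zero (switching ignores it)."""
    def addr(s: str) -> bytes:
        return bytes(int(o) for o in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                      addr(src_ip), addr(dst_ip))
    return hdr + body


# Constructed sample data (hypothetical MACs and addresses, not a real capture).
BCAST = b"\xff" * 6
HOST_A = bytes.fromhex("000c29aabb01")
HOST_B = bytes.fromhex("000c29aabb02")
ROUTER = bytes.fromhex("00000c07ac01")
OSPF_MAC = bytes.fromhex("01005e000005")   # IPv4 multicast 224.0.0.5 maps to this MAC
UNLEARNED = bytes.fromhex("000c29aabbff")  # a MAC the switch has not seen yet

SAMPLE_FRAMES = {
    "arp_request": ethernet(BCAST, HOST_A, 0x0806, b"\x00" * 28),
    "ospf_hello": ethernet(OSPF_MAC, ROUTER, 0x0800, ipv4("10.1.1.1", "224.0.0.5", 89, b"\x02" * 8)),
    # IP broadcast inside a frame addressed to one MAC: the switch sees plain unicast.
    "ip_bcast_unicast_mac": ethernet(ROUTER, HOST_A, 0x0800, ipv4("10.1.1.10", "255.255.255.255", 17, b"\x00" * 8)),
    "tcp_known_unicast": ethernet(HOST_B, HOST_A, 0x0800, ipv4("10.1.1.10", "10.1.1.11", 6, b"\x00" * 20)),
    "tcp_unknown_unicast": ethernet(UNLEARNED, HOST_A, 0x0800, ipv4("10.1.1.10", "10.1.1.12", 6, b"\x00" * 20)),
}
KNOWN_MACS = {HOST_A, HOST_B, ROUTER}


def report(span: bool) -> dict:
    """Map frame name -> (destination MAC class, destination IP, sensor sees it)."""
    out = {}
    for name, raw in SAMPLE_FRAMES.items():
        f = parse_frame(raw)
        out[name] = (mac_class(f.dst_mac), ipv4_dst(f), sensor_sees(f, span, KNOWN_MACS))
    return out


if __name__ == "__main__":
    for span in (False, True):
        print(f"\nSPAN {'on' if span else 'off'}:")
        for name, (mc, ip, seen) in report(span).items():
            print(f"  {name:22s} dstMAC={mc:9s} dstIP={ip or '-':16s} sensor sees: {seen}")
```

Without SPAN only the ARP broadcast, the OSPF multicast and the unicast to an unlearned MAC reach the sensor; the IP broadcast with a unicast destination MAC and the ordinary TCP segment do not, which is exactly the traffic the reply says most attacks live in. The unknown-unicast case is the "rarely" in the reply: it stops being flooded as soon as the switch learns the MAC. One caveat the model ignores: a switch running IGMP snooping may constrain some multicast groups rather than flooding them to every port.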