Cisco Support Community
New Member

VACL vs SPAN

Based on your experiences, which do you prefer? SPAN seems to expose a lot of false positive traffic, but will VACL not expose enough?

1 REPLY
New Member

Re: VACL vs SPAN

SPAN will capture everything but is simple.

VACLs allow granular control, so certain types of traffic can be filtered out by only using capture on the traffic that you are interested in. Care should be taken with your filters, otherwise you could be ignoring genuine attacks.

It is better to run IDS on SPAN for some weeks prior to tuning your VACLs to establish what you want to capture and what to ignore. This applies even if using SPAN ports.

IDS does require tuning, but once that has been done, it works really well with either technique.
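
An added example, not part of the thread above: one way to check a proposed VACL capture filter against the alerts collected during the SPAN baseline period, so that a filter which would hide genuine attacks is caught before deployment. The alert record layout, the addresses, the signature names and the simplified first-match filter model (not switch syntax) are all assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: alerts the IDS raised while fed by SPAN during the baseline.
# (signature, proto, dst_ip, dst_port, analyst verdict)
BASELINE_ALERTS = [
    ("web-sqli", "tcp", "10.1.20.5", 80, "true_positive"),
    ("web-sqli", "tcp", "10.1.20.5", 80, "true_positive"),
    ("smb-bruteforce", "tcp", "10.1.30.9", 445, "true_positive"),
    ("backup-noise", "tcp", "10.1.40.2", 10000, "false_positive"),
    ("backup-noise", "tcp", "10.1.40.2", 10000, "false_positive"),
    ("dns-tunnel", "udp", "10.1.20.53", 53, "true_positive"),
]

# Hypothetical proposed capture filter, modelled as ordered first-match entries:
# (proto, dst_network, dst_port or None for any port, capture?)
PROPOSED_VACL = [
    ("tcp", "10.1.40.0/24", 10000, False),  # stop capturing backup traffic
    ("tcp", "10.1.20.0/24", 80, True),
    ("tcp", "10.1.20.0/24", 443, True),
]

def is_captured(vacl, proto, dst_ip, dst_port):
    """First matching entry decides; unmatched traffic is not captured."""
    addr = ipaddress.ip_address(dst_ip)
    for e_proto, e_net, e_port, capture in vacl:
        if (e_proto == proto and addr in ipaddress.ip_network(e_net)
                and e_port in (None, dst_port)):
            return capture
    return False

def review_filter(vacl, alerts):
    """Return (missed true positives, suppressed false positives) per signature."""
    missed, suppressed = Counter(), Counter()
    for sig, proto, dst_ip, dst_port, verdict in alerts:
        if is_captured(vacl, proto, dst_ip, dst_port):
            continue  # the sensor would still see this traffic
        (missed if verdict == "true_positive" else suppressed)[sig] += 1
    return dict(missed), dict(suppressed)

if __name__ == "__main__":
    missed, suppressed = review_filter(PROPOSED_VACL, BASELINE_ALERTS)
    print("Genuine alerts the sensor would no longer see:", missed)
    print("False positives removed by the filter:", suppressed)
```

Any signature listed as missed marks traffic the filter would hide from the sensor and that should be added back to the capture entries before the VACL replaces SPAN.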
