Cisco Switching/Routing :: 3548XL Port Spanning / Mirroring With Snort IDS

Oct 30, 2012

I am trying to configure a SNORT IDS system running on a physical machine using Linux as the base OS. I have a small lab network setup with 3 VLANs, a 3548 switch and a 2611 router acting as the router-on-a-stick/inter-VLAN router. My goal is to set up SNORT as a host-based IDS system. To do that I know I need to use the "port monitor" command on the switch, and I have tested this and it works fine only when the SNORT system and the traffic I want to monitor reside on the same VLAN. My problem is I want to be able to monitor a trunk link between the switch and router to see traffic coming from my 3 VLANs which contain servers. My goal is to run attacks on the servers to test SNORT's effectiveness.
 
Relevant information from my configuration: interface fa 0/1 on the switch is the trunk link carrying the 3 VLANs to the router. On the switch:
 
int fa 0/1
 switchport mode trunk
int fa 0/5
 port monitor fa 0/1
 switchport mode access
  
The switch will not allow me to configure fa 0/5 as a trunk; it can only be an access port. So right now, SNORT does not see any traffic other than traffic from my router to the switch. I assume this is because that traffic is going over the native VLAN (1 in this case), which is the same VLAN that the SNORT box resides on via interface fa 0/5. So I know the span is working to an extent, but traffic from my other VLANs (server-to-server traffic) does not show up on SNORT at all. I have done some research on Cisco.com and see the following seemingly contradicting information:
 
VLAN Filtering: "When you monitor a trunk port as a source port, all VLANs active on the trunk are monitored by default. You can use VLAN filtering in order to limit SPAN traffic monitoring on trunk source ports to specific VLANs."

Then I see, under the section for the 3500 series: "A monitor port cannot be a dynamic-access port or a trunk port. However, a static-access port can monitor a VLAN on a trunk, a multi-VLAN, or a dynamic-access port. The VLAN that is monitored is the one that is associated with the static-access port."
 
My question is, does that mean the 3548 cannot support spanning a trunk link and having all VLANs on that trunk be monitored correctly to the monitoring port? I know the 3548 is old, but it is the only thing I have to work with right now. I could put the SNORT box inline on the network, but that is another mess in itself.


Cisco Switching/Routing :: Port Mirroring On A Catalyst 3560-X?

Oct 21, 2012

I've just installed 2 of these in my workplace on a PLC network. I'm now looking to set one of the ports up as my diagnostic port and would like to be able to mirror any of the other ports to this port. I believe it is called SPAN on Cisco switches. The only reference I can find to it is configuring via Telnet, which I haven't got a clue about. On my old Weidmuller switches it was just a few clicks away.


Cisco Switching/Routing :: Maximum Number Of Sessions For Port Mirroring On 4510

Apr 23, 2013

Are you only able to have two sessions for port mirroring on a Cisco 4510?


Cisco Switching/Routing :: Port Mirroring 2651 To Create Monitor Session From Source

May 20, 2013

I have a Cisco 2651. It contains two FastEthernet interfaces: Fa0/0 and Fa0/1. Fa0/1 has an IP address; Fa0/0 does not have an IP address. I need to create a monitor session from source Fa0/1 to destination Fa0/0. Then I want to connect my notebook to Fa0/0 to analyze some traffic from port Fa0/1.


Cisco Switching/Routing :: Port Spanning With 3548 Switch

Oct 19, 2012

I have a small lab setup and I am trying to implement an IDS/IPS on the network. I have 3 VLANs set up (10, 20, and 30) on the switch and a router allowing for inter-VLAN communication. Port FA 0/1 on the switch is set up as an 802.1Q trunk connected to a single interface on the router.
 
I want to be able to monitor traffic on the trunk link on the switch and replicate that to the IDS/IPS host. Is there a way I can mirror traffic from FA 0/1 (the trunk link) to a regular access port on the switch which would connect to the IDS/IPS?
 
I have seen several articles on Cisco.com saying that you can have a multi-VLAN link as a source port, but others say it is not possible. I did not have a chance to get into the lab to test this yet, or else I would have.


Cisco Switching/Routing :: 8192 / Spanning Tree Port Priority Value?

Sep 19, 2012

Why is it that when I set the port priority, for example to 8192, and then do a show spanning-tree vlan 1, it shows as 8193? Does it add the VLAN number? So if it was VLAN 10, would it be 8202?


Cisco Switching/Routing :: 2960 Switch Stack Spanning Tree Recalculate From Port One

Feb 23, 2012

2960 switch stack (flex): spanning tree recalculates from stack port one? I need to identify which port in the stack is causing the recalc. I have four 48-port switches, and show spanning-tree detail only indicates stack port 1.


Cisco Switching/Routing :: Password Reset 3548XL Switch

Feb 12, 2012

I recently received a Cisco 3548 XL switch, and I'm trying to reset the password from the console. I've followed the steps, but when I type from here: [code]


Cisco Switches :: Reconfigure Port Mirroring From Port FE17 To FE3 / SF200 Web Interface Crash

Mar 14, 2013

I was able to configure (via the SF200 web interface) port mirroring from port FE17 to FE7. I have since suppressed this port mirroring. When I try to reconfigure port mirroring from port FE17 to FE3, the SF200 web interface crashes and the SF200 seems to reboot.
 
I have updated the SF200 firmware from V1.1.2.0 to V1.1.2.9.44, after which I was able to configure (via the SF200 web interface) port mirroring from port FE17 to FE7. But after having suppressed this port mirroring again, I was not able to reconfigure a new port mirroring from port FE1 to FE3 (the SF200 hangs).
 
I have also tried returning to the factory default settings, but this does not solve the issue. I am working on an SF200-24P.


Cisco WAN :: ASR 1006 Supported Span Port Or Port Mirroring?

Mar 2, 2011

Does the ASR 1006 support a SPAN port or port mirroring? Any config for that?


Cisco :: Port Mirroring On Switches?

Oct 31, 2011

I have a Cisco Catalyst 3750X switch, and I have configured port mirroring on it. Traffic from 12 of the 1G ports will be mirrored to both 10G ports, and I have connected both 10G ports to a server that captures the traffic.

Currently, I have one of the 12 1G ports connected to another server that replays a pcap file once at maximum speed (i.e. option -t in tcpreplay). I thought that this setup means I should get twice the number of packets (and rate) from the two 10G ports. However, I noticed that although the original pcap file contains 4288 packets, the number of packets from the two 10G ports varies between 31000 to 34000 packets, which is about 7 to 8 times the original number of packets. Why am I getting more than twice the amount of traffic, and why does the output vary?


Cisco WAN :: Port Mirroring For 851W With 12.4T?

Jan 31, 2011

I have looked up the command sequence for port mirroring and it seems pretty straightforward; however, in my case the command will not execute.
 
I have a 851W with 12.4T
 
If I do: #monitor session 1 source interface fa 4      (wan port)
 
I get the response "invalid input detected"; however, if I do the same command for fa 1, fa 2 and fa 3 they work.
 
Using the ? shows the valid entries are [0-4] for FastEthernet.
 
I just want to monitor WAN traffic with Wireshark, particularly DDNS requests, with a spare PC connected to a free LAN port.
 
I would use a hub on the WAN connection, but unfortunately I do not have one at the moment.


Cisco Switches :: Getting SG300-28 Port Mirroring?

Apr 28, 2013

I have created a mirror to copy all packets from interface gi1 to interface gi28. I don't see any port 80 traffic, or 443, or any relevant traffic. I see mostly broadcasts from other devices. I have a security device that is logging all the copied packets from my firewall for malware/IPS etc. inspection. Right now I have it monitoring VLAN 1 in the hope that it would resolve this issue, but I see no change.


Cisco Switches :: Port Mirroring On SG300

May 3, 2011

I want to configure port mirroring on an SG300 switch; the port monitoring status is "Not Ready", and I cannot monitor the source interface!


Cisco Switches :: Getting The Port Mirroring On SG300?

Nov 8, 2011

I'm troubleshooting a LAN issue I have, and I wanted to hook up Wireshark to record traffic over the course of a couple of hours for later diagnostics. I went into the web administration interface, clicked Administration > Diagnostics > Port and VLAN Mirroring, and added a port mirror from the port I wanted to watch to a port to which I had connected a laptop. I picked the Tx and Rx options, and clicked Apply. I did receive lots of traffic in Wireshark, but I noticed immediately that the server on the port I had mirrored was suddenly unavailable on the network: pings timed out. This lasted until I removed the mirror, then the server was suddenly reachable once again. Does this feature not work the way I had thought it does? What I saw looked more like a forward than what I would call a mirror. The documentation leads me to believe mirroring is intended to be used in just the way I was attempting to use it.


Cisco Firewall :: Setup Port Mirroring On An ASA 5510?

Sep 14, 2011

I'm trying to set up port mirroring on a Cisco ASA 5510, but when I try to use the switchport monitor command, that command is not recognized. I've selected what interface I want to configure (conf-if), but the switchport command seems not to be part of the IOS. I'm running ASA version 8.2(1).


Cisco Switches :: Port Mirroring Limit On SGE2010?

Oct 25, 2012

I have been told there is a limit (8) on the number of source ports that can be mirrored to a given destination port. I can find no specifications or other documentation to corroborate this claim. Any factual data to confirm or refute this claim?


Cisco Switching/Routing :: Maximum Spanning Tree Instances 128

Apr 24, 2013

I read that the maximum number of spanning tree instances is 128. Are there any switches that can go beyond 128 instances? Or can we do this through IOS updates?


Cisco Switching/Routing :: 3750 No Spanning Tree Vlan

Feb 29, 2012

I have a 3750 switch which has the command 'spanning-tree vlan **'. I am struggling to remove this command, as this particular VLAN is one I want to distribute across our network. So far I have set the switch to VTP transparent mode and removed the VLAN from the database, which removes the command. If I then put the switch back into VTP client mode (or manually add the VLAN while in VTP transparent mode), the command comes back. Submitting the 'no spanning-tree vlan **' command has no effect.


Cisco Switching/Routing :: 2960s / Redundancy Without Spanning Tree?

May 8, 2012

I want an opinion on which switch I should replace the Cisco 2960s with so as to eliminate the need for spanning tree there, but then what would the design look like between the Netscreen and those new switches? Also, would it be vendor independent to work between Cisco and Netscreens/Cyberguard?


Cisco Switching/Routing :: 6509 How Does Spanning-tree Operate

Mar 21, 2012

I am connecting a Nexus 5K to a 6509 without VSS. Is the recommended configuration just a straight EtherChannel? Since the 6509 cannot do vPC, is an EtherChannel the best way to configure this uplink? How does spanning-tree operate?


Cisco Switching/Routing :: Logging Event Spanning-tree IOS 12.2(58)

Oct 20, 2011

I can't configure "logging event spanning-tree" on a specific port under IOS 12.2(58)SE2 (all other "logging event" options are possible); under 12.2(55) it is possible. Is this a known bug or a default value?


Cisco Switching/Routing :: 3750X Spanning Tree Priority

May 2, 2012

We will soon add 2 new core 3750X switches; these 2 devices will manage the spanning tree (root). My idea is to change the priority in order to make 1 of the 2 the root. My question is: if I set up the same priority for both, when one goes down will the other assume the role of root in the spanning tree topology?


Cisco Switches :: Port Mirroring Limit Of 8 Ports On SGE2010P

Jan 24, 2013

Recently our company purchased 3 Linksys SGE2010P switches. At the moment they work as a stack, but as we are implementing UCCX we need to mirror 15 ports, and during provisioning I've noticed that the limit is 8 ports per stack. I'm wondering whether this is a known issue or just a known limitation. I believe that most probably I'll need to move back to standalone mode so I can configure 8 mirrored ports per switch.


Cisco Infrastructure :: Catalyst Express 500 Port Mirroring Capabilities?

Mar 1, 2006

Does this switch have some port mirroring capability (SPAN or other)?


Cisco Switching/Routing :: Spanning-tree Change On VSS 6500 Switch?

Jun 19, 2012

Changing the spanning-tree mode on a live 6500 running in VSS mode? If so, what are the things to watch out for?


Cisco Switching/Routing :: 3750-X / Rapid Spanning Tree Inconsistent?

May 12, 2013

I have two switches claiming to be the root bridge for the same VLANs. The 3750-X stack was configured to be the root for the VLANs present, and the 2960S was brought online over the weekend to replace another one. This is the command I used to attempt to make the 3750-X stack the root:

spanning-tree vlan 1-2,10,50,101,200,900,999 root primary diameter 4

The IOS converted that to this:

spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default

[code]......


Cisco Switching/Routing :: 3750G Spanning Tree On New Switch Stack

Nov 3, 2011

I am about to rip and replace my current 3750G stack with a 3750X stack. I have trunked over the VLAN and VTP info and implemented a config, so it should be ready to go other than moving cables onto it. However, one thing I want to correct with our current setup is that the root bridge for our VLANs, including VLAN 1, is on a separate set of switches that we control; I would like this new stack to be the root bridge for all of our VLANs. It will be the central set of switches that all other switches trunk into. I have pre-set higher spanning-tree priorities for each VLAN on the new stack, so I expect that as I move lines onto it the tree will be recalculated with it as the root bridge. I've ensured that there are no root guards on any of the other switches' trunks and that priorities are all at default levels for each VLAN. Should I enforce root guard on the trunk interfaces of the new master stack? Most of the trunks are port-channels to the other switches: do I need to set root guard on the port-channel interface or on the individual ports that make up the port-channel? On both? Any other recommendations regarding implementing spanning-tree with the new stack? I know using port-channels eliminates a lot of the potential for loops, but not every trunk is one, and I'd still like to have spanning-tree on.


Cisco Switching/Routing :: IE-3000-4tc - Use Of REP In Large Spanning Tree Domain

Feb 8, 2011

A question concerning the use of REP for IE-3000-4TC switches:
 
In figure 14 of the REP pdf URL, can you explain why this creates a loop in the system? From the document, I thought REP and RSTP could talk to each other, so why does this create a loop if they are exchanging information with each other? Also, if, in figure 14, the two switches in the STP domain that connect to the REP ring were also connected to each other, would there still be a loop in the system?
 
Also, what is the recommended maximum diameter a REP ring should be? I thought I read someplace that 130 nodes is OK, but I'm looking to confirm this.


Cisco Switching/Routing :: 3020 Diagnosing Spanning Tree High CPU

Sep 25, 2012

I am looking for some troubleshooting help for some Cisco blade switches that are running high CPU. I have two 3020 blade switches in an HP chassis that each have two 1G links port-channeled to a pair of Nexus 5548s. Spanning tree has been constantly running at about 35% of CPU for the last couple of weeks, causing management SVI latency and CLI lag. The port-channel is the root port and the switches have no other connections.
 
Here are the things I have tried in troubleshooting the issue.
 
- Removed links from the port-channel so that one is forwarding and one is blocking
- Removed the blocking link so that the switch only has one uplink
- Converted from PVST to RSTP
- Entered no spanning-tree vlan <all vlans>, so when you do show spanning-tree there are no instances of spanning tree
- Connected the single uplink to a different switch
 
Nothing has changed the continuous high spanning tree utilization of about 35%.
 
The 3020 switches' server interfaces are configured as trunks for ESX running on the blades. It seems the only possible loop that could be causing this issue is on the ESX virtual switches, but I am not sure how that is possible. I say this because I have another pair of 3120s that have the exact same problem! However, they were working fine (CPU normal) until the enclosure was populated and began switching traffic. After they began carrying a medium/heavy network switching load, the 3120s are running at a constant 56% spanning tree CPU utilization!


Cisco Switching/Routing :: Spanning-tree Between 4507 And Extreme Switch

Aug 15, 2012

We will be connecting a Cisco 4507 with Extreme switches. We ran into spanning-tree issues last time; Extreme does not understand spanning-tree. So what I am thinking is to prevent BPDU advertisement from the 4507 to the Extreme switches and also prevent incoming BPDUs from the Extreme switches to the 4507. I am thinking of using:
 
spanning-tree bpdu filter
spanning-tree bpdu guard
spanning-tree root guard


Cisco Switching/Routing :: 6509 Debug Spanning-tree Functions In Lab

Nov 9, 2012

I'm testing the debug spanning-tree functions in a lab; the hardware is a Cisco 6509 with SUP-720-3B and WS-X6748-SFP, and the IOS is 12.2.33.SXJ. It's the root in some VLANs, and the STP mode is rapid-pvst. I wanted to see how spanning-tree is working (STP packet dumps, etc.), and entered the following commands on the 6509: [code]
 
Then I turned the "debug spanning-tree all" mode on. Now I expect to see BPDU packets from the Cisco and other spanning tree events in the logs on the syslog server, or in the log buffer, but I don't get anything there. Except there are some lines in the log (they repeat very rarely): [code]


Cisco Switching/Routing :: 5500g 3com Switches - Spanning Tree

Jan 10, 2013

I have problems too when I connect 3Com and Cisco.
 
I have 2 3Com 5500G switches connected with 2 links. If LACP is disabled, this causes serious problems and STP does not work.
 
Logically, the link is a port trunk with all VLANs permitted. One switch has STP enabled and the other RSTP. Why does this not work fine? Do I maybe need to configure MSTP? PVSTP is not allowed on these switches.

Copyrights 2005-15 www.BigResource.com, All rights reserved