https://community.cisco.com/t5/network-security/ids-mirroring-issue/m-p/3023270#M43029 <P>Did you enable "<SPAN>Promiscuous Mode</SPAN>" on your vSwitch?</P> <P>https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&amp;cmd=displayKC&amp;externalId=1004099</P> Wed, 29 Mar 2017 08:16:07 GMT Dennis Perto 2017-03-29T08:16:07Z https://community.cisco.com/t5/network-security/ids-mirroring-issue/m-p/3023269#M43028 <P>Hi All,</P> <P>I have a below doubt on my setup. I am not sure whether setup i have built is as per IDS standards or not but SNORT IDS is not capturing traffic. I want to be sure from switch end i have mapped the needs of IDS. Below is the setup i have built.</P> <P>Step1:</P> <P>Built EIGRP between router &amp; switch over checkpoint transparent firewall. Neighourship/Routes are received as expected.</P> <P>Router4431---Gi0/0/1Routed Port(IP- 10.10.10.10/29)---------(L2 Bridge)Checkpoint(L2Bridge)---------Gig 0/0/1Routed Port(10.10.10.9/29)3850.</P> <P></P> <P>Step2:</P> <P>Created Snort on VM Dell Server on Shared NIC(VSwitch Group2) with IP 10.10.5.19. NIC is connected to 3850 L2 port Gi0/0/2. This IP is reachable from network working as expected. Other VMs are also reachable under this Vswitch Group. Snort Service on VM is active &amp; running.</P> <P></P> <P>Step3:</P> <P>Need is to monitor the traffic on Inside interface on 3850switch ie Gi0/0/1 which is routed to capture traffic which is received &amp; transfered over this inside port.</P> <P>I have used a port on Dell Server on separate NIC which is placed under dedicated for Snort mirror port Vswitch Group3 connected to 3850 L2 port Gi0/0/3. IP not assigned to this port. Switch port configuration for mirroring is as below.</P> <P>!</P> <P>interface gi0/0/1---Connected to Dell Server Shared Vswitch NIC 2 for all VMS</P> <P>no shut</P> <P>no switchport</P> <P>ip add 10.10.10.9 255.255.255.248</P> <P>!</P> <P>interface gi0/0/1---Connected to Dell Server Shared Vswitch NIC 2 for all VMS</P> <P>no shut</P> <P>switchport access vlan 2201--VLAN for VM Servers including SNORT</P> <P>!</P> <P>interface gi0/0/3---Connected to Dell Server dedicated Vswitch NIC 3 for Snort Mirroring</P> <P>no shut</P> <P>switchport mode access</P> <P>!</P> <P>monitor session 2 source interface Gi0/0/1 both</P> <P>monitor session 2 destination interface Gi0/0/3.</P> <P>!</P> <P>Is above setup is correct? I am not getting logs in snort, i think i am missing something. Please highlight your thoughts on this, can we monitor routed port as a source &amp; Mirror port on Snort side will work without IP?</P> <P></P> <P>Regards,</P> <P>Vishal</P> Sun, 10 Mar 2019 13:48:10 GMT https://community.cisco.com/t5/network-security/ids-mirroring-issue/m-p/3023269#M43028 Vishal Kolamkar 2019-03-10T13:48:10Z https://community.cisco.com/t5/network-security/ids-mirroring-issue/m-p/3023270#M43029 <P>Did you enable "<SPAN>Promiscuous Mode</SPAN>" on your vSwitch?</P> <P>https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&amp;cmd=displayKC&amp;externalId=1004099</P> Wed, 29 Mar 2017 08:16:07 GMT https://community.cisco.com/t5/network-security/ids-mirroring-issue/m-p/3023270#M43029 Dennis Perto 2017-03-29T08:16:07Z