https://community.cisco.com/t5/network-security/monitor-session-for-ids/m-p/2530862#M45455 <P>We currently have a Snort IDS installed in an environment with only one switch. The monitor session config for this is below</P><P><SPAN style="font-size:12px;"><SPAN style="font-family: courier new,courier,monospace;">monitor session 1 source vlan 34<BR />monitor session 1 destination interface Gi1/5<BR />monitor session 1 filter packet-type good rx</SPAN></SPAN></P><P>We are adding another three switches into the environment and would like to sniff traffic from all four switches without and additional IDS devices or NICs if possible. My intention is to configure the new switches as follows...</P><P><SPAN style="font-size:12px;"><SPAN style="font-family: courier new,courier,monospace;">monitor session 1 source vlan 34<BR />monitor session 1 destination remote vlan 35</SPAN></SPAN></P><P>And then alter the config on the switch to which the IDS is connected as follows...</P><P><SPAN style="font-size:12px;"><SPAN style="font-family: courier new,courier,monospace;">monitor session 1 source vlan 34<BR />monitor session 1 destination remote vlan 35<BR />monitor session 1 filter packet-type good rx<BR />monitor session 2 destination interface Gi1/5<BR />monitor session 2 source remote vlan 35<BR />monitor session 2 filter packet-type good rx</SPAN></SPAN></P><P>The original config was done by a former colleague so I just wanted to check whether this was the best way of doing it.</P><P>Also, should I remove the <SPAN style="font-size:12px;"><SPAN style="font-family: courier new,courier,monospace;">monitor session x filter packet-type good rx</SPAN></SPAN> so that the IDS sees all packets? I would have thought that you want your IDS to see all packets? This command appears to be a default and appears any time I configure a monitoring session.</P><P>I'm running cat4500-ipbasek9-mz.122-54.SG1.bin on a Cisco 4948</P><P>&nbsp;</P> Sun, 10 Mar 2019 13:14:18 GMT Tormod Macleod 2019-03-10T13:14:18Z https://community.cisco.com/t5/network-security/monitor-session-for-ids/m-p/2530862#M45455 <P>We currently have a Snort IDS installed in an environment with only one switch. The monitor session config for this is below</P><P><SPAN style="font-size:12px;"><SPAN style="font-family: courier new,courier,monospace;">monitor session 1 source vlan 34<BR />monitor session 1 destination interface Gi1/5<BR />monitor session 1 filter packet-type good rx</SPAN></SPAN></P><P>We are adding another three switches into the environment and would like to sniff traffic from all four switches without and additional IDS devices or NICs if possible. My intention is to configure the new switches as follows...</P><P><SPAN style="font-size:12px;"><SPAN style="font-family: courier new,courier,monospace;">monitor session 1 source vlan 34<BR />monitor session 1 destination remote vlan 35</SPAN></SPAN></P><P>And then alter the config on the switch to which the IDS is connected as follows...</P><P><SPAN style="font-size:12px;"><SPAN style="font-family: courier new,courier,monospace;">monitor session 1 source vlan 34<BR />monitor session 1 destination remote vlan 35<BR />monitor session 1 filter packet-type good rx<BR />monitor session 2 destination interface Gi1/5<BR />monitor session 2 source remote vlan 35<BR />monitor session 2 filter packet-type good rx</SPAN></SPAN></P><P>The original config was done by a former colleague so I just wanted to check whether this was the best way of doing it.</P><P>Also, should I remove the <SPAN style="font-size:12px;"><SPAN style="font-family: courier new,courier,monospace;">monitor session x filter packet-type good rx</SPAN></SPAN> so that the IDS sees all packets? I would have thought that you want your IDS to see all packets? This command appears to be a default and appears any time I configure a monitoring session.</P><P>I'm running cat4500-ipbasek9-mz.122-54.SG1.bin on a Cisco 4948</P><P>&nbsp;</P> Sun, 10 Mar 2019 13:14:18 GMT https://community.cisco.com/t5/network-security/monitor-session-for-ids/m-p/2530862#M45455 Tormod Macleod 2019-03-10T13:14:18Z