Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
922
Views
0
Helpful
4
Replies

CS11800 - Can I have a SPAN port for my IDS box?

bjwhite
Level 1
Level 1

‎05-07-2001 10:43 AM

I have a network design that calls for a few CS11800s and it's smaller brother. The security team has asked if this content switch has a SPAN port that is availble so we can hang our IDS box off.

Thanks

B

Labels:
0 Helpful
4 Replies 4

bover
Level 1
Level 1

‎05-07-2001 11:00 AM

I am not extremely familiar with the CS11xxx series and its configuration options, but I can tell you that from experience with Cisco Catalyst switches and non-Cisco IDS devices a SPAN port is not always the best solution. In some instances I have had to disable packet learning in the SPAN session, and in other cases I have had to forego using SPAN at all and settled for an uplink to a hub that connected the IDS device and my router(s). This is especially true if the IDS device needs to be a member of the same VLAN as the traffic it is monitoring in order to send RST packets back onto the segment.

I have researched this issue on my own and even opened TAC cases for a solution, but have received solutions ranging from "There's no reason this shouldn't work" to "You can not set up a SPAN session for IDS purposes." My recommendation would be (even though it does decrease performance a bit) to implement the hub solution, regardless of the CS11800 capabilities. This will prove to remove any potential X factors in the SPAN functionality and make your life a lot easier.

Just my 2 cents. :)

0 Helpful

4ngreenfield
Level 1
Level 1

‎05-10-2001 11:07 AM

The CSS's do not have SPAN ports in the traditional sense. They do have an ethernet management port that is non-routable, but I think that's as close as your going to get to anything like a SPAN port. Your best bet is to either set up a VLAN for management purposes (sniffer, IDS, etc.) for each NMS device, or if you don't want to burn up ports on the CSS, use a hub or 3500 series switch and use that for IDS and sniffers. You will need to bridge that port, however, to the other VLAN(s) configured to have visibility to the other interface ports (unless, of course, you have one, big, flat VLAN).

0 Helpful

0dseelig
Level 1
Level 1

‎07-02-2001 05:26 AM

All Cisco switches can be configured to mirror traffic.

0 Helpful

kwon47
Level 1
Level 1
In response to 0dseelig

‎07-11-2001 05:11 AM

Yes, but these are content switches that came from the Arrowpoint aquisition. I do not know of any way to SPAN ports on the CSS series switches. They didn't even support trunking when they first came out, though the 5 code now supports it.

You'll have to put a hub in front of the CSS to monitor the traffic.

0 Helpful
Customers Also Viewed These Support Documents