Re: 3548 SPAN port

niglio · ‎12-03-2002

I have two 3548XL switch connected in stack through 2 FE port (I don't know if it is a FEC).

I have NO VLAN defined.

I need to put an IDS to monitor all the traffic passing through the 2 switches.

Do I need to define 2 SPAN port, one for each switch or is there a way to use 1 SPAN port only?

Thanks

ibland · ‎12-03-2002

Try using 2 port monitor commands on the span port on one switch for the IDS (e.g. using interface fa0/3 as the span port, and interface fa0/1 & fa0/2 as the uplink ports ) :

int fa0/3

port monitor fa0/1

port monitor fa0/2

This should work as long as you're not using ISL/802.1q between the two switches.

Cheers,

Ian.

ibland · ‎12-03-2002

Assuming

Interface fa0/1 and fa0/2 are the inter switch ports, and fa0/2 is the span port,

try this on one switch only (no need for this on both switches) :

int fa0/3

port monitor fa0/1

port monitor fa0/2

As long as there's no trunking, this should work. I imagine that you have spanning tree on and only one interface is forwarding at any time.

Cheers,

Ian.

niglio · ‎12-04-2002

As there is no VLAN defined, if a workstation and a server connected on the same switch are talking, will i be able to monitor this traffic even if there is no reason for this data to be trasmitted to the secon switch?

Thanks

DAVE GENTON · ‎12-05-2002

No, not if the IDS is on the other switch. Once the MAC address is learned for each device and associated to their respective ports the traffic will only be forwarded there, you would have to span on that particular switch as well for local traffic.

d-