Re: Multiple Sniffing Ports Question

revangelista · ‎11-09-2004

I have a 4215 and my requirements are to sniff on four different segments of my network.

Question:

* Do I need to add a 4-FE card to fulfill this requirement?

* Or, can I configure the SPAN ports on my switches and route the traffic out to a different port of a switch which I will directly attach to my 4215's SNIFF interface?

Any assistance would be greatly appreciated.

Best,

--re

sachinraja · ‎11-10-2004

If all these 4 networks are physically/logically seperated from each other , (like PIX DMZ's), then you need to add a 4 FE card on the IDS to monitor the traffic. This is the right way of doing it.

In the second solution, you are complicating your setup with multiple spans. you actually need to span the different vlans onto the port where the 4215 span interface is connected. Well, this might also work, but it all depends on how you might want to implement it !!

hope this helps !!

all the best..

revangelista · ‎11-10-2004

OK, thanks.

sachinraja · ‎11-11-2004

Hello.. please mark the post as a solved one. its easy for the others to refer then.

thanks a lot.. rate replies if found useful !!

All the best !!

brok3n · ‎11-12-2004

Hopefully you dont have a need to apply different rulesets to those segments -- as Cisco still cant do this. Anyone else faced this problem? How are you dealing with it within the Cisco product line? If I have a sensor with a quad card and I want to watch 4 seperate sensors in two DIFFERENT security zones (say a DMZ, a segment outside the FW and and two internal segments) that call for drastically different signature sets/tuning -- how are you doing this?

-WP!