SPANing multiple VLANs

ibsenj
Level 1

I have a SPAN port receiving data from multiple VLANs on a switch. The SPAN port is connected to the sensing interface on a 4250 IDS sensor. I am seeing multiple copies of the same packets when I run snoop on the sensor. I am assuming that what I'm seeing is a packet traversing multiple VLANs.

My question - will the Cisco IDS create an alert for each identical packet, or does it have the smarts to recognize that these are multiple copies of the same packet, and create just one alert?

Regards Jeff

3 Replies

marcabal
Cisco Employee

Depends on the signature and the type of traffic.

The atomic signatures will likely alert on each copy of the packet.

The stream based regex signatures may only fire one alarm because the stream reassembly code may throw out the duplicate packet.

Fragmented traffic may also only fire a single alarm because the fragmentation reassembly code may throw out the duplicate packet.

As for why you are getting duplicates:

What type of span are you using, and what type of switch are you using, and what is routing between the vlans?

If you are doing a both (tx+rx) span on a vlan, and both the source and destination ports are in the same vlan then you are getting duplicates even within the same vlan: once for the rx, and again for the tx.

Try using only rx span so you see the packets just when they enter the switch and not when they leave the switch.

If you are using a Cat 6000 with an MSFC doing the routing then try spanning rx on each port of each of the vlans being routed. This way you see the packets come in one vlan, instead of in on one vlan and out on the second vlan. (Note: the MSFC port in many cases doesn't act the same with span as the other physical ports of the switch. Packets being routed by the MSFC may be switched in hardware to increase routing performance, and never actually be sent to the MSFC port, so span won't see them as either rx or tx to the MSFC port.)

Thanks for the great reply - according to the network architect we are not SPANing ports, we are SPANing VLANs, as outlined in http://www.cisco.com/warp/public/473/41.html#local.

The switch is a 6513 with MSFC.

Do your recommendations still apply?

Regards, Jeff

Yes,

I would suggest trying either an "rx" span of the vlans. (Could lead to duplicates of a few of the packets being routed, but at least not duplicating every packet)

Or an "rx" span of the ports in the vlans. (Should prevent almost all of your duplicates)

A "both" span of the vlans will produce duplicate packets.

NOTE: Some deployment scenarios may cause the packet to enter the switch twice, in which case you may not want to span both of the vlans in these situations to prevent the duplicates.

Example: Internet->Router->Switch->Firewall->SwitchAgain->InternalNetwork
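The three SPAN variants discussed in this thread, written out as an added example that is not part of the original posts. It assumes the 6500 runs native IOS `monitor session` syntax rather than CatOS; the VLAN numbers, interface names and session number are placeholders chosen for illustration.

```text
! Duplicate-producing setup: a "both" VLAN SPAN copies a packet routed
! between VLAN 10 and VLAN 20 on the way in and again on the way out.
monitor session 1 source vlan 10 , 20 both
monitor session 1 destination interface GigabitEthernet1/1

! Option 1: rx-only VLAN SPAN. Each packet is copied only when it enters
! the VLAN; a few routed packets may still show up twice (once per VLAN).
no monitor session 1
monitor session 1 source vlan 10 , 20 rx
monitor session 1 destination interface GigabitEthernet1/1

! Option 2: rx-only SPAN of the physical ports in those VLANs.
! Packets are copied once, as they arrive on the access port, so the
! MSFC's routing step no longer creates a second copy.
no monitor session 1
monitor session 1 source interface GigabitEthernet2/1 - 4 rx
monitor session 1 destination interface GigabitEthernet1/1
```

Option 2 only sees traffic that enters on the listed ports, so an uplink or trunk port carrying the VLANs must be added to the source list if its ingress traffic should reach the sensor.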