Cisco 3548XL Port Spanning/Mirroring with Snort IDS

minorix46
Level 1

Hello all,

I am trying to configure a SNORT IDS system running on a physical machine using Linux as the base OS. I have a small lab network set up with 3 VLANs, a 3548 switch and a 2611 router acting as the router-on-a-stick/inter-VLAN router. My goal is to set up SNORT as a host-based IDS system. To do that I know I need to use the "port monitor" command on the switch, and I have tested this and it works fine only when the SNORT system and the traffic I want to monitor reside on the same VLAN.

My problem is I want to be able to monitor a trunk link between the switch and router to see traffic coming from my 3 VLANs which contain servers. My goal is to run attacks on the servers to test SNORT's effectiveness.

Relevant information from my configuration:

Interface fa 0/1 on the switch is the trunk link carrying the 3 VLANs to the router.

On the switch:

int fa 0/1
  switchport mode trunk

int fa 0/5
  port monitor fa 0/1
  switchport mode access

The switch will not allow me to configure fa 0/5 as a trunk, only can be an access port.

So right now, SNORT does not see any traffic other than traffic from my router to the switch. I assume this is because that traffic goes over the native VLAN (1 in this case) and that is the same VLAN the SNORT box resides on via interface fa 0/5. So I know the span is working to an extent, but traffic from my other VLANs (server-to-server traffic) does not show on SNORT at all.

I have done some research on Cisco.com and see the following seemingly contradicting information:

VLAN Filtering

When you monitor a trunk port as a source port, all VLANs active on the trunk are monitored by default. You can use VLAN filtering in order to limit SPAN traffic monitoring on trunk source ports to specific VLANs

Then I see, under the section for the 3500 series:

A monitor port cannot be a dynamic-access port or a trunk port. However, a static-access port can monitor a VLAN on a trunk, a multi-VLAN, or a dynamic-access port. The VLAN that is monitored is the one that is associated with the static-access port.

My question is, does that mean the 3548 cannot support spanning a trunk link and having all VLANs on that trunk be monitored correctly to the monitoring port? I know the 3548 is old, but it is the only thing right now I have to work with. I could put the SNORT box inline on the network, but that is another mess in itself.

Any help is greatly appreciated,

Louis

Accepted Solution

milan.kulik
Level 10

Hi,

I'm afraid the wording of

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#topic1

is clear:

"A monitor port cannot be a dynamic-access port or a trunk port. However, a static-access port can monitor a VLAN on a trunk, a multi-VLAN, or a dynamic-access port. The VLAN that is monitored is the one that is associated with the static-access port."

So you can monitor only one VLAN on a trunk on 3500XL switches.

Note there is a different command "monitor session ..." used on later IOS versions, but it is not supported on XLs.

BR,

Milan


6 Replies


Milan,

Thank you for confirming my suspicions. I really needed someone else to interpret the documentation and confirm what I had thought.

It does sound like monitoring all VLANs on a trunk is certainly possible, just not on the model of switch I have.

Hi,

yes, I remember monitoring a trunk 8 years ago on Cisco 5000 switch running CatOS already.

Nowadays, you can use Cisco 3750 or 3560, e.g., with

monitor session session_number destination ... encapsulation replicate

option, see

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/command/reference/cli1.html#wp11906497

or

http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst3560/software/release/15.0_2_se/configuration/guide/swspan.html#wp1036749

for details.

BR,

Milan
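To make the difference concrete, here is an added configuration example (not posted by either participant) contrasting the two platforms. The 3500XL side follows the documented rule that a static-access monitor port only sees the VLAN it belongs to, so the access VLAN on the monitor port picks which VLAN of the trunk is mirrored; the 3560 side uses the "monitor session" syntax Milan links to, with "encapsulation replicate" so the sensor receives the frames with their 802.1Q tags intact. VLAN numbers (10, 20, 30), port numbers and the 3560 port naming are assumptions for the example.

```cisco
! --- Catalyst 3548XL: only one VLAN of the trunk can be mirrored ---
! Fa0/1 is the trunk to the router; Fa0/5 is the SNORT sensor port.
! The VLAN that is mirrored is the access VLAN of the monitor port,
! so to watch VLAN 20 server traffic the sensor port must sit in VLAN 20.
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 20
 port monitor FastEthernet0/1
!
! --- Catalyst 3560 (IOS 12.2/15.x): all VLANs on the trunk, tags preserved ---
! Source is the trunk; destination is the sensor port. "encapsulation replicate"
! forwards frames tagged exactly as they cross the trunk, so SNORT can tell
! VLAN 10, 20 and 30 apart. Without it the destination port sends untagged frames.
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination interface FastEthernet0/5 encapsulation replicate
! Optional: restrict the mirrored trunk traffic to specific VLANs.
! monitor session 1 filter vlan 10 , 20 , 30
```

Two checks worth doing on the sensor before trusting SNORT's verdict: "show monitor session 1" on the switch should list the source, destination and "Encapsulation : Replicate", and on the Linux sensor "tcpdump -e -nn -i eth1 vlan" (interface name assumed) should show frames carrying "vlan 10", "vlan 20" and "vlan 30" tags while the attack traffic runs. Note that a SPAN destination port on these platforms does not forward ingress traffic by default, so the sensor interface should be run without an IP address and in promiscuous mode, and SNORT pointed at it with "-i eth1"; a second, ordinary access port carries management traffic.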

I know this is also an older model, but I have seen information saying that a 2950 can monitor a trunk port with all VLANs being monitored. Do you know if that is possible or not?

Thank you very much for your help, I will use the 2950 I have instead.