Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
931
Views
0
Helpful
4
Replies

monitor session for IDS

Tormod Macleod
Level 1
Level 1

‎09-01-2014 04:03 AM - edited ‎03-07-2019 08:35 PM

We currently have a Snort IDS installed in an environment with only one switch. The monitor session config for this is below

monitor session 1 source vlan 34
monitor session 1 destination interface Gi1/5
monitor session 1 filter packet-type good rx

We are adding another three switches into the environment and would like to sniff traffic from all four switches without an additional IDS devices or NICs if possible. My intention is to configure the new switches as follows...

monitor session 1 source vlan 34
monitor session 1 destination remote vlan 35

And then alter the config on the switch to which the IDS is connected as follows...

monitor session 1 source vlan 34
monitor session 1 destination remote vlan 35
monitor session 1 filter packet-type good rx
monitor session 2 destination interface Gi1/5
monitor session 2 source remote vlan 35
monitor session 2 filter packet-type good rx

The original config was done by a former colleague so I just wanted to check whether this was the best way of doing it.

Also, should I remove the monitor session x filter packet-type good rx so that the IDS sees all packets? I would have thought that you want your IDS to see all packets? This command appears to be a default and appears any time I configure a monitoring session.

I'm running cat4500-ipbasek9-mz.122-54.SG1.bin on a Cisco 4948

 

Labels:
0 Helpful
4 Replies 4

Karsten Iwen
VIP
VIP

‎09-01-2014 05:14 AM

Your vlan also needs to be configured for remote-span:

vlan 35
  remote-span

I would keep the filter attached, if the frame is not "good" it can't do any harm on the destination-system. It typically won't even get there.

And make sure that you don't have too much span-traffic on the interswitch-links and the destination-link.

 

0 Helpful

Tormod Macleod
Level 1
Level 1
In response to Karsten Iwen

‎09-01-2014 06:52 AM

Hmmm, it doesn't seem to be working. I'm seeing the traffic from the other switches but not for the one to which the IDS is attached. It's like it won't let me take the VLAN 34 traffic and send it to a RSPAN session on the same switch

0 Helpful

Karsten Iwen
VIP
VIP
In response to Tormod Macleod

‎09-01-2014 07:38 AM

On the switch where the IDS is attached, you don't send the traffic to the remote-span vlan. On that switch the remote-span vlan is only the source and the physical interface is the destination.

0 Helpful

Tormod Macleod
Level 1
Level 1
In response to Karsten Iwen

‎09-01-2014 07:42 AM

So how do I get all of the VLAN 34 traffic sent to interface Gi1/5 on SW1? I'm beginning to think this is not possible with only one interface.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card