cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

330
Views
0
Helpful
2
Replies
Highlighted
Beginner

Question about Port Spanning with 3548 Switch

Hello all,

I have a small lab setup and I am trying to implement an IDS/IPS on the network. I have 3 VLANs setup (10, 20, and 30) with the switch and a router allowing for inter-vlan communication. Port FA 0/1 on the switch is setup as a trunk using 802.1Q connected to a single interface on the router.

I want to be able to monitor traffic on the trunk link on the switch and replicate that to the IDS/IPS host. Is there a way I can mirror traffic from FA 0/1 (the trunk link) to a regular access port on the switch which would connect to the IDS/IPS?

I have seen several articles on Cisco.com saying that you can have a source port as a multi-vlan link, but others say it is not possible. I did not have a chance to get into the lab to test this yet or else I would have.

Thank you for your help,

Louis

Everyone's tags (3)
2 REPLIES 2

Question about Port Spanning with 3548 Switch

Hello Louis,

Yes, it can be done, You can certanly SPAN a trunk link so you can send all the required information to the IDS/IPS so it can be inspected.

Now remember how the IPS mode works ( Promiscuous, Inline interface, Inline VLAN pair, Inline vlan group) so you can determine how the port connecting to the IPS should be configured.

Hope I could help,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Beginner

Question about Port Spanning with 3548 Switch

This is actually going to be a snort IDS. I understand the different modes, but do you think the port that monitors can be just an access port? I was also thinking about putting the snort box inline on the trunk link from the switch to the router and bridging two interfaces on the snort box to inspect traffic and allow it to pass through. Any idea if this would work on a trunk link?

I suspect it would since I think I read snort/Linux can handle dot1q now.

CreatePlease to create content
Content for Community-Ad