Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Cisco Catalyst - SNORT

From: "shannong" <shannong () texas net>
Date: Mon, 23 Jun 2003 14:48:45 -0500
When mirroring traffic for many ports (or VLANs) under high loads such
as 600-1000Mbps, the catalyst can incur a CPU load even though the docs
say it shouldn't. I don't know if it's only when doing ports from more
than one module, ports from more than one VLAN, or FE ports to GE ports,
or simply a load factor, but the "problem" definitely exists.  You can
use capture ACLs instead of span ports on 6500s.  Do you have NativeIOS
or CatOS?

You can allow for spanning traffic on a port while also accepting
network traffic from it as a host.  As previously mentioned, it is
better to have a separate NIC for this.
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of twig les
Sent: Monday, June 23, 2003 11:38 AM
To: Tinsley Paul; 'Falvo, Jose Luis - (Arg)';
'Snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Cisco Catalyst - SNORT

We're mirroring a gig port via fiber on a 6509 and have been for
almost 2 years.  I've never noticed any performance difference
at all.  Caveat - We prolly only hit about 80-100 Mbs.

--- Tinsley Paul <Paul.Tinsley () HCAhealthcare com> wrote:

I recently asked this question of Cisco in reference to vlan
mirroring to a
gig fiber port on a 6509 and they said there should be no
performance
degredation as it's all done "in hardware."

-----Original Message-----
From: Falvo, Jose Luis - (Arg) [mailto:Jose.Falvo () attla com]
Sent: Monday, June 23, 2003 10:15 AM
To: 'javier () liendo net'
Cc: 'Snort-users () lists sourceforge net'; Rochas, Esteban -
(Ext Arg)
Subject: RE: [Snort-users] Cisco Catalyst - SNORT


Thanks Javier,
Could will be any performance problem configuring SPAN port in
a switch with
high traffic ?
Regards,
jose


-----Mensaje original-----
De: Javier Liendo [mailto:javier () liendo net]
Enviado el: Lunes, 23 de Junio de 2003 11:56 a.m.
Para: Falvo, Jose Luis - (Arg);
'Snort-users () lists sourceforge net'
Asunto: Re: [Snort-users] Cisco Catalyst - SNORT


hello jose

you'll have to configure the switch port where you are
plugging the snort device as a "span" port...

pls take a look at the following link to see how you
can configure it on a 6000 series catalyst switch...



http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconf
ig/s

pan.htm

also in my experience, if you configure a switch port
as span then you can not pass any management traffic
through that port so you will have to add another
network card and plug it to another switch port if you
want to manage this device remotely...

saludos

javier


--- "Falvo, Jose Luis - (Arg)" <Jose.Falvo () attla com>
wrote:

Hi All,
I'm probing Snort in our network. Snort was
installed and its run correctly.
Our problem is that snort only listen packet unicast
to snort IP or any
broadcast packet of VLAN where its was connected. 
Questions is:

In a Cisco Catalyst 8540 or Calalyst 6509, which is
configuration port for
SNORT listen all packet of the VLAN?

Regards and thanks,


Jose Luis Falvo
Dpto. Ingeniería 
AT&T Latin America
Tel. (54 11) 5288-0182 
 Olga Cosentini  1031 - Cap Fed
                                                  
Buenos Aires - Argentina

Este mensaje es confidencial. El mismo contiene
información reservada 
y que no puede ser difundida. Si usted ha recibido
este e-mail 
por error, por favor avísenos inmediatamente vía
e-mail y tenga la 
amabilidad de eliminarlo de su sistema; no deberá
copiar el mensaje 
ni divulgar su contenido a ninguna persona. Muchas
gracias.
 
This message is confidential. It contains
information that is privileged and
legally exempt from disclosure. If you have received
this e-mail by mistake,

please let us know immediately by e-mail and delete
it from your system; 
you should also not copy the message nor disclose
its contents to anyone. 
Thank You.





-------------------------------------------------------

This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An
INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10%
Monthly Commission!
INetU Dedicated Managed Hosting
http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or
unsubscribe:


https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:


http://www.geocrawler.com/redir-sf.php3?list=snort-users
Este mensaje es confidencial. El mismo contiene información
reservada 
y que no puede ser difundida. Si usted ha recibido este e-mail

por error, por favor avísenos inmediatamente vía e-mail y
tenga la 
amabilidad de eliminarlo de su sistema; no deberá copiar el
mensaje 
ni divulgar su contenido a ninguna persona. Muchas gracias.
 
This message is confidential. It contains information that is
privileged and
legally exempt from disclosure. If you have received this
e-mail by mistake,

please let us know immediately by e-mail and delete it from
your system; 
you should also not copy the message nor disclose its contents
to anyone. 
Thank You.



-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU
Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly
Commission!
INetU Dedicated Managed Hosting
http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU
Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly
Commission!
INetU Dedicated Managed Hosting
http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.       
-----------------------------------------------------------

__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com


-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: