Snort mailing list archives

Re: Please Help me! How configure span port to work with encapsulation trunks


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 20 Apr 2005 17:16:56 -0400

federico.juarez () ife org mx wrote:

Please Help Me!

We have a Cisco 6500 switch and have several VLANs and trunks configured. We tried
to configure a SPAN port to work with the Snort IDS, but we can't see all the
traffic. Does somebody know if that is due to the ISL encapsulation or other
causes? What can I do?


AFAIK snort will not understand ISL, which is a Cisco protocol, not an
industry standard.

Snort can deal with industry-standard 802.1q VLAN tags, but not ISL.

Could RSPAN be another solution?

No, RSPAN won't change what format the packet is in.

Your problem is that the source of your SPAN is a port which is using
ISL. RSPAN will let you span to ports on a different switch, but you
need to change what your SPAN/RSPAN is picking up in the first place.

You're pretty much limited to three options:

1) find a different port to monitor, one which isn't an ISL encapsulated
trunk
2) stop using ISL encapsulation on the port you want to monitor and switch
to 802.1q instead (dot1q in Cisco terminology)
3) don't use snort.
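
The following is an added example, not part of the original post: a Python check a sensor operator could run over raw frames taken from the SPAN destination to see whether they arrive ISL-encapsulated, 802.1q-tagged or untagged. The byte offsets follow Cisco's published ISL frame layout; the function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

ISL_DA_PREFIXES = (bytes.fromhex("01000c0000"), bytes.fromhex("03000c0000"))
ISL_HEADER_LEN = 26   # DA+type/user(6) SA(6) LEN(2) SNAP(3) HSA(3) VLAN(2) INDEX(2) RES(2)
TPID_8021Q = 0x8100

def classify_frame(frame: bytes) -> dict:
    """Report the VLAN encapsulation of one raw layer-2 frame."""
    if len(frame) < 14:
        return {"encap": "truncated"}
    # ISL: 40-bit Cisco multicast DA, SNAP AA-AA-03 at bytes 14-16.
    if (len(frame) >= ISL_HEADER_LEN and frame[:5] in ISL_DA_PREFIXES
            and frame[14:17] == b"\xaa\xaa\x03"):
        (vlan_bpdu,) = struct.unpack("!H", frame[20:22])
        # The original frame sits between the 26-byte header and a 4-byte CRC.
        inner = classify_frame(frame[ISL_HEADER_LEN:-4])
        return {"encap": "isl", "vlan": vlan_bpdu >> 1, "inner": inner}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q and len(frame) >= 18:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return {"encap": "802.1q", "vlan": tci & 0x0FFF, "ethertype": inner_type}
    return {"encap": "untagged", "ethertype": ethertype}

def summarize(frames) -> Counter:
    """Count frames per encapsulation, e.g. to spot an ISL-fed SPAN session."""
    return Counter(classify_frame(f)["encap"] for f in frames)

# Constructed sample frames (not captured traffic); CRC bytes are placeholders.
MACS = bytes.fromhex("001122334455" "0066778899aa")
UNTAGGED = MACS + struct.pack("!H", 0x0800) + bytes(46)
DOT1Q = MACS + struct.pack("!HHH", TPID_8021Q, 100, 0x0800) + bytes(46)
ISL = (bytes.fromhex("01000c0000") + b"\x00" + MACS[6:]
       + struct.pack("!H", len(UNTAGGED) + 12) + b"\xaa\xaa\x03"
       + b"\x00\x00\x0c" + struct.pack("!HHH", 100 << 1, 0, 0)
       + UNTAGGED + bytes(4))

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("dot1q", DOT1Q), ("isl", ISL)):
        print(name, classify_frame(frame))
    print(dict(summarize([UNTAGGED, DOT1Q, ISL, ISL])))
```

A non-zero "isl" count in the summary means the monitored source is still an ISL trunk, which is the situation options 1 and 2 above are meant to remove.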


