From: Greg Shipley (gshipleyneohapsis.com)
Date: Thu Dec 13 2001 - 12:48:27 CST

On Thu, 13 Dec 2001, Mike Disley wrote:

> I'm trying to add a second sensor to a separate VLAN on a CISCO 5500 switch.
> The network boyz tell me there can be only one SPAN port per switch. Can
> anyone confirm that for me?

It depends on the version of CatOS running on the switch. This is true on
the 5xxx series with older versions of CatOS, definitely. There's a
really interesting doc on Cisco's site about port mirroring/spanning that
can be found here:

http://www.cisco.com/warp/public/473/41.html
http://www.cisco.com/warp/public/473/41.pdf

I'm pretty sure you need CatOS v5.1 (or higher) on the 5xxx series
switches to do spanning using multiple ports. Your network guys are right
if they are using older versions of CatOS. Also note that this changes
depending on the switch platform, as well. The Cat2900 series, for
example, has been doing "port mirroring" to multiple ports for quite some
time. One word of caution, however - according to the doc I've referenced
above, on the Cat5xxx/6xxx:

"Whether one or several ports will eventually transmit the packet has
absolutely no influence on the switch operation. Thus, considering this
architecture, the SPAN feature has no impact on the performance."

But I believe this to be false. We've been able to get our Cat6500 in the
lab to drop frames on the SPAN port with fairly low levels of traffic
(below 400Mbps). What's eerie is that the switch appears to be performing
fine - no errors, no low RAM, no high CPU, etc. It just silently drops
frames on the span port. This does not appear to affect the delivery of
regular/production traffic, but you can see why this might concern someone
when it comes to IDS. (NOTE: if you aren't going over 100Mbps, don't
worry about this - sub-100 appears to work fine)

Unfortunately, we do not have a support contract on our Cat6500, so I'm
trying to navigate Cisco from the outside to get some answers. This is,
of course, not easy. I've made ZERO progress. But I do know that I can
get both the 3500 and 6500 series switches to drop frames when spanning,
and this concerns me.

Hope this helps,

-Greg
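Because the switch in Greg's account shows no error counter when the SPAN port drops frames, the practical check is to reconcile byte counters: what the mirrored source ports carried against what the sensor NIC actually received, plus a worst-case oversubscription check from port speeds. The block below is an added example, not code from the original post; the port names, counter values and sensor byte count are constructed assumptions, and the counters are assumed to be per-port in+out octets such as SNMP ifInOctets/ifOutOctets sampled twice over a fixed interval.

```python
"""Sanity checks for an IDS sensor fed from a SPAN (mirror) port.
Added example, not from the original post. The switch reports no error when it
drops frames on the SPAN port, so the check reconciles byte counters instead."""
from dataclasses import dataclass

@dataclass
class SourcePort:
    name: str
    speed_mbps: int   # link speed of the monitored port
    direction: str    # what the session mirrors: "rx", "tx" or "both"

def worst_case_span_load_mbps(sources):
    """Peak traffic a session can push at its destination port; mirroring
    both directions of a full-duplex link doubles the load."""
    return sum(p.speed_mbps * (2 if p.direction == "both" else 1) for p in sources)

def is_oversubscribed(sources, dest_speed_mbps):
    """True when the peak mirrored load exceeds the SPAN port's line rate."""
    return worst_case_span_load_mbps(sources) > dest_speed_mbps

def counter_delta(before, after, bits=64):
    """Difference between two counter samples, tolerant of wraparound
    (a 32-bit octet counter wraps in about half a minute at gigabit rates)."""
    return after - before if after >= before else (1 << bits) - before + after

def estimated_span_loss(mirrored_octets, sensor_octets):
    """Fraction of mirrored bytes that never reached the sensor NIC."""
    if mirrored_octets == 0:
        return 0.0
    return max(0.0, 1.0 - sensor_octets / mirrored_octets)

# Constructed sample (assumed values, not real measurements): both directions
# of two gigabit ports into one gigabit SPAN port, i.e. 4000 Mbps worst case.
# Per-port counters are in+out octets sampled 10 s apart; the first one wraps.
SAMPLE_SOURCES = [SourcePort("3/1", 1000, "both"), SourcePort("3/2", 1000, "both")]
SAMPLE_DEST_MBPS = 1000
SAMPLE_BEFORE = {"3/1": 4294960000, "3/2": 120000}
SAMPLE_AFTER = {"3/1": 300000000, "3/2": 420000000}
SAMPLE_SENSOR_OCTETS = 500000000   # bytes the sensor NIC counted in those 10 s

def sample_loss():
    """Loss estimate for the constructed sample; about 0.305 (30.5%)."""
    mirrored = sum(counter_delta(SAMPLE_BEFORE[p.name], SAMPLE_AFTER[p.name], bits=32)
                   for p in SAMPLE_SOURCES)
    return estimated_span_loss(mirrored, SAMPLE_SENSOR_OCTETS)

if __name__ == "__main__":
    print("oversubscribed:", is_oversubscribed(SAMPLE_SOURCES, SAMPLE_DEST_MBPS))
    print("estimated SPAN loss: %.1f%%" % (100 * sample_loss()))
```

A loss figure well above zero while the switch shows clean port counters is exactly the silent-drop condition described above; the oversubscription check catches the common case of mirroring both directions of a link into a SPAN port of the same speed.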