[Snort-users] Cisco 6500 SPAN limitations, dropping packets, VACLs, RSPAN, real world
Old 04-28-2004
Jack McDonough

TO: Snort Users,

From: Jack McDonough, Knowledge Works, Inc.

Would really appreciate feedback, from anyone with hands-on knowledge -
primarily with Cisco 6500s and:

- local SPAN session limitations, when source is both tx/rx (I have
researched this, trying to compare notes)

- using RSPAN to mirror traffic on a local switch, does this work well?

- using VACLs, with specific TCP ports filtered - the scenario is with a
local machine set to sniff on the switch

Thanks in advance for your help and assistance.

Some folks have told me that packets can be dropped on local SPAN sessions
even when the destination port is not oversubscribed. But I have heard this
from people that may have an axe to grind or they want to sell you TAPs
(Test Access Points) or THEIR solution.

I have heard:
SPAN ports are the third priority, after switching and routing, so mirrored
packets can be dropped, but I have not seen a Cisco reference.

Some folks have told me that Cisco has problems with their SPAN ports acting
erratically, but this is not openly discussed, and is supposed "to be a big
secret", because "the Cisco people are certified and will not say anything
bad about Cisco."


Here is an excerpt from a thread:
"As Cisco is dropping "mirror" ports and going to capture ports, I now
see vlan tagged traffic. The network folks will not let me use mirror
ports any more since Cisco is removing that in future releases of
their IOS, from what I hear."

Does anybody know anything about the above statement, about Cisco dropping
SPAN or "mirror ports" and going to capture ports? Is anyone not using SPAN
for this reason?

Also, does anyone know if the session limitations for Local SPAN on Cisco
6500s are substantially more limited than on other vendors' switches?

Any ideas on what switch or switches to use as a TAP aggregation device,
when we bring back multiple TAPS to a Switch? Which vendor might have less
SPAN limitations?

I have been doing a bit of research on this, so if anyone has experience and
wants to share, I can be reached at 617 877-5560 and I would be happy to
compare notes.

In reference to the link ***below, I have talked to 9 people about the
following reference, and I have 10 conflicting opinions as to what "egress
sources" means. I think I know what it means; anyone care to share their
viewpoint on the definition?


***
http://www.cisco.com/univercd/cc/td/...22sx/swcg/span.htm#wp1036881

Local SPAN and RSPAN Source and Destination Limits
These are the local SPAN and RSPAN source and destination limits:

                               Local SPAN         RSPAN Source       RSPAN Destination
                               Sessions           Sessions           Sessions
Egress sources                                                       1 RSPAN VLAN
  Supervisor Engine 720        1                  1
  Supervisor Engine 2          1 (no remote SPAN  1 (no local SPAN
                               source session     egress source
                               configured)        session configured)
                               0 (remote SPAN     0 (local SPAN
                               source session     egress source
                               configured)        session configured)
Ingress sources                64                 64                 1 RSPAN VLAN
Destinations per session       64                 1 RSPAN VLAN       64

(In the RSPAN Destination Sessions column the only source, for both egress
and ingress, is the single RSPAN VLAN.)

Thanks Much,

Jack
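As an added illustration (not from Jack's post, and not copied from Cisco's documentation), here is what the three setups he asks about look like in Catalyst 6500 IOS configuration: a local SPAN session with a both-direction (rx/tx) source, an RSPAN session carried in a remote-span VLAN, and a VACL that copies only selected TCP ports to a capture port. Interface numbers, VLANs 10 and 900, session numbers and the chosen TCP ports are assumed.

```cisco
! --- 1. Local SPAN: mirror ingress and egress of Gi1/1 to the Snort sensor on Gi1/2.
!     In Cisco's limits table a source monitored in the tx direction ("tx" or
!     "both") is an egress source; an "rx"-only source is an ingress source.
monitor session 1 source interface GigabitEthernet1/1 both
monitor session 1 destination interface GigabitEthernet1/2

! --- 2. RSPAN: same kind of source, but carried across trunks in a dedicated
!     RSPAN VLAN (assumed VLAN 900) instead of to a local destination port.
vlan 900
 remote-span
!
monitor session 2 source interface GigabitEthernet1/1 both
monitor session 2 destination remote vlan 900
!
! On the switch where the sensor actually sits (the RSPAN destination session):
monitor session 3 source remote vlan 900
monitor session 3 destination interface GigabitEthernet1/4

! --- 3. VACL capture: forward all traffic on VLAN 10 normally, but copy only
!     HTTP and SMTP (assumed ports) to the capture port. This does not use a
!     SPAN session, so it is not counted against the limits in the table.
ip access-list extended CAPTURE-TCP
 permit tcp any any eq 80
 permit tcp any eq 80 any
 permit tcp any any eq 25
 permit tcp any eq 25 any
!
vlan access-map SENSOR-VACL 10
 match ip address CAPTURE-TCP
 action forward capture
vlan access-map SENSOR-VACL 20
 action forward
!
vlan filter SENSOR-VACL vlan-list 10
!
interface GigabitEthernet1/3
 switchport
 switchport capture allowed vlan 10
 switchport capture
```

Per the limits table above, a Supervisor Engine 2 allows only one of sessions 1 and 2 to carry an egress (tx/both) source at a time, whereas a Supervisor Engine 720 allows one of each.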