Home: www.packetnexus.com
I have confirmed, via Cisco, that if the OS is less than 5.X it is not possible. Under version 5.x or greater you can have 1 TX/RX span port and up to 4 EGRESS SPAN Sessions (RX Only)

> I'm trying to add a second sensor to a separate VLAN on a CISCO 5500 switch.
> The network boyz tell me there can be only one SPAN port per switch. Can
> anyone confirm that for me?

It depends on the version of CatOS running on the switch. This is true on the 5xxx series with older versions of CatOS, definitely. There's a really interesting doc on Cisco's site about port mirroring/spanning that can be found here:

http://www.cisco.com/warp/public/473/41.html
http://www.cisco.com/warp/public/473/41.pdf

I'm pretty sure you need CatOS v5.1 (or higher) on the 5xxx series switches to do spanning using multiple ports. Your network guys are right if they are using older versions of CatOS. Also note that this changes depending on the switch platform, as well. The Cat2900 series, for example, has been doing "port mirroring" to multiple ports for quite some time.

One word of caution, however - according to the doc I've referenced above, on the Cat5xxx/6xxx:

"Whether one or several ports will eventually transmit the packet has absolutely no influence on the switch operation. Thus, considering this architecture, the SPAN feature has no impact on the performance."

But I believe this to be false. We've been able to get our Cat6500 in the lab to drop frames on the SPAN port with fairly low levels of traffic (below 400Mbps). What's eerie is that the switch appears to be performing fine - no errors, no low RAM, no high CPU, etc. It just silently drops frames on the span port. This does not appear to affect the delivery of regular/production traffic, but you can see why this might concern someone when it comes to IDS.

(NOTE: if you aren't going over 100Mbps, don't worry about this - sub-100 appears to work fine)

Unfortunately, we do not have a support contract on our Cat6500, so I'm trying to navigate Cisco from the outside to get some answers. This is, of course, not easy. I've made ZERO progress. But I do know that I can get both the 3500 and 6500 series switches to drop frames when spanning, and this concerns me.

Hope this helps,
-Greg

http://www.cisco.com/warp/public/473/41.html#summ
Basically you can have one rx/rx+tx OR 4 TX only...
I use a firewall filter, but you can throw up a filter to check for them. I also check for outgoing and incoming leakage. On my Cisco I do this.

Access lists:

    access-list 101 deny ip mynetwork any log-input
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any log-input
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any log-input
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any log-input
    access-list 101 permit ip any any
    access-list 102 permit ip mynetwork any
    access-list 102 deny ip any any log

In wan interfaces:

    ip access-group 101 in
    ip access-group 102 out

You can accomplish these filters with any firewall using similar rules.

I was wondering if anyone knows of a method to test a NAT system for address space leakage. Thanks.

--Bob
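The ingress/egress filters in the post above, modelled as an added example (not code from the post or from Cisco): a small Python evaluator for the IOS extended-ACL lines, including wildcard (inverse) mask matching, first-match semantics and the implicit deny, so you can check offline which source addresses each list lets through on the inbound and outbound side. The post's "mynetwork" placeholder is assumed here to be 203.0.113.0/24, a documentation range.

```python
import ipaddress

# Constructed stand-in for the post's "mynetwork" placeholder: 203.0.113.0/24
# (an RFC 5737 documentation range), written as network plus Cisco wildcard mask.
MYNETWORK = "203.0.113.0 0.0.0.255"

# The two access lists from the post, with the placeholder substituted.
ACL_TEXT = f"""
access-list 101 deny ip {MYNETWORK} any log-input
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 101 permit ip any any
access-list 102 permit ip {MYNETWORK} any
access-list 102 deny ip any any log
"""

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard (inverse) mask: a 1 bit means 'ignore this bit'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC [WILDCARD]|any any [log]' lines."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        number, action, i = t[1], t[2], 4
        if t[i] == "any":
            src, i = "any", i + 1
        else:
            src, i = (t[i], t[i + 1]), i + 2
        if t[i] != "any":
            raise ValueError(f"only 'any' destinations handled: {line}")
        log = t[i + 1] if len(t) > i + 1 else None
        acls.setdefault(number, []).append((action, src, log))
    return acls

def evaluate(entries, src_ip):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, src, log in entries:
        if src == "any" or wildcard_match(src_ip, *src):
            return action, log
    return "deny", None
```

Run `evaluate(parse_acl(ACL_TEXT)["101"], "10.1.2.3")` for a packet arriving on the WAN side and `["102"]` for one leaving; a `permit` for a private or non-local source on the outbound list is exactly the leakage the post's filters are meant to log.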