RE: Port spanning question [7:34469]
All right, to continue this with a little more detail. I have a 6509 w/ 2 Sup 2's, and a blade for switching. On the switch blade I am taking port fa3/47 and doing a mon session 1 and pumping that out to fa3/48, which I would be using to hang an IDS off. My question is this: since I am monitoring on fa3/47 both Tx and Rx and pushing it to fa3/48, is fa3/48 only allowed to listen, and not speak? That is the question. Before I turn on mon sess 1 destination fa3/48 I can do pings etc. to test for connectivity and all is good. Once I start pumping out the traffic to fa3/48 the device can no longer ping etc. Is this standard OP, that the port fa3/48 only becomes a listening port, so to speak? Sorry about the redundancy here, just trying to make myself clear as MUD.

Kell

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 05, 2002 1:22 PM
To: [EMAIL PROTECTED]
Subject: Re: Port spanning question [7:34469]

I think he was asking about the Switched Port Analyzer (SPAN) feature that allows one to connect a protocol analyzer or RMON probe or other device to one switch port and monitor other ports. This is a switch feature, not a router feature.

Priscilla

At 12:40 PM 2/5/02, Tom Martin wrote:
>Steven,
>
>STP is a layer 2 only function and in general it is configured only on
>switches. It can be configured on a router if the router is configured to
>act as a transparent bridge. More info can be found on Cisco's web site
>at:
>
>http://www.cisco.com/univercd/cc/td/doc/product/software/ssr83/rpc_r/53998.htm
>
>- Tom
>
>On Tue, 05 Feb 2002 11:38:32 -0500, Bates, Steven (SIGNAL) wrote:
>
> > Is it possible to do port spanning on a router, or is this just a layer
> > 2 option?
> >
> > Thanks
> >
> > Steven Kell Bates

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34626&t=34469
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Port spanning question [7:34469]
It all looks so obvious now:

Switch-A(config)#interface fastEthernet 3/1
Switch-A(config-if)#switchport
Switch-A(config-if)#switchport access vlan 1

Doh...Doh...Doh! Thought BVIs seemed a bit long-winded. I'm embarrassed!

Gaz

"Gaz" wrote in message news:[EMAIL PROTECTED]...
> Doh!
>
> I upgraded a 6000 a few months ago to have a quick play, but had to
> downgrade it shortly after for an install.
> I presume from your post that I may have been creating switched ports the
> long way?
> Creating BVIs is probably the long way.
> I had mistaken it for a router with a hell of a lot of interfaces, so I
> thought I would have to bridge between interfaces.
>
> Maybe I should have another go when I've got more time available?
>
> Oh well - Live and learn.
>
>
> Gaz
>
>
> "Michael Williams" wrote in message
> news:[EMAIL PROTECTED]...
> > Not yet. So far the Native IOS has been a supreme OS. You can make
> > switchports for the ports you want to be switchports, but it's IOS for the
> > rest. It's nice to have the entire switch under IOS control.
> >
> > Mike W.
> >
> > Patrick Ramsey wrote:
> > >
> > > how are you liking ios? seen any problems or performance
> > > issues?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34623&t=34469
Re: Port spanning question [7:34469]
Doh!

I upgraded a 6000 a few months ago to have a quick play, but had to downgrade it shortly after for an install.
I presume from your post that I may have been creating switched ports the long way?
Creating BVIs is probably the long way.
I had mistaken it for a router with a hell of a lot of interfaces, so I thought I would have to bridge between interfaces.

Maybe I should have another go when I've got more time available?

Oh well - Live and learn.

Gaz

"Michael Williams" wrote in message news:[EMAIL PROTECTED]...
> Not yet. So far the Native IOS has been a supreme OS. You can make
> switchports for the ports you want to be switchports, but it's IOS for the
> rest. It's nice to have the entire switch under IOS control.
>
> Mike W.
>
> Patrick Ramsey wrote:
> >
> > how are you liking ios? seen any problems or performance
> > issues?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34620&t=34469
Re: Port spanning question [7:34469]
I believe you are correct. I misunderstood. Although I've connected a laptop to a monitor (span) port before without using the inpkts command, and I was able to use the laptop on the network as well as hear any traffic from the other port(s).

Mike W.

Patrick Ramsey wrote:
>
> I'm not totally positive because I have never used the inpkts
> switch on a monitor command...but I think he might have been
> referring to the sniffer being able to send packets out... (say
> you are using a sniffer, not in promiscuous mode, and you want
> to be able to do reverse lookups on ip addresses sniffed) good
> theory? :)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34618&t=34469
Re: Port spanning question [7:34469]
I'm not totally positive because I have never used the inpkts switch on a monitor command...but I think he might have been referring to the sniffer being able to send packets out... (say you are using a sniffer, not in promiscuous mode, and you want to be able to do reverse lookups on IP addresses sniffed). Good theory? :)

-Patrick

>>> "Michael Williams" 02/06/02 03:07AM >>>
We've set up span ports to monitor servers, etc. and we never had to issue any extra commands so that layer 3 (IP) worked properly. I'm "monitoring" a port right now and the server attached to the port I'm "monitoring" operates just fine, IP broadcasts, ping, etc.

Mike W.

Jeff D wrote:
>
> If you want to allow the attached device to ping or browse, be
> it an IDS or
> pc, you need to add the "inpkts" cmd when setting up any span
> or rspan
> session.
>

Confidentiality Disclaimer
This email and any files transmitted with it may contain confidential and/or proprietary information in the possession of WellStar Health System, Inc. ("WellStar") and is intended only for the individual or entity to whom addressed. This email may contain information that is held to be privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized access, dissemination, distribution or copying of any information from this email is strictly prohibited, and may subject you to criminal and/or civil liability. If you have received this email in error, please notify the sender by reply email and then delete this email and its attachments from your computer. Thank you.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34613&t=34469
Re: Port spanning question [7:34469]
We've set up span ports to monitor servers, etc. and we never had to issue any extra commands so that layer 3 (IP) worked properly. I'm "monitoring" a port right now and the server attached to the port I'm "monitoring" operates just fine, IP broadcasts, ping, etc.

Mike W.

Jeff D wrote:
>
> If you want to allow the attached device to ping or browse, be
> it an IDS or
> pc, you need to add the "inpkts" cmd when setting up any span
> or rspan
> session.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34597&t=34469
Re: Port spanning question [7:34469]
Not yet. So far the Native IOS has been a supreme OS. You can make switchports for the ports you want to be switchports, but it's IOS for the rest. It's nice to have the entire switch under IOS control.

Mike W.

Patrick Ramsey wrote:
>
> how are you liking ios? seen any problems or performance
> issues?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34596&t=34469
Re: Port spanning question [7:34469]
If you want to allow the attached device to ping or browse, be it an IDS or pc, you need to add the "inpkts" cmd when setting up any span or rspan session.

Jeff

"Bates, Steven (SIGNAL)" wrote in message news:[EMAIL PROTECTED]...
> Actually what is going on is we are trying to get the port span feature
> going on a 6509 with native ios. As soon as I turn on the
> monitor session destination, the device that is plugged into the port can no
> longer ping, etc. If this is an IDS that is monitoring an
> egress pipe, how will it do session resets when appropriate?
>
> Steven Kell Bates

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34574&t=34469
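Kell's question at the top of the thread (fa3/48 stops answering pings the moment it becomes the monitor session destination) and Jeff's "inpkts" reply here are the same issue seen from two sides: a SPAN destination port mirrors traffic out to the attached sensor, and unless the configuration explicitly allows ingress on that port, frames the sensor tries to send (ARP replies, pings, an IDS's TCP resets) are dropped. The following is an added example, not code from this thread or from Cisco: a small Python audit that parses constructed configuration snippets in the two dialects the thread mentions (Catalyst native IOS "monitor session" lines and CatOS "set span" lines) and reports which destination ports are receive-only. The keyword shapes it recognises (an "ingress" keyword on the IOS destination line, "inpkts enable" on CatOS) are assumptions about syntax that varies by platform and software release; the sample configs are constructed, with Kell's fa3/47 -> fa3/48 session as the first one.

```python
"""Audit SPAN / monitor-session config for receive-only destination ports.

Added example (not from the GroupStudy thread). Assumed dialects:
  Catalyst native IOS:
    monitor session <n> source {interface|vlan} <id> [rx|tx|both]
    monitor session <n> destination interface <if> [ingress ...]
  CatOS:
    set span <src> <dst> [rx|tx|both] [inpkts enable|disable] [...]
Keyword availability depends on platform and release (assumption).
"""
import re
from dataclasses import dataclass, field
from typing import Optional

RECEIVE_ONLY = "receive-only"
INGRESS_ENABLED = "ingress-enabled"


@dataclass
class SpanSession:
    """One SPAN session as recovered from the configuration text."""
    name: str
    sources: list = field(default_factory=list)   # e.g. "interface Fa3/47", "vlan 10"
    direction: str = "both"                       # rx | tx | both (last source line wins)
    destination: Optional[str] = None             # port the sniffer / IDS hangs off
    ingress_allowed: bool = False                 # may the attached device *send*?


# Assumed keyword shapes for the two dialects.
IOS_SRC = re.compile(r"^monitor session (\d+) source (interface|vlan) (\S+)(?: (rx|tx|both))?$")
IOS_DST = re.compile(r"^monitor session (\d+) destination interface (\S+)(?: (ingress)\b.*)?$")
CATOS = re.compile(r"^set span (\S+) (\S+)(?: (rx|tx|both))?(?: inpkts (enable|disable))?(?: .*)?$")


def parse_span_config(text: str) -> list:
    """Collect SPAN sessions from IOS and/or CatOS configuration lines."""
    sessions: dict = {}
    catos_count = 0
    for raw in text.splitlines():
        line = raw.strip()
        m = IOS_SRC.match(line)
        if m:
            sess = sessions.setdefault(m.group(1), SpanSession(name=f"monitor session {m.group(1)}"))
            sess.sources.append(f"{m.group(2)} {m.group(3)}")
            sess.direction = m.group(4) or "both"
            continue
        m = IOS_DST.match(line)
        if m:
            sess = sessions.setdefault(m.group(1), SpanSession(name=f"monitor session {m.group(1)}"))
            sess.destination = m.group(2)
            sess.ingress_allowed = m.group(3) is not None   # no "ingress" keyword -> listen only
            continue
        m = CATOS.match(line)
        if m:   # CatOS packs source, destination and inpkts into one line
            catos_count += 1
            sess = SpanSession(name=f"set span #{catos_count}")
            sess.sources.append(m.group(1))
            sess.destination = m.group(2)
            sess.direction = m.group(3) or "both"
            sess.ingress_allowed = (m.group(4) == "enable")   # default/absent -> listen only
            sessions[sess.name] = sess
    return list(sessions.values())


def assess(sess: SpanSession) -> str:
    """Classify a session by whether the device on its destination port can transmit."""
    if sess.destination is None:
        return "incomplete"
    return INGRESS_ENABLED if sess.ingress_allowed else RECEIVE_ONLY


def audit(text: str) -> list:
    """Return (session name, destination, verdict, note) for every session found."""
    report = []
    for sess in parse_span_config(text):
        verdict = assess(sess)
        if verdict == RECEIVE_ONLY:
            note = ("device on this port hears the mirrored traffic but cannot ping, answer ARP "
                    "or send TCP resets; fine for a passive sensor, not for one that must respond")
        elif verdict == INGRESS_ENABLED:
            note = ("destination port also accepts frames from the attached device; review "
                    "that device's network access as you would any other host")
        else:
            note = "no destination configured; the session mirrors nothing yet"
        report.append((sess.name, sess.destination, verdict, note))
    return report


# Constructed sample configs (hypothetical; not taken from any real switch).
IOS_SAMPLE = """\
!
monitor session 1 source interface Fa3/47 both
monitor session 1 destination interface Fa3/48
!
monitor session 2 source vlan 10 rx
monitor session 2 destination interface Gi1/1 ingress vlan 10
!
"""
CATOS_SAMPLE = """\
set span 3/47 3/48 both inpkts disable learning disable
set span 5/1 5/2 rx inpkts enable
"""

if __name__ == "__main__":
    for name, dst, verdict, note in audit(IOS_SAMPLE + CATOS_SAMPLE):
        print(f"{name:18} -> {dst:8} {verdict:16} {note}")
```

Run against the constructed samples, session 1 (Kell's setup) and the first CatOS line come out receive-only, which is the behaviour he observed: the port still delivers every mirrored frame to the IDS, but nothing the IDS sends gets onto the wire. Whether you want that depends on the sensor's job; a purely passive monitor is safer with a receive-only port, while a sensor that is expected to reset sessions needs ingress enabled and then deserves the same access review as any other host on that VLAN.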
Re: Port spanning question [7:34469]
> > If this is an IDS that is monitoring an
> > egress pipe, how will it do session resets when appropriate?

One more stab from the limb I've gotten myself onto. Can you tell us more about your setup? What is it that you think is going to send a session reset? Are you using Cisco Secure Policy Manager? Cisco Secure Policy Manager can send a TCP reset. Remember TCP is end-to-end. The reset must go to the IP address that appears to be attacking. Assuming that the Policy Manager has a route there and that there are no other routing problems en route, sending a TCP reset should work under most conditions.

When you say "egress pipe," however, are you saying it's a one-way pipe, and only traffic leaving the network appears on the pipe? I could imagine that would make it harder to recognize an incoming attack. Perhaps that's not the right port to be monitoring.

I may be misunderstanding your question, but just let us know if that's the case.

> > Steven Kell Bates
>

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34565&t=34469
Re: Port spanning question [7:34469]
At 06:10 PM 2/5/02, Bates, Steven (SIGNAL) wrote:
>Actually what is going on is we are trying to get the port span feature
>going on a 6509 with native ios. As soon as I turn on the
>monitor session destination, the device that is plugged into the port can no
>longer ping, etc.

I think port 1 on the IDS module is supposed to be the monitor session destination port. The ports or VLANs that you want to monitor are supposed to be the monitor session source ports. Is that what you have?

Is it the IDS that can't ping? How do you have it configured? Did you give it an IP address and default gateway?

> If this is an IDS that is monitoring an
>egress pipe, how will it do session resets when appropriate?

It's just monitoring. I doubt that it can send a session reset, whatever that means, but I could be wrong. I think the only thing the IDS module can send is an alarm after it detects an attack. Alarms are generated by the IDS module through the Catalyst 6000 family switch backplane to the Director or Cisco Secure PM.

There's more info in the documentation here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/idsm/idsm_2/13074_03.htm

Priscilla

>Steven Kell Bates

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34552&t=34469
Re: Port spanning question [7:34469]
Actually what is going on is we are trying to get the port span feature going on a 6509 with native ios. As soon as I turn on the monitor session destination, the device that is plugged into the port can no longer ping, etc. If this is an IDS that is monitoring an egress pipe, how will it do session resets when appropriate?

Steven Kell Bates

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34534&t=34469
Re: Port spanning question [7:34469]
how are you liking ios? seen any problems or performance issues?

>>> "Michael Williams" 02/05/02 04:36PM >>>
Here's an interesting twist to that question: If your switch/router is a 6500 running Native IOS, can you span ports that are configured as router interfaces as opposed to switchports? I'm using a 6509 with Native IOS, and I have a server connected to a port configured as a "switchport". I was able to "monitor" that port on another port, also configured as a "switchport". I wonder if it's possible to "monitor" an ethernet port that's being used as a routing interface (i.e. not a switchport). Time to try it out. Too bad that 6509 is a production box =)

Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34522&t=34469
Re: Port spanning question [7:34469]
Here's an interesting twist to that question: If your switch/router is a 6500 running Native IOS, can you span ports that are configured as router interfaces as opposed to switchports? I'm using a 6509 with Native IOS, and I have a server connected to a port configured as a "switchport". I was able to "monitor" that port on another port, also configured as a "switchport". I wonder if it's possible to "monitor" an ethernet port that's being used as a routing interface (i.e. not a switchport). Time to try it out. Too bad that 6509 is a production box =)

Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34518&t=34469
Re: Port spanning question [7:34469]
I think he was asking about the Switched Port Analyzer (SPAN) feature that allows one to connect a protocol analyzer or RMON probe or other device to one switch port and monitor other ports. This is a switch feature, not a router feature.

Priscilla

At 12:40 PM 2/5/02, Tom Martin wrote:
>Steven,
>
>STP is a layer 2 only function and in general it is configured only on
>switches. It can be configured on a router if the router is configured to
>act as a transparent bridge. More info can be found on Cisco's web site
>at:
>
>http://www.cisco.com/univercd/cc/td/doc/product/software/ssr83/rpc_r/53998.htm
>
>- Tom
>
>On Tue, 05 Feb 2002 11:38:32 -0500, Bates, Steven (SIGNAL) wrote:
>
> > Is it possible to do port spanning on a router, or is this just a layer
> > 2 option?
> >
> > Thanks
> >
> > Steven Kell Bates

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34505&t=34469
RE: Port spanning question [7:34469]
Inherent port-spanning, no. You can bridge the ports, but your port will be "pruned" after it (the router acting as a bridge) learns the connected MAC addresses.

-----Original Message-----
From: Tom Martin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 05, 2002 12:41 PM
To: [EMAIL PROTECTED]
Subject: Re: Port spanning question [7:34469]

Steven,

STP is a layer 2 only function and in general it is configured only on switches. It can be configured on a router if the router is configured to act as a transparent bridge. More info can be found on Cisco's web site at:

http://www.cisco.com/univercd/cc/td/doc/product/software/ssr83/rpc_r/53998.htm

- Tom

On Tue, 05 Feb 2002 11:38:32 -0500, Bates, Steven (SIGNAL) wrote:
> Is it possible to do port spanning on a router, or is this just a layer
> 2 option?
>
> Thanks
>
> Steven Kell Bates

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34489&t=34469
Re: Port spanning question [7:34469]
I believe it's just a switch function. If I'm wrong, someone will correct me, but I'm 99.9% sure.

"Bates, Steven (SIGNAL)" wrote in message news:[EMAIL PROTECTED]...
> Is it possible to do port spanning on a router, or is this just a layer 2
> option?
>
> Thanks
>
> Steven Kell Bates

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34476&t=34469
Re: Port spanning question [7:34469]
Steven,

STP is a layer 2 only function and in general it is configured only on switches. It can be configured on a router if the router is configured to act as a transparent bridge. More info can be found on Cisco's web site at:

http://www.cisco.com/univercd/cc/td/doc/product/software/ssr83/rpc_r/53998.htm

- Tom

On Tue, 05 Feb 2002 11:38:32 -0500, Bates, Steven (SIGNAL) wrote:
> Is it possible to do port spanning on a router, or is this just a layer
> 2 option?
>
> Thanks
>
> Steven Kell Bates

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34479&t=34469
Port spanning question [7:34469]
Is it possible to do port spanning on a router, or is this just a layer 2 option?

Thanks

Steven Kell Bates

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34469&t=34469