Re: SPAN and slammer [7:62917]
John, It looks like you need the "monitor session" command on this box. Check this out in the command reference. HTH, -Bob Sinclair CCIE #10427, MCSE Senior Network Engineer Networking For Future, Inc. www.nffinc.com - Original Message - From: "John Brandis" To: Sent: Wednesday, February 12, 2003 6:56 PM Subject: SPAN and slammer [7:62917] > Hi All, > > Have a 4006 in place here using Version 12.1(12c)EW as my core switch. > Yesterday had fun with Slammer, and last night also. I wanted to use the > SPAN so I could mirror the data from one port to my snort box so I could > verify to the sys-admins that it was slammer (they said it would never > happen here). However, noticed that this command was not available on this > IOS. I had to revert back to a hub scenario between my switch and firewall > to see what was going on. > > My question is, how do you people monitor this without using SPAN, and also, > how do you implement security on a per port basis (such as denying hubs on > your network) > > PS: Any one ever used a tap here, and if so, how did it fit into your > switched network. > > Thanks all > > John > > > > ** > > visit http://www.solution6.com > > UK Customers - http://www.solution6.co.uk > > ** > > The Solution 6 Head Office and NSW Branch has moved premises. > Please make sure you have updated your records with our new details. > > Level 14, 383 Kent Street, Sydney NSW 2000. > > General Phone: 61 2 9278 0666 > > General Fax: 61 2 9278 0555 > > ** > > This email message (and attachments) may contain information that is > confidential to Solution 6. If you are not the intended recipient you cannot > use, distribute or copy the message or attachments. In such a case, please > notify the sender by return email immediately and erase all copies of the > message and attachments. Opinions, conclusions and other information in > this message and attachments that do not relate to the official business of > Solution 6 are neither given nor endorsed by it. > > * Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62924&t=62917 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: SPAN and slammer [7:62917]
Hey, you can't expect Cisco to be consistent, can you? :-) It looks like on the 4000 the SPAN command is "monitor session." See here: ww.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_14/config/span.htm Although I understand the gist of your question about port security and hope somebody answers it, I just wanted to mention that you can't recognize that a hub has been inserted. It's just a physical-layer device. It doesn't send frames, just bits. It doesn't have a MAC address. (If it's a managed hub and needs to send management data, then it does have a MAC address, and then you could identify it was there if it happened to send some management data.) Sniffing on switched networks is problematic. I think, strange though it might sound, it's rather common to insert a hub in order to use an analyzer or IDS. It's a shame, though, because you have to set the endpoints to half duplex and risk performance and, worse, auto-negotiation problems. Of course, getting SPAN to work is preferable, but as you noticed, that can be problematic too! Priscilla John Brandis wrote: > > Hi All, > > Have a 4006 in place here using Version 12.1(12c)EW as my core > switch. > Yesterday had fun with Slammer, and last night also. I wanted > to use the > SPAN so I could mirror the data from one port to my snort box > so I could > verify to the sys-admins that it was slammer (they said it > would never > happen here). However, noticed that this command was not > available on this > IOS. I had to revert back to a hub scenario between my switch > and firewall > to see what was going on. > > My question is, how do you people monitor this without using > SPAN, and also, > how do you implement security on a per port basis (such as > denying hubs on > your network) > > PS: Any one ever used a tap here, and if so, how did it fit > into your > switched network. > > Thanks all > > John > > > > ** > > visit http://www.solution6.com > > UK Customers - http://www.solution6.co.uk > > ** > > The Solution 6 Head Office and NSW Branch has moved premises. > Please make sure you have updated your records with our new > details. > > Level 14, 383 Kent Street, Sydney NSW 2000. > > General Phone: 61 2 9278 0666 > > General Fax: 61 2 9278 0555 > > ** > > This email message (and attachments) may contain information > that is confidential to Solution 6. If you are not the intended > recipient you cannot use, distribute or copy the message or > attachments. In such a case, please notify the sender by > return email immediately and erase all copies of the message > and attachments. Opinions, conclusions and other information > in this message and attachments that do not relate to the > official business of Solution 6 are neither given nor endorsed > by it. > > * > > Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62922&t=62917 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
SPAN and slammer [7:62917]
Hi All, Have a 4006 in place here using Version 12.1(12c)EW as my core switch. Yesterday had fun with Slammer, and last night also. I wanted to use the SPAN so I could mirror the data from one port to my snort box so I could verify to the sys-admins that it was slammer (they said it would never happen here). However, noticed that this command was not available on this IOS. I had to revert back to a hub scenario between my switch and firewall to see what was going on. My question is, how do you people monitor this without using SPAN, and also, how do you implement security on a per port basis (such as denying hubs on your network) PS: Any one ever used a tap here, and if so, how did it fit into your switched network. Thanks all John ** visit http://www.solution6.com UK Customers - http://www.solution6.co.uk ** The Solution 6 Head Office and NSW Branch has moved premises. Please make sure you have updated your records with our new details. Level 14, 383 Kent Street, Sydney NSW 2000. General Phone: 61 2 9278 0666 General Fax: 61 2 9278 0555 ** This email message (and attachments) may contain information that is confidential to Solution 6. If you are not the intended recipient you cannot use, distribute or copy the message or attachments. In such a case, please notify the sender by return email immediately and erase all copies of the message and attachments. Opinions, conclusions and other information in this message and attachments that do not relate to the official business of Solution 6 are neither given nor endorsed by it. * Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62917&t=62917 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
