Cisco

SPAN port config

Home: www.packetnexus.com

I have confirmed, via Cisco, that if the OS
is less than 5.X it is not possible.  Under version 5.x or greater you can
have 1 TX/RX span port and up to 4 EGRESS SPAN Sessions (RX Only)


> I'm trying to add a second sensor to a separate VLAN on a CISCO 5500
switch.
> The network boyz tell me there can be only one SPAN port per switch.  Can
> anyone confirm that for me?

It depends on the version of CatOS running on the switch.  This is true on
the 5xxx series with older versions of CatOS, definitely.  There's a
really interesting doc on Cisco's site about port mirroring/spanning that
can be found here:

http://www.cisco.com/warp/public/473/41.html
http://www.cisco.com/warp/public/473/41.pdf

I'm pretty sure you need CatOS v5.1 (or higher) on the 5xxx series
switches to do spanning using multiple ports.  Your network guys are right
if they are using older versions of CatOS.  Also note that this changes
depending on the switch platform, as well.  The Cat2900 series, for
example, has been doing "port mirroring" to multiple ports for quite some
time.  One word of caution, however - according to the doc I've referenced
above, on the Cat5xxx/6xxx:

"Whether one or several ports will eventually transmit the packet has
absolutely no influence on the switch operation. Thus, considering this
architecture, the SPAN feature has no impact on the performance."

But I believe this to be false.  We've been able to get our Cat6500 in the
lab to drop frames on the SPAN port with fairly low levels of traffic
(below 400Mbps).  What's eerie is that the switch appears to be performing
fine - no errors, no low RAM, no high CPU, etc.  It just silently drops
frames on the span port.  This does not appear to affect the delivery of
regular/production traffic, but you can see why this might concern someone
when it comes to IDS.  (NOTE: if you aren't going over 100Mbps, don't
worry about this - sub-100 appears to work fine)

Unfortunately, we do not have a support contract on our Cat6500, so I'm
trying to navigate Cisco from the outside to get some answers.  This is,
of course, not easy.  I've made ZERO progress.  But I do know that I can
get both the 3500 and 6500 series switches to drop frames when spanning,
and this concerns me.

Hope this helps,

-Greg
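The silent drops described above are invisible on the switch itself, so the place to catch them is the sensor. An added example (not from this thread, and not Cisco's or any vendor's code): a Python check that walks TCP segments in capture order and reports byte ranges the sensor never saw. A range that a later retransmission fills in was a real network loss that the endpoints handled; a range that is never filled, while the application keeps working, points at the SPAN port discarding frames. The segment list is constructed for the example, and the flow tuple layout is an assumption about how a capture would be pre-parsed.

```python
from collections import defaultdict

# Constructed sample, not captured data: (src, dst, sport, dport, seq, payload_len)
# in the order the sensor saw them. Flow A is missing the segment at seq 2921
# and nobody retransmits it (looks like a SPAN drop). Flow B skips seq 501 at
# first but the sender retransmits it (a real loss on the wire, not the sensor).
SAMPLE_SEGMENTS = [
    ("10.0.0.5", "10.0.0.9", 40000, 80, 1,    1460),
    ("10.0.0.5", "10.0.0.9", 40000, 80, 1461, 1460),
    ("10.0.0.5", "10.0.0.9", 40000, 80, 4381, 1460),   # seq 2921..4380 never seen
    ("10.0.0.5", "10.0.0.9", 40000, 80, 5841, 200),
    ("10.0.0.7", "10.0.0.9", 40001, 80, 1,    500),
    ("10.0.0.7", "10.0.0.9", 40001, 80, 1001, 500),    # seq 501..1000 skipped...
    ("10.0.0.7", "10.0.0.9", 40001, 80, 501,  500),    # ...then retransmitted
]


def find_gaps(segments):
    """Return {flow: [(start, end), ...]} of byte ranges the sensor never saw.

    A gap that is later covered by a retransmission is removed from the result:
    the endpoints noticed that loss themselves, so the mirror port is not to blame.
    """
    expected = {}                  # flow -> next sequence number we expect to see
    gaps = defaultdict(list)       # flow -> list of [start, end) ranges not seen
    for src, dst, sport, dport, seq, length in segments:
        flow = (src, sport, dst, dport)
        end = seq + length
        if flow not in expected or seq == expected[flow]:
            expected[flow] = end                       # in-order data
        elif seq > expected[flow]:
            gaps[flow].append((expected[flow], seq))   # jumped ahead: record the hole
            expected[flow] = end
        else:
            # seq < expected: retransmission or reordering; trim any gap it covers
            remaining = []
            for start, stop in gaps[flow]:
                if end <= start or seq >= stop:        # no overlap with this gap
                    remaining.append((start, stop))
                    continue
                if start < seq:                        # keep the part before it
                    remaining.append((start, seq))
                if end < stop:                         # keep the part after it
                    remaining.append((end, stop))
            gaps[flow] = remaining
            expected[flow] = max(expected[flow], end)
    return {flow: g for flow, g in gaps.items() if g}


def missing_bytes(segments):
    """Total bytes per flow that never reached the sensor."""
    return {flow: sum(stop - start for start, stop in g)
            for flow, g in find_gaps(segments).items()}


if __name__ == "__main__":
    for flow, nbytes in missing_bytes(SAMPLE_SEGMENTS).items():
        print(f"{flow}: {nbytes} bytes never seen and never retransmitted")
```

Run against real traffic, a steady trickle of unfilled gaps on a busy mirror port, with no matching retransmissions and no complaints from users, is the signature of the silent drop behaviour above; a sudden jump in that number is the point at which the IDS is no longer seeing what it thinks it is seeing.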


http://www.cisco.com/warp/public/473/41.html#summ

Basically you can have one rx/rx+tx OR 4 TX only...


FW: testing for IP address space leakage in NAT systems

I use a firewall filter, but you can throw up a filter to check for
them.  I also check for outgoing and incoming leakage:

On my Cisco I do this.

Access lists:
! 101 goes inbound on the WAN side: nothing arriving from outside may claim
! our own prefix, loopback or RFC 1918 space as its source; log the hits.
! "mynetwork" stands for the site's own prefix and wildcard mask.
access-list 101 deny   ip mynetwork any log-input
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log-input
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log-input
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log-input
access-list 101 permit ip any any
! 102 goes outbound: only our own prefix may leave, so any private address
! that escaped the NAT shows up in the log.
access-list 102 permit ip mynetwork any
access-list 102 deny   ip any any log

In wan interfaces:
 ip access-group 101 in
 ip access-group 102 out

You can accomplish these filters with any firewall using similar rules.
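To check that a firewall's rules actually match the intent of the two access lists above, it helps to have the same logic in a form you can run over exported log lines. An added example (not part of this post, and not Cisco's code): a Python script that builds the deny ranges from the very wildcard masks used in ACL 101, applies the inbound and outbound verdicts, and audits a handful of constructed log lines. The site prefix (written "mynetwork" above) is assumed here to be 203.0.113.0/24, a documentation range, and the "direction src dst" log format is made up for the example.

```python
import ipaddress

# Assumed site prefix standing in for the poster's "mynetwork" (TEST-NET-3, RFC 5737).
MYNETWORK = ipaddress.ip_network("203.0.113.0/24")

# The (address, wildcard) pairs from ACL 101. Python's ipaddress accepts a
# hostmask after the slash, which is exactly what an IOS wildcard mask is.
ACL_101_DENY = [
    ("127.0.0.0",   "0.255.255.255"),
    ("10.0.0.0",    "0.255.255.255"),
    ("172.16.0.0",  "0.15.255.255"),
    ("192.168.0.0", "0.0.255.255"),
]
BOGON_SOURCES = [ipaddress.ip_network(f"{addr}/{wild}") for addr, wild in ACL_101_DENY]


def classify_inbound(src):
    """ACL 101: packets arriving from the WAN must not carry our own prefix,
    loopback or RFC 1918 space as their source."""
    ip = ipaddress.ip_address(src)
    if ip in MYNETWORK:
        return "deny-spoofed-own-prefix"
    for net in BOGON_SOURCES:
        if ip in net:
            return f"deny-private-{net}"
    return "permit"


def classify_outbound(src):
    """ACL 102: only the site prefix may leave; anything else leaked past the NAT."""
    return "permit" if ipaddress.ip_address(src) in MYNETWORK else "deny-leak"


# Constructed log lines in a made-up "direction src dst" format, not real syslog.
SAMPLE_LOG = """\
in  198.51.100.7 203.0.113.10
in  10.1.2.3 203.0.113.10
in  203.0.113.55 203.0.113.10
out 203.0.113.10 198.51.100.7
out 192.168.1.20 198.51.100.7
"""


def audit(log_text):
    """Return (direction, src, verdict) for every line the ACLs would have denied."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        direction, src, _dst = line.split()
        if direction == "in":
            verdict = classify_inbound(src)
        elif direction == "out":
            verdict = classify_outbound(src)
        else:
            raise ValueError(f"unknown direction in log line: {line!r}")
        if verdict != "permit":
            findings.append((direction, src, verdict))
    return findings


if __name__ == "__main__":
    for direction, src, verdict in audit(SAMPLE_LOG):
        print(f"{direction:3} {src:15} {verdict}")
```

The inbound side catches spoofing and stray private addresses; the outbound side is the NAT leakage test the original question asks for, since a private source address on the WAN interface can only mean a packet that bypassed translation.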



I was wondering if anyone knows of a method to test a NAT system for
address space leakage.

Thanks.

--Bob
