VACL vs. SPAN

Hello

I have a question about the IDSM-2 on the Cat 6500.

Are there any performance issues in using VACL rather than SPAN?

Thank you

Graz.

Actually, the material in the official Cisco Secure Intrusion Detection System (CSIDS) course, specifically Chapter 8 - Setting up the IDSM, says that the IDSM-2 "provides an IDS solution in the switch, providing access to data via VACL capture, SPAN or RSPAN streams".

It clearly indicates (as does the IDSM2 documentation - http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a00801a0c95.html#wp589548) that ports 7 and 8 on the IDSM2 are the monitoring ports.

They are able to handle up to 2 RX SPAN sessions, 4 TX SPAN sessions or 2 RX + TX SPAN sessions. The only caveats are that the total amount of SPAN traffic may not exceed 600 Mbps, and the limits on SPAN sessions limit the number of ports in the Catalyst 6500 chassis that can have their traffic monitored. (NOTE: new info based on the information contained in the course manual)

WRT VACL, Cisco says that VACL, while it is more difficult to configure than SPAN, is the preferred method of sending traffic to the IDSM2 "because it allows a subset of traffic to be copied and forwarded to the IDSM2, limiting the amount of traffic it must process and also potentially allowing traffic from additional ports in the chassis to be analyzed."

Given this information, it would seem that VACL (when properly set up and used) is more powerful and less taxing on the IDSM2 than SPAN.

Alex Arndt

Tags: Cisco Security

Similar Questions

  • IDSM-2 basic configuration

    Hello

    I have some experience with sensors but this is my first time setting up a C6500 with an IDSM-2, and I have a few design questions. The first question is this: can I mix VACL and SPAN to capture traffic in the same configuration?

    The customer currently uses VACL to capture traffic of some machines, but now wants to monitor all traffic from an external partner via a VPN concentrator, so I guess in this case I should use SPAN to monitor the VPN port: am I wrong?

    The customer's config is more or less the following:

    intrusion-detection module 1 data-port 1 capture
    intrusion-detection module 1 data-port 1 capture allowed-vlan 1
    intrusion-detection module 1 data-port 2 capture allowed-vlan 1

    vlan access-map ID 10
     match ip address in
     action forward capture
    vlan access-map ID 20
     match ip address out
     action forward

    vlan filter ID vlan-list 1

    ip access-list extended in
     permit ip any host 192.168.1.1
     permit ip host 192.168.1.1 any
     ...
    ip access-list extended out
     permit ip any any

    If I want to use SPAN, what is the limit on the number of source ports I can put in the "monitor session" command?

    Should I send this "span" traffic to sensing interface 8 (data-port 2) or can I still send it to data-port 1 (sensing interface 7)?

    Why are there two sensing interfaces?

    Thanks in advance...

    Ruben

    The first thing to understand is that the customer should not configure data-port 1 and data-port 2 to see the same traffic.

    The sensor will get duplicate packets, which reduces the overall performance of the sensor (spending CPU just to throw away duplicates) and at worst could cause false positives or even false negatives.

    So the first thing to do is to remove the capture configuration on data-port 2, so that only data-port 1 is the packet capture port.

    Now that data-port 2 is freed up, you can configure data-port 2 for something else.

    So if you want to use SPAN then yes, you can now configure data-port 2 as a SPAN destination port.

    Can you mix VACL and SPAN configurations?

    Yes, but not on the same data port. One data port can be a VACL capture port and the second data port a SPAN destination port.

    However, you want to avoid duplicate packets as much as possible. So you will want to set it up so that traffic that will normally be visible on the SPAN destination port will not also be seen on the VACL capture port (which generally means changing the VACL so it does not capture that traffic).

    Should you use SPAN to monitor the VPN port?

    SPAN is usually the best way to ensure you get all the packets in and out of a specific port. You will need to make sure that you use a port SPAN (instead of a VLAN SPAN) and make sure you cover both the tx and rx traffic so that you get both inbound and outbound traffic.

    Also make sure that the traffic you are covering is the unencrypted traffic and not the encrypted traffic (which would be ignored by the sensor).

    What is the limit on the number of source ports?

    I don't know, and I think it can differ depending on your IOS version and supervisor type. So you must read the configuration guide for your Cat 6K to determine the limits of your specific switch.

    Should you send the "span" traffic to data-port 2 or data-port 1?

    A data port may not be both a VACL capture port and a SPAN destination port. So if data-port 1 is configured for VACL capture then it cannot be a SPAN destination port. Configure one port as the VACL capture port and the other port as the SPAN destination port.

    Why are there 2 sensing interfaces?

    To do things like what you ask. So you can use 2 different monitoring techniques that would not work on a single port. Or to be able to do promiscuous monitoring on one port while doing inline VLAN pair monitoring on the second port. Or use the 2 ports together as an inline interface pair.
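    As an added example (not from the thread), a small Python checker that applies the two rules in this answer to a Catalyst 6500 IOS configuration: the two data ports of one IDSM-2 must not capture the same VLANs, and a data port cannot be both a VACL capture port and a SPAN destination. The capture line syntax is the one in the customer's config above; the form of the `monitor session ... destination intrusion-detection-module` line and the sample config are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of the relevant Catalyst 6500 IOS lines (hypothetical,
# not the poster's config): both IDSM-2 data ports capture VLAN 1 via VACL,
# and data-port 1 is additionally used as a SPAN destination.
SAMPLE_CONFIG = """
intrusion-detection module 1 data-port 1 capture
intrusion-detection module 1 data-port 1 capture allowed-vlan 1
intrusion-detection module 1 data-port 2 capture allowed-vlan 1
monitor session 1 source interface GigabitEthernet3/1 both
monitor session 1 destination intrusion-detection-module 1 data-port 1
"""

CAPTURE_RE = re.compile(
    r"^intrusion-detection module (\d+) data-port (\d+) capture allowed-vlan (\S+)$")
SPAN_DST_RE = re.compile(
    r"^monitor session (\d+) destination intrusion-detection-module (\d+) data-port (\d+)$")


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,10-12' into a set of VLAN numbers."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def check_idsm_ports(config):
    """Return a list of findings for the two rules from the answer:
    1) data-port 1 and data-port 2 of one module capture overlapping VLANs
       (the sensor would see every such packet twice);
    2) a data port is both a VACL capture port and a SPAN destination."""
    capture = defaultdict(set)   # (module, data-port) -> VLANs captured by VACL
    span_dst = set()             # (module, data-port) used as a SPAN destination
    for line in config.splitlines():
        line = line.strip()
        m = CAPTURE_RE.match(line)
        if m:
            capture[(int(m[1]), int(m[2]))] |= expand_vlans(m[3])
            continue
        m = SPAN_DST_RE.match(line)
        if m:
            span_dst.add((int(m[2]), int(m[3])))

    findings = []
    for mod in sorted({mod for mod, _ in capture}):
        overlap = capture.get((mod, 1), set()) & capture.get((mod, 2), set())
        if overlap:
            findings.append(f"module {mod}: data-port 1 and data-port 2 both capture "
                            f"VLAN(s) {sorted(overlap)} -> duplicate packets")
    for mod, port in sorted(span_dst):
        if (mod, port) in capture:
            findings.append(f"module {mod} data-port {port}: VACL capture port "
                            f"is also a SPAN destination")
    return findings


if __name__ == "__main__":
    for finding in check_idsm_ports(SAMPLE_CONFIG):
        print(finding)
```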

  • How to use Norton anti-spam in Thunderbird

    I want to use Norton Anti-Spam as my spam filter in Thunderbird. How can I do this?

    Have you asked Norton how their software works? It would be the best place to start.

  • Thunderbird is marking all messages as "[spam]". How do I disable this option or tell it which ones are not spam?

    I installed Thunderbird on a new computer and many (almost all) incoming messages have "[spam]" added to the subject line. What do I set or modify to remove the notice?

    You need to look elsewhere. Thunderbird does not use the word Spam or change the subject line. Check with your email provider and their spam filters or your antivirus software.

  • After upgrading to 13.0, video on some sites, namely C-SPAN and PBS, only shows a blank white screen, no picture. I allowed popups; no problem with IE

    When I go to c-span.org and try clicking on C-SPAN 1, 2 or 3, I get a white screen instead of the video. On PBS.org when I try to play a Frontline video I get a white screen but no video. This happens with several websites that show video. I have the popup blocker disabled, no luck. When I use Internet Explorer the video is displayed. This problem did not exist before I upgraded to Firefox 13.0

    Hello nowaytoday, it is probably a problem related to the recent update of the Adobe Flash plugin, which was released on 8 June (IE uses another variant of the plugin). Please refer to the following article for common solutions: Flash 11.3 does not load video in Firefox

  • Is there a bug in Firefox with how it supports the "aria-labelledby" attribute on the <span> element?

    I use Firefox 10.0.3 with JAWS 13 as the screen reader.
    I put the "aria-labelledby" attribute on the span, and only the first item's content is read even though I put three ids in this attribute. It works perfectly in IE8.

    <table role="grid" summary="Details table">
    <tr>
    	<td type="columnTitle"><span tabIndex="0" role="gridcell">Date</span></td>
    	<th id="_NS_hdr1" role="columnheader" type="columnTitle"><span tabIndex="-1" role="columnheader">3/4</span></th>
    	<th id="_NS_hdr2" role="columnheader" type="columnTitle"><span tabIndex="-1" role="columnheader">3/11</span></th>
    	<th id="_NS_hdr3" role="columnheader" type="columnTitle"><span tabIndex="-1" role="columnheader">3/18</span></th>
    	<th id="_NS_hdr4" role="columnheader" type="columnTitle"><span tabIndex="-1" role="columnheader">3/25</span></th>
    </tr>
    <tr>
    	<th id="_NS_hdr5" role="rowheader" type="columnTitle"><span tabIndex="-1" role="rowheader">Count</span></th>
    	<td headers="_NS_hdr1 _NS_hdr5" type="datavalue">
    	<span tabIndex="-1" id="_NS_N158B5CC0.1614A0C80" role="gridcell" aria-labelledby="_NS_hdr1 _NS_hdr5 _NS_N158B5CC0.1614A0C80">0</span>
    	</td>
    	<td headers="_NS_hdr2 _NS_hdr5" type="datavalue">
    	<span tabIndex="-1" id="_NS_N158B5CC0.1614A1200" role="gridcell" aria-labelledby="_NS_hdr2 _NS_hdr5 _NS_N158B5CC0.1614A1200">75</span></td>
    	<td headers="_NS_hdr3 _NS_hdr5" type="datavalue">
    	<span tabIndex="-1" id="_NS_N158B5CC0.1614A1780"  role="gridcell" aria-labelledby="_NS_hdr3 _NS_hdr5 _NS_N158B5CC0.1614A1780">231</span>
    	</td>
    	<td headers="_NS_hdr4 _NS_hdr5" type="datavalue">
    	<span tabIndex="-1" id="_NS_N158B5CC0.1614A1D00" role="gridcell" aria-labelledby="_NS_hdr4 _NS_hdr5 _NS_N158B5CC0.1614A1D00">81</span>
    	</td>
    </tr>
    </table>

    Hello!

    I think you don't need the ARIA markup for what you're trying to accomplish. Firefox has very sophisticated algorithms to correctly make data tables accessible. You are already using row and column headers inside the table, and you use the headers attribute etc. You don't need the extra role and aria-labelledby markup to make the table work the way you want. JAWS 13 also supports this table interface and should work without all the WAI-ARIA stuff. I think because we have this sophisticated table interface, most of the ARIA markup is ignored inside correctly marked-up data tables.

    Make a test without the ARIA markup and report if you still have problems.

    Note that Firefox 11 improves a couple of these things in data tables still further, so you could update.

  • Center frequency and span for ESA spectrum analyzer

    Hi all

    I'm asking a silly question, but I've tried several things that didn't work, so I'm asking you all.

    I need to set the spectrum analyzer as follows:

    RBW: 10 kHz

    Sweep: Auto

    Span: 2400 MHz

    Ref level: -40 dBm

    Trace 1: view

    Trace 2: max hold

    Trace 3: min hold

    Center freq: 65850 kHz

    But when I run my program all values are set except CENTER FREQ; it always gets set to 1200 MHz.

    I don't know if there is any setting which automatically makes the center freq always come out as half the span?

    If someone can tell me the solution for this...

    Thank you very much

    Hi all...

    Got it: the difference between center freq and span was too big, so it was not accepted...

    Now I get the correct values... Because of the huge span, the start frequency of the range was below the analyzer's range... That was the problem...

    Thank you all...

  • Windows Movie Maker stretches video

    I use Windows Movie Maker 5.1 on XP.

    When I import a portrait video into WMM, it stretches the video to fill the preview, making the video look "fat". When I save the movie, the output looks stretched.

    Is it possible to maintain the original dimensions of the video, thus leaving a black space on the sides of the video?

    I did some research and it helped:

    http://groups.Google.com/group/Microsoft.public.WindowsXP.MovieMaker/MSG/7d247728c94d19a2?hl=en

    http://www.windowsmoviemakers.NET/forums/ShowPost.aspx?&PostID=15544

    It turns out that WMM does not maintain the proportions. At first, I imported my wmv video and rotated it using WMM, but it was stretched. So I went and rotated it using another program to make it portrait. When I imported it again, it was also stretched. It turns out that that's the long way round. Sorry if I did not mention the full detail. I used the 'rotate right' effect and it worked. Thank you

  • Mstsc /span switch: windows become black when opening more apps. Errors about limited resources.

    Original title: RDP with Multiple monitors

    Hi guys

    I am trying to use RDP with two monitors. I have XP SP3 and I have been using mstsc /span

    After a while I get black screens when I open additional applications. Then Word gives an error blaming low resources. If I RDP to the server without the /span switch everything is all right. Any ideas?

    Hi Cbits IT,

    Remote Desktop Connection supports high-resolution displays that can be spanned across multiple monitors. However, the total resolution across all monitors must be less than 4096 x 2048 pixels. The monitors must have the same resolution. In addition, the monitors must be aligned side by side.

    We recommend that you reduce the resolution and check the result.

    Note: Total resolution may not exceed 4096 x 2048 pixels.

    For additional assistance, see the "Span across multiple monitors" section in this article

    Visit our Microsoft Answers Feedback Forum and let us know what you think.

  • When I right-click a contact in my email addresses to display the source I see 'span.fontweight'. What is span.fontweight?

    When I right-click a contact in my email addresses to display the source I see 'span.fontweight'.

    Hello

    1. Did you change anything on your computer before this problem?

    2. Do you use webmail or an email client?

    Please post your answers so we can help you with this matter.

  • Is spanning tree bpdu filtering on the 5548 the same as 'spanning-tree portfast bpdufilter default'?

    It seems to me that "spanning-tree bpdu filtering" on the 5548 is the same as "spanning-tree portfast bpdufilter default" on the N-series switches - is that correct?  If this is not the case, what is the equivalent command to 'spanning-tree portfast bpdufilter default'?

    Ken

    They lead to the same result, just with a slightly different method. N-series bpdufilter looks for all ports configured for portfast and disables the transmission and reception of BPDUs on those interfaces. The 5548 bpdufiltering looks for ports with spanning tree disabled. There is not a command on the 5548 that will look for interfaces in portfast mode and filter the BPDUs.

  • Spanning tree root bridge

    Good day to all

    I have a problem in my network with an old device with a 10 Mbit half duplex NIC - we have PowerConnect N3048 switches in the rack - we found that they don't play well with the old device, so we added an old 1000/100 switch to do the translation, so to speak.

    The problem now is that STP was not configured in time and the older switch has taken the role of root bridge.

    My question is - if I now set up the N3048 to be the root bridge, will I be able to do it without affecting production network traffic, or do I need to take the network down to make the change?  Will the change on the N3048 force the older switch to cede control, or will they fight?

    Thanks in advance

    Eric

    By default most switches will have a default priority of 32768. In this case, the switches then use the MAC address to determine which is the root device. If this is the case in this scenario, all you have to do is set a lower spanning tree priority on the desired root switch.

    On your core switch, issue the following command:

    console(config)# spanning-tree priority 4096

    This switch will become the root switch. Not all switches should need to be restarted, but it will cause topology change notifications throughout the network, and some ports may change their current state. It depends on the topology.

    I would do this during non-peak hours. You may also want to check the switch that you added to the network and make sure that it doesn't have a spanning tree priority of 4096. If this is the case, set it to something higher.
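    As an added illustration (not from the thread), a short Python model of the root election the answer describes: priority is compared first and the MAC address breaks ties, so at the default 32768 the old switch wins on MAC, and it also covers the caveat about the added switch sitting at 4096 too. Switch names and MAC addresses are made up for the example.

```python
import re

PRIORITY_STEP = 4096       # valid bridge priorities are multiples of 4096
PRIORITY_MAX = 61440       # 15 * 4096
DEFAULT_PRIORITY = 32768   # the default most switches ship with


def bridge_id(priority, mac):
    """STP bridge ID as a comparable tuple (priority, MAC as an integer).
    Lower wins: priority is compared first, the MAC address breaks ties."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    if priority % PRIORITY_STEP or not 0 <= priority <= PRIORITY_MAX:
        raise ValueError(f"priority must be a multiple of {PRIORITY_STEP} in 0..{PRIORITY_MAX}")
    return (priority, int(hexdigits, 16))


def elect_root(bridges):
    """bridges: {name: (priority, mac)}. Return the name of the bridge that
    wins the root election, i.e. the one with the lowest bridge ID."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def priority_to_become_root(bridges, candidate):
    """Highest (least aggressive) valid priority that makes `candidate` the
    root against the other bridges as configured, or None if no priority can
    win because another bridge already sits at 0 with a lower MAC."""
    mac = bridges[candidate][1]
    for prio in range(PRIORITY_MAX, -1, -PRIORITY_STEP):
        trial = dict(bridges, **{candidate: (prio, mac)})
        if elect_root(trial) == candidate:
            return prio
    return None


# Constructed scenario modelled on the thread: the N3048 core switch and the
# old switch added for the half-duplex device, both at the default priority.
SCENARIO = {
    "n3048":  (DEFAULT_PRIORITY, "5c:26:0a:aa:1e:a6"),
    "old-sw": (DEFAULT_PRIORITY, "00:1a:2b:00:00:01"),
}

if __name__ == "__main__":
    print("root now:", elect_root(SCENARIO))
    after = dict(SCENARIO, n3048=(4096, SCENARIO["n3048"][1]))
    print("root after 'spanning-tree priority 4096' on the N3048:", elect_root(after))
    # The caveat from the answer: if the old switch is also at 4096 the N3048
    # loses the tie on MAC, and only priority 0 is left to win with.
    tie = dict(after, **{"old-sw": (4096, SCENARIO["old-sw"][1])})
    print("priority needed if old-sw is also at 4096:", priority_to_become_root(tie, "n3048"))
```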

  • Spanning tree question

    I have a stack of 4 PowerConnect 7048 core switches. There are unacceptable delays on the network, so I'm cleaning up configurations and verifying spanning tree, as these were set up by the previous admin. For the four active 10 GB links, spanning tree reports different states:

    two are

    Port Te3/2/1 enabled
    State: Disabled   Role: disabled
    Port id: 128.167   Port cost: 0
    Port Fast: No   Root Protection: No
    Designated bridge Priority: 4096   Address: 5C26.0AAA.1EA6
    Designated port id: 0.0   Designated path cost: 0
    CST Regional Root: 80:00:5C:26:0A:AA:1E:A6   CST Port cost: 0
    Root Guard..................................... FALSE
    Loop Guard..................................... FALSE
    TCN Guard...................................... FALSE
    Auto Portfast.................................. TRUE

    and two are

    Port Te2/2/2 enabled
    State: Forwarding   Role: designated
    Port id: 128.112   Port cost: 2000
    Port Fast: No   Root Protection: No
    Designated bridge Priority: 4096   Address: 5C26.0AAA.1EA6
    Designated port id: 128.112   Designated path cost: 0
    CST Regional Root: 10:00:5C:26:0A:AA:1E:A6   CST Port cost: 0
    Root Guard..................................... FALSE
    Loop Guard..................................... FALSE
    TCN Guard...................................... FALSE
    Auto Portfast.................................. TRUE

    I think the first one indicates a problem and all should be reported as forwarding and designated. Is that correct, and if so, how can this be done?

    Thank you

    Hello

    A disabled state serves no purpose. If you did not disable spanning tree, it should be enabled. http://downloads.Dell.com/manuals/all-products/esuprt_ser_stor_net/esuprt_networking/esuprt_net_fxd_prt_swtchs/PowerConnect-7024_Reference%20Guide_en-us.PDF page 745

  • How can I configure Spanning Tree

    Hello

    I have several Dell core switches, mostly PowerConnect 6224s - these link into my Cisco provider kit. We run several VLANs and have redundant links between stacked switches.

    I have read up on spanning tree and have the following tasks:

    1. Map the network - including the root bridge ID, root ports, blocked paths, max age and hello time

    Once I have done my information gathering, I don't know how best to optimize the spanning tree config; so far I have:

    1. make sure RSTP is enabled on all switches
    2. make sure that all edge ports have spanning-tree portfast configured
    3. do not configure spanning-tree portfast on the links between switches
    4. force speed and duplex settings on all link ports between the switches (I guess that's because auto-negotiate takes more time?)

    What I'm not sure of is:
    1. can I use BPDU guard, and if so, where?
    2. can I use root guard, and if so, where?

    I read the informative article by Todd: http://en.community.dell.com/support-forums/network-switches/f/866/t/19465205.aspx

    But I don't know where/whether I should configure the guard options - I am happy to provide additional information as needed.

    Thank you

    Spanning Tree BPDU Guard is used to disable the port where a new device tries to enter the already existing STP topology. Thus devices which were originally not part of STP are not allowed to influence the STP topology. If enabled, when a BPDU is received on an edge port, this port is disabled. Once the port has been disabled it requires manual intervention to be re-enabled.

    Spanning Tree Root Guard is used to prevent the root of a Spanning Tree instance from changing in an unexpected way. The priority of a bridge ID is adjustable down to zero, but another bridge with a lower MAC address could also set its priority to zero and take over as root.

    Both are defined globally on the switch. If you have any possibility of other network devices being plugged into the switch without your knowledge, it may be a good idea to enable these after STP is configured on the network. That way if someone randomly connects a device with STP to the network, it will not throw your network for a loop.

    Here are some good white papers on spanning tree

    www.Dell.com/.../app_note_13.pdf

    www.Dell.com/.../app_note_1.pdf

    www.Dell.com/.../pwcnt_MSTP_interoperability.pdf

    Thank you

  • Dell PowerConnect 2748 Spanning Tree reference

    I just had a simple question on Spanning Tree. We already have a network configuration; is it difficult to implement spanning tree on the PowerConnect switches if you already have your network set up? Is it an all-day job? A lot of configuration? Or just a simple turn-on button?

    Sorry, the PowerConnect 27xx series switches DO NOT support STP (Spanning Tree Protocol).
