16 May 2010

Using the SPAN Feature with IDS

With IDS, a sensor receives a copy of traffic for analysis. If the sensor recognizes the traffic as being malicious or suspicious, the IDS sensor can take a preconfigured action, such as generating an alarm or dynamically configuring a firewall to block the sender.

One way to cause an IDS sensor to receive a copy of network traffic is to configure a port on a Cisco Catalyst switch for the Switched Port Analyzer (SPAN) feature. SPAN sends a copy of the traffic passing through another port (the SPAN source) out the SPAN destination port, so an IDS sensor attached to that destination port receives a copy of the traffic, as illustrated in the figure below. Example 1-1 demonstrates how to configure port Gig 0/2 as a SPAN source and port Gig 0/3 as a SPAN destination port.

Example 1-1 Configuring a SPAN Port

SW3550(config)# monitor session 1 source int g0/2
SW3550(config)# monitor session 1 destination int g0/3
SW3550(config)# end

Example 1-1 shows the SPAN source and destination ports residing on the same switch. However, Cisco Catalyst switches also support the Remote SPAN (RSPAN) feature, which allows the SPAN destination port to be configured on a different switch from the source port, with the mirrored traffic carried between the switches in a dedicated RSPAN VLAN.
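The RSPAN case described above, as an added configuration example that is not part of the original post: the monitored host sits on Gig 0/2 of a switch called Switch A, the IDS sensor sits on Gig 0/3 of a second switch called Switch B, and VLAN 900 is chosen as the RSPAN VLAN. The switch names, the interface numbers and the VLAN number are assumptions for illustration; the commands are standard Cisco IOS RSPAN syntax.

```text
! --- Switch A: the switch the monitored host is attached to (constructed example) ---
! Create the RSPAN VLAN. It must exist, flagged remote-span, on every switch
! along the path between the source switch and the destination switch, and the
! trunks between them must carry it.
vlan 900
 remote-span
!
! Mirror the traffic seen on Gig 0/2 into RSPAN VLAN 900 instead of a local port.
monitor session 1 source interface gigabitethernet0/2
monitor session 1 destination remote vlan 900

! --- Switch B: the switch the IDS sensor is attached to ---
vlan 900
 remote-span
!
! Take the mirrored traffic arriving in VLAN 900 and send it out Gig 0/3 to the sensor.
monitor session 1 source remote vlan 900
monitor session 1 destination interface gigabitethernet0/3

! Verify the session on either switch (shows source, destination and RSPAN VLAN).
show monitor session 1
```

Two points a practitioner checks after applying this: the SPAN destination port carries only mirrored traffic and does not behave as a normal access port, so the sensor needs a separate connection for its own management traffic; and a single destination port can be oversubscribed when it mirrors both directions of a busy source, in which case the switch drops mirrored frames and the IDS silently misses part of the traffic.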


See Also:
[*] Cisco SPAN With IDS

[*] Configuring RSPAN

CCNA Security Official Exam Certification Guide (Exam 640-553)



biOos
