SPAN VS IDS

Unanswered Question
amritpatek Fri, 12/07/2007 - 14:05

SPAN selects network traffic for analysis by a Network Analysis Module, a SwitchProbe device, or other RMON probe. SPAN mirrors traffic from one or more source ports (Ethernet, Fast Ethernet, Token Ring, or FDDI) on any VLAN to a destination port for analysis. This is not very different from what an IDS on a switch can do. The following link may help you:

http://www.cisco.com/en/US/docs/switches/lan/catalyst5000/catos/5.x/configuration/guide/span.html

ghalleen Sat, 12/08/2007 - 00:29

SPAN is a method of getting copies of network traffic by mirroring it to a specific port. There are often other methods that can be used to accomplish the same thing, depending on the type of switch you're using.

An IDS can be connected to a SPAN port.

A SPAN session is mutually inclusive with an IDS sensing interface. If the sensing interface of the IDS device is connected to the same switch to which the monitored interface or VLAN is connected, a local SPAN is needed. If the source is connected to a remote switch, then an RSPAN (Remote SPAN) is needed.

For example:

The IDS sensing interface is connected to switch 1 and I want to monitor traffic from VLAN 10, not just on the local switch but on all switches that have VLAN 10 throughout the L2 domain. An RSPAN is needed.

First, create an RSPAN VLAN on all switches, either on your VTP server or manually throughout. The VLAN number is arbitrary.

Vlan 999

remote-span

end

Next, create the source and destination sessions on switch 1, where the sensing interface is connected to f0/24.

monitor session 1 source vlan 10,999 rx

monitor session 1 destination interface f0/24 ingress vlan 10

('ingress vlan 10' is used for untagged traffic. This is needed if you are configuring the IDS to block.)

On the remote switches, the following config is needed:

monitor session 1 source vlan 10 rx

monitor session 1 destination remote vlan 999
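The local and remote pieces of this RSPAN setup have to agree on every switch, or the sensor silently loses visibility into VLAN 10. As an added example (not code from the thread), here is a Python checker that parses running-config excerpts and verifies that the RSPAN VLAN is declared remote-span on every switch, that the local switch mirrors both VLANs to the sensor port, and that each remote switch sends the monitored VLAN into the RSPAN VLAN. The config text, the switch names and the f0/24 interface spelling are constructed assumptions, and only comma-separated VLAN lists (no ranges) are parsed.

```python
import re

# Constructed running-config excerpts (not from the post): the switch holding the
# sensor on f0/24, a correct remote switch, and a remote switch with a mistyped
# destination VLAN, so its VLAN 10 traffic never reaches the sensor.
LOCAL_CFG = """vlan 999
 remote-span
monitor session 1 source vlan 10,999 rx
monitor session 1 destination interface f0/24 ingress vlan 10
"""
REMOTE_OK = """vlan 999
 remote-span
monitor session 1 source vlan 10 rx
monitor session 1 destination remote vlan 999
"""
REMOTE_BAD = REMOTE_OK.replace("remote vlan 999", "remote vlan 998")

def rspan_vlans(cfg):
    """VLAN ids that carry the 'remote-span' keyword in this config."""
    found, current = set(), None
    for line in cfg.splitlines():
        m = re.fullmatch(r"vlan (\d+)", line.strip())
        if m:
            current = int(m.group(1))
        elif line.strip() == "remote-span" and current is not None:
            found.add(current)
    return found

def sessions(cfg):
    """Map session id -> {'src': set of source VLAN ids, 'dst': destination text}."""
    out = {}
    for line in cfg.splitlines():
        m = re.fullmatch(r"monitor session (\d+) (source|destination) (.+)", line.strip())
        if not m:
            continue
        sess = out.setdefault(int(m.group(1)), {"src": set(), "dst": ""})
        if m.group(2) == "source":
            v = re.match(r"vlan ([\d,]+)", m.group(3))  # comma lists only, no ranges
            if v:
                sess["src"] |= {int(x) for x in v.group(1).split(",")}
        else:
            sess["dst"] = m.group(3)
    return out

def check_rspan(local_cfg, remotes, mon_vlan, rspan_vlan, sensor_if):
    """Return a list of findings; empty means the sensor sees mon_vlan from every switch."""
    findings = []
    for name, cfg in [("local", local_cfg), *remotes.items()]:
        if rspan_vlan not in rspan_vlans(cfg):
            findings.append(f"{name}: vlan {rspan_vlan} is not declared remote-span")
    if not any({mon_vlan, rspan_vlan} <= s["src"] and s["dst"].startswith(f"interface {sensor_if}")
               for s in sessions(local_cfg).values()):
        findings.append(f"local: no session mirrors vlans {mon_vlan} and {rspan_vlan} to {sensor_if}")
    for name, cfg in remotes.items():
        if not any(mon_vlan in s["src"] and s["dst"] == f"remote vlan {rspan_vlan}"
                   for s in sessions(cfg).values()):
            findings.append(f"{name}: vlan {mon_vlan} is not sent to remote vlan {rspan_vlan}")
    return findings
```

Run `check_rspan(LOCAL_CFG, {"sw2": REMOTE_OK, "sw3": REMOTE_BAD}, 10, 999, "f0/24")` against the constructed excerpts and only sw3 is reported; feeding it the output of `show running-config` from real switches works the same way as long as the VLAN lists are comma-separated.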
