IPS - detect a disabled switch SPAN port

Unanswered Question
Jun 30th, 2010


I am not quite sure this is the right place to post this but let's try:

Consider that I have a switch (e.g. 4500) on which I configure a SPAN destination port connected to an IPS (e.g. 4260). This is quite a standard architecture.

My question will be very simple and concerns more the switch than the IPS: how do I detect (via SNMP or Syslog) that the SPAN port has been disabled by someone connected to the switch?


rhermes Wed, 06/30/2010 - 12:00

We had to solve this (and similar problems with the Sensors). We had sensors that would quietly crash and nobody would notice until blank reports started showing up. Embarrassed that significant periods of time could go by without noticing that a sensor didn't have any traffic to process, we created a "heartbeat" custom signature that would fire on any traffic with a 5 min summary. Our SIM then watches for a few consecutive missed heartbeat signatures from each sensor before alerting our Operations team.

This does require some external elements to work, but it has the benefit of monitoring the entire event communications chain, from sensing to reporting. If anything breaks, you'll know about it.

We asked Cisco to create a standard signature for heartbeat, and it was an approved Cisco feature back in early 6.x days, but it got pulled before being implemented.

- Bob
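The missed-heartbeat check described in the post above, as an added example that is not part of the original post and not any SIM product's own logic. The threshold of 3, the one-minute grace period, the signature name `heartbeat` and the sensor names are assumptions; the sample events are constructed.

```python
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=5)   # summary interval described in the post
GRACE = timedelta(minutes=1)      # assumed allowance for delivery jitter
THRESHOLD = 3                     # assumed value for "a few consecutive" misses
HEARTBEAT_SIG = "heartbeat"       # hypothetical name of the custom signature

def last_heartbeats(events):
    """Map sensor -> newest heartbeat timestamp; other signatures are ignored."""
    latest = {}
    for ts, sensor, sig in events:
        if sig == HEARTBEAT_SIG and (sensor not in latest or ts > latest[sensor]):
            latest[sensor] = ts
    return latest

def missed_count(last_seen, now):
    """Number of expected heartbeats that have not arrived since last_seen."""
    overdue = now - last_seen - GRACE
    return max(0, overdue // INTERVAL)

def silent_sensors(events, expected, now):
    """Return {sensor: missed} for every sensor at or over THRESHOLD.

    A sensor in `expected` with no heartbeat at all is reported with None,
    so a sensor that never came up is not mistaken for a healthy one.
    """
    latest = last_heartbeats(events)
    alerts = {}
    for sensor in expected:
        if sensor not in latest:
            alerts[sensor] = None
            continue
        missed = missed_count(latest[sensor], now)
        if missed >= THRESHOLD:
            alerts[sensor] = missed
    return alerts

# Constructed sample events: (timestamp, sensor, signature)
T0 = datetime(2010, 6, 30, 12, 0)
SAMPLE = [
    (T0, "ips-a", "heartbeat"),
    (T0, "ips-b", "heartbeat"),
    (T0 + timedelta(minutes=5), "ips-a", "heartbeat"),
    (T0 + timedelta(minutes=10), "ips-a", "heartbeat"),
    (T0 + timedelta(minutes=12), "ips-b", "some-other-signature"),
    (T0 + timedelta(minutes=15), "ips-a", "heartbeat"),
]

if __name__ == "__main__":
    now = T0 + timedelta(minutes=17)
    print(silent_sensors(SAMPLE, ["ips-a", "ips-b", "ips-c"], now))
```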

jacques_henry Wed, 06/30/2010 - 23:41

Hi Bob,

Thanks for sharing your experience!

However, I was challenged to find a solution on the switch because even with your approach (heartbeat signature), it wouldn't fully work with a switch that would have multiple SPAN configured on it. One can still disable a particular port and the rest of the SPAN would still be operational in sending traffic to the IPS. In fact, it is this kind of scenario I'd like to detect. That's why in the first place I brought my question around to the switch's configuration. (But again, maybe it is not the right place to ask this - perhaps in the Network Infrastructure forum?)

Anyway thanks again for your response!


