Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
670
Views
0
Helpful
2
Replies

IPS - detect a disabled switch SPAN port

jacques_henry
Level 1
Level 1

‎06-30-2010 06:30 AM - edited ‎03-10-2019 05:02 AM

Hello,

I am not quite sure this is the good place to post this but let's try:

Consider that I have a switch (e.g. 4500) on which I configure a SPAN destination port connected to an IPS (e.g. 4260). This is quite a standard architecture.

My question will be very simple and concerns more the switch than the IPS: how do I detect (via SNMP or Syslog) that the SPAN port has been disabled by someone on connected on the switch?

Thanks!

Labels:
0 Helpful
2 Replies 2

rhermes
Level 7
Level 7

‎06-30-2010 12:00 PM

We had to solve this (and similar problems with the Sensors). We had sensors that would quietly crash and nobody would notice until blank reports started showing up. Embarrassed that significant periods of time could go by without noticing that a sensor didn't have any traffic to process we created a "heartbeat" custom signature that would fire on any traffic with a 5 min summary. Our SIM them watches for a few consecutive missed heartbeat signatures from each sensor before alerting our Operations team.

This does require some external elements to work, but it has the benefit of monitoring the entire event communications chain, from sensing to reporting. If anything breaks, you'll know about it.

We asked Cisco to create a standard signature for heartbeat, and it was an approved Cisco feature back in early 6.x days, but it got pulled before being implemented.

- Bob

0 Helpful

jacques_henry
Level 1
Level 1
In response to rhermes

‎06-30-2010 11:41 PM

Hi Bob,

Thanks for sharing your experience!

However, I was challenged to find a solution on the switch because even with your approach (heartbeat signature), it wouldn't fully work with a switch that would have multiple SPAN configured on it. One can still disabled a particular port and the rest of the SPAN would still be operational in sending traffic to the IPS. In fact, it is this kind of scenario I'd like to detect. That's why in the first place I brought my question around to the switch's configuration. (but again maybe it is not the right place to ask this - perhaps in the Network Infrastructure forum?)

Anyway thanks again for your response!

Florent

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card