Can an IOS router redirect traffic, similar to port mirroring?

dalahue
Level 1

I need to mirror traffic on a 2600 router from all WAN interfaces and one ethernet interface to another ethernet interface. Does anyone know if this is possible? The reason is for a third party IDS device to inspect Site to Site traffic over the WAN links. I had been told that this might be possible with Firewall feature set... Any ideas??

3 Replies

donewald
Level 6

Firewall feature set does not allow a router to redirect (SPAN/port mirror) traffic in this fashion. This feature set has its own IDS mechanism/inspection process that you can run packets through. Here is a link about this feature.

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1830/products_feature_guide_chapter09186a00800881c0.html

Many use a switch in the DMZ/outside/and inside your security architecture to allow for such monitoring (Span/Port Mirroring) to an IDS. Cisco switches provide these functions.

Hope this helps,

Don
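As an added illustration of the switch-based SPAN approach Don describes (not configuration from the original thread), the fragment below mirrors the switch ports that face the router's inside Ethernet interface to a port where the IDS sensor is attached. It assumes a Catalyst switch running IOS with the `monitor session` syntax; the interface numbers are constructed placeholders. Note that site-to-site traffic that terminates on the LAN still crosses the router's inside Ethernet interface, so mirroring that segment covers it, whereas traffic that only transits between serial interfaces never reaches the switch and cannot be seen this way.

```cisco
! Constructed example: FastEthernet0/1 connects to the 2600's inside
! Ethernet interface, FastEthernet0/24 connects to the IDS sensor.
! Mirror both directions of the router-facing port...
monitor session 1 source interface FastEthernet0/1 both
! ...to the IDS port. The destination port carries copies only; it does
! not forward normal traffic, so keep the IDS management link elsewhere.
monitor session 1 destination interface FastEthernet0/24
! Verify the session is active and lists the expected source/destination.
show monitor session 1
```

Mirroring several router-facing ports into one destination can exceed the destination port's bandwidth, so watch for drops on the IDS side.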

I am aware of this functionality if we were trying to monitor traffic from the router to the LAN. The customer is trying to monitor traffic between serial interfaces on the router though, any thoughts?

The only monitoring equipment I've used on Serial links is a passive RMON probe, but this will only give you flow/application specific information, not the security information you'd most likely want. Firewall feature set on this router might give you DOS probe type traps to an internal NMS from these links if this is what you're after.

I guess this question would be easier to answer if it was known what your customer is specifically wanting to monitor and see.

Hope this helps,

Don
