“We just bought a new IPS/IDS, just put it between us and our transit provider!” Sounds slick, huh? The request seems easy, but do you really know whether the box will function as expected and not stall all network traffic the moment it goes inline?
Try it out on a mirrored (SPAN) port first! With a SPAN (Switched Port Analyzer) session the switch sends a copy of all traffic to and from one port out of a second port, without touching the original traffic. This is very helpful when you want to test new intrusion detection or prevention equipment: the sensor only sees a copy, so it can detect and alert but not block, but you still get to confirm that it copes with your real traffic volume and rule set before you put it inline. Snort is an open-source IDS/IPS you can run on the monitoring host to watch the mirrored traffic for suspicious activity and anomalies.
To configure a SPAN session on Catalyst 2940, 2950, 2955, 2960, 2970, 3550, 3560 and 3750 switches:
Switch#conf t
Switch(config)#monitor session 1 source interface Fa0/18
Switch(config)#monitor session 1 destination interface Fa0/2
Switch(config)#
With the configuration above every frame received or transmitted on FastEthernet 0/18 (the default direction is both) is copied out of FastEthernet 0/2. Two caveats: by default the destination port carries only the mirrored copy and does not forward the monitoring host's own frames, so give the sensor a separate NIC for management; and a full-duplex 100 Mb/s source mirrored in both directions can hand the 100 Mb/s destination up to 200 Mb/s, so under load the switch silently drops mirrored frames and the sensor misses traffic.
The Cisco Catalyst 2950 cannot use a VLAN as a SPAN source; monitoring a whole VLAN is possible on, for example, the Cisco 3750.
To verify a SPAN session:
Switch#sh monitor session 1
Session 1
---------
Source Ports:
    RX Only:       None
    TX Only:       None
    Both:          Fa0/18
Destination Ports: Fa0/2
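As an added example (not code from this post or from Cisco), here is a small Python check that parses the listing above and flags the two things that most often spoil a SPAN test: the session not mirroring what you think it does (wrong source, wrong destination, or the destination also listed as a source), and oversubscription of the destination link. The sample output is constructed to match the listing; the link speeds are assumptions passed in by the caller, not read from the switch.

```python
"""Sanity-check a Catalyst 'show monitor session' listing before trusting a SPAN.

Added example for this post, not Cisco code. It parses the plain-text output of
'show monitor session <n>' and applies two checks a practitioner wants before
plugging a sensor in:
  1. the session mirrors the expected source(s) to the expected destination,
     and the destination is never also a source;
  2. the worst-case mirrored bandwidth fits the destination link (a full-duplex
     source mirrored in both directions can deliver twice its link speed).
Link speeds are assumed values supplied by the caller, not read from the switch.
"""

# Constructed sample mimicking the 'show monitor session 1' output in the post.
SAMPLE_OUTPUT = """\
Session 1
---------
Source Ports:
    RX Only:       None
    TX Only:       None
    Both:          Fa0/18
Destination Ports: Fa0/2
"""

_DIRECTION_KEYS = {"rx only": "rx", "tx only": "tx", "both": "both"}


def _split_ports(value):
    """'Fa0/18,Fa0/19' or 'None' -> list of interface names."""
    value = value.strip()
    if not value or value.lower() == "none":
        return []
    return [p.strip() for p in value.split(",") if p.strip()]


def parse_monitor_session(text):
    """Return {'rx': [...], 'tx': [...], 'both': [...], 'destination': [...]}.

    Tolerates the two layouts IOS uses: 'RX Only:   x' and 'RX Only   : x'.
    """
    session = {"rx": [], "tx": [], "both": [], "destination": []}
    in_sources = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        lowered = stripped.lower()
        if lowered.startswith("source ports"):
            in_sources = True
            continue
        if lowered.startswith("destination ports"):
            in_sources = False
            _, _, value = stripped.partition(":")
            session["destination"] = _split_ports(value)
            continue
        if in_sources and ":" in stripped:
            key, _, value = stripped.partition(":")
            key = key.strip().lower()
            if key in _DIRECTION_KEYS:
                session[_DIRECTION_KEYS[key]] = _split_ports(value)
    return session


def check_session(session, expected_sources, expected_destination, link_speed_mbps):
    """Return a list of problem strings; an empty list means the session looks sane.

    link_speed_mbps maps interface name -> link speed in Mb/s (assumed values
    supplied by the caller, e.g. {'Fa0/18': 100, 'Fa0/2': 100}).
    """
    problems = []
    sources = set(session["rx"]) | set(session["tx"]) | set(session["both"])
    if sources != set(expected_sources):
        problems.append(f"sources {sorted(sources)} != expected {sorted(expected_sources)}")
    if session["destination"] != [expected_destination]:
        problems.append(f"destination {session['destination']} != expected [{expected_destination}]")
    overlap = sources & set(session["destination"])
    if overlap:
        problems.append(f"destination also listed as source: {sorted(overlap)}")
    # Worst-case mirrored load: rx-only and tx-only count once, 'both' counts twice.
    load = sum(link_speed_mbps.get(p, 0) for p in session["rx"] + session["tx"])
    load += sum(2 * link_speed_mbps.get(p, 0) for p in session["both"])
    for dest in session["destination"]:
        cap = link_speed_mbps.get(dest, 0)
        if load > cap:
            problems.append(
                f"worst-case mirrored load {load} Mb/s exceeds {dest} link speed "
                f"{cap} Mb/s; expect dropped frames under load"
            )
    return problems


if __name__ == "__main__":
    session = parse_monitor_session(SAMPLE_OUTPUT)
    speeds = {"Fa0/18": 100, "Fa0/2": 100}  # assumed: both are 100 Mb/s FastEthernet links
    for problem in check_session(session, ["Fa0/18"], "Fa0/2", speeds):
        print("WARNING:", problem)
```

Run against the listing from the post with both ports at 100 Mb/s, the only warning is the oversubscription one: mirroring Fa0/18 in both directions can push 200 Mb/s at a 100 Mb/s destination. Moving the destination to a gigabit port, or mirroring RX only, clears it.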
I hope this maybe encourages you to test out some applications or equipment that you’ve been wanting to try but haven’t had the guts to!