May 23, 2012

Working With SPAN Ports

Those of you studying for the CCIE will likely work with SPAN ports. If you are working on the CCNP Security, you will also work with them when you do the IPS exam. Why is SPAN important and what is it used for? Let's take a look at a scenario.

[Figure: hub.jpg]

In the above figure, traffic from Host A will be copied by the hub to Host B as well as to the sniffer. This is great, as we can see the entire conversation between A and B.

[Figure: switch.jpg]

Now we fast forward in time to the days of switches. If you have a basic understanding of how switches work, you know that they make forwarding/filtering decisions. This means that traffic from A to B will NOT be sent to the sniffer; rather, it's forwarded only to the ports where the destination MAC address exists. This makes it problematic for me when I want to have traffic sent to the sniffer, unless I know how to use SPAN.

SPAN Overview

SPAN is handy in that it allows a network administrator to copy traffic from one interface to another, or even to take traffic seen on one VLAN and send it to the interface where the sniffer is connected.

In the following configuration I have told my switch to take all the traffic off of g0/1 and copy it to g0/10 where my sniffer is located. I did this by creating a monitor session.

Begin by defining what traffic you want to mirror.

SWITCH#configure terminal
SWITCH(config)#
SWITCH(config)#monitor session 1 source interface G0/1

And then define where you want the traffic mirrored to.

SWITCH(config)#monitor session 1 destination interface G0/10

The following figure shows the end result. The traffic coming in G0/1 from Host A that is being sent to Host B on G0/2 is also being mirrored to G0/10.

[Figure: span1.jpg]

You can verify the configuration as well:

SWITCH#show monitor session 1

Session 1

Source Ports:
    RX Only:       None
    TX Only:       None
    Both:          Gi0/1
Destination Ports: Gi0/10
SWITCH#
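An added example, not part of the original article: since a monitor session copies traffic to another port, it is worth auditing which sessions a switch has configured. This Python code parses `monitor session` configuration lines in the syntax shown above and flags sessions with no destination, no source, or a destination outside an approved list. The sample configuration (apart from session 1), the function names and the approved-port list are constructed for illustration.

```python
import re

# Constructed sample config; session 1 is the one from the article,
# sessions 2 and 3 are invented to exercise the checks.
SAMPLE_CONFIG = """\
monitor session 1 source interface G0/1
monitor session 1 destination interface G0/10
monitor session 2 source vlan 20 rx
monitor session 2 destination interface G0/24
monitor session 3 source interface G0/5 tx
"""

LINE_RE = re.compile(
    r"^\s*monitor session (\d+) (source|destination) (interface|vlan) (\S+)"
    r"(?: (rx|tx|both))?\s*$",
    re.IGNORECASE,
)

def parse_span_sessions(config_text):
    """Return {id: {"sources": [(kind, name, direction)], "destinations": [name]}}."""
    sessions = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a monitor session line
        sid, role, kind, name, direction = m.groups()
        entry = sessions.setdefault(int(sid), {"sources": [], "destinations": []})
        if role.lower() == "source":
            # With no rx/tx keyword the source is mirrored in both directions,
            # matching the "Both: Gi0/1" line in the show output above.
            entry["sources"].append((kind.lower(), name, (direction or "both").lower()))
        else:
            entry["destinations"].append(name)
    return sessions

def audit_span_sessions(sessions, approved_destinations):
    """Return (session_id, finding) tuples. Names are compared as typed in the config."""
    approved = {d.lower() for d in approved_destinations}
    findings = []
    for sid in sorted(sessions):
        s = sessions[sid]
        if not s["destinations"]:
            findings.append((sid, "source defined but no destination"))
        if not s["sources"]:
            findings.append((sid, "destination defined but no source"))
        for dest in s["destinations"]:
            if dest.lower() not in approved:
                findings.append((sid, f"destination {dest} is not an approved sniffer port"))
    return findings

if __name__ == "__main__":
    for finding in audit_span_sessions(parse_span_sessions(SAMPLE_CONFIG), {"G0/10"}):
        print(finding)
```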

For now this works great and we can start to sniff traffic and learn how things work. In the next article of this series I will address the issue of mirroring traffic from a port or VLAN on one switch to a destination on another switch.

IEV issues: Solved!

For 2 days I’ve been messing with IEV on an IPS section of Section 15. I’m not sure what this means. Anyone have an idea?

Picture 3

IDM is running in the background so I know this server can reach the sensor.

And the answer is….

Brandon,

The service is not running on the server. Go into service manager in Windows, services.msc. Look for the Cisco IEV process and start the process.

Regards,
Tyson Scott – CCIE #13513 R&S and Security
Technical Instructor – IPexpert, Inc.