Using the SPAN Feature with IDS

Chapter 11, "Using Cisco IOS IPS to Secure the Network," discusses the Cisco Intrusion Detection System (IDS) technology. With IDS, a sensor receives a copy of traffic for analysis. If the sensor recognizes the traffic as being malicious or suspicious, the IDS sensor can take a preconfigured action, such as generating an alarm or dynamically configuring a firewall to block the sender.

One way to cause an IDS sensor to receive a copy of network traffic is to configure a port on a Cisco Catalyst switch for the Switched Port Analyzer (SPAN) feature. SPAN allows a copy of traffic destined for another port to be sent out the SPAN port, thus allowing an attached IDS sensor to receive a copy of the traffic, as illustrated in Figure 6-12. Example 6-6 demonstrates how to configure port Gig 0/2 as a SPAN source and port Gig 0/3 as a SPAN destination port.

Figure 6-12 SPAN


Gig0/1 SPAN Source

Data Flow


SPAN Destination

Data Flow


IDS Sensor

Example 6-6 Configuring a SPAN Port

Cat3550(config)# monitor session 1 source interface gigabitethernet0/2 Cat3550(config)# monitor session 1 destination interface gigabitethernet0/3

Cat3550(config)# end

Example 6-6 shows the SPAN port residing on the same switch as the destination port. However, Cisco Catalyst switches also support the Remote SPAN (RSPAN) feature, which allows a SPAN port to be configured on a different switch.

0 0

Post a comment