Setting Up the SPAN

SPAN is a method of mirroring or copying traffic from a single VLAN, a group of VLANs, a single port, or group of ports to a single monitoring port. This provides a way for an IDS or a sniffer to "see" a flow of traffic without actually having to be in the flow of traffic. There is a total of four Tx (transmit sessions) or two Rx (receive sessions). If the command both is used, the total is still two SPAN sessions. The SPAN port can be 10, 100, or 1000 Mbps. The command to set the span is slightly different among different switches, but since we are working with the IDSM, we will be working with the Cisco 6000, 6500 series chassis, requiring us to use the set command. To configure SPAN, use the following command:

set span <src_mod/src_port> <dest_mod/dest_port> [rx | tx | both] [create]

What we are saying here is that the <src_mod/src_port> is the source module and source port, while the <dest_mod/dest_port> is the destination module and destination port. The [rx | tx | both] tells the switch if we are to capture Rx only, Tx only, or both. The [create] tells the switch that we are creating the SPAN. If you do not use the keyword create at the end of the set span command and you have only configured a single session, that session is overwritten.

switch> (enable) set span 2/5 4/1 both create

Created Port 4/1 to monitor transmit/receive traffic of Port 2/5

Incoming Packets disabled. Learning enabled. Multicast enabled.

switch> (enable)

We can disable the SPAN session either in pieces or all at once, as shown in the following example:

switch> (enable) set span disable all

This command will disable your span session(s).

Do you want to continue (y/n) [n]?y

Disabled all sessions

switch> (enable)

Setting Up the VACLs

A VACL can be configured to capture traffic for the IDSM from either a single VLAN or multiple VLANs. This differs from the standard ACL that we use on routers, where the rules apply to a specific interface. This also differs greatly from SPAN in that with VACLs you can filter down to a specific type of packet or flow you want to look at. The VACL applies to all packets and the processing is done in hardware. If there is a field defined for the VACL that does not apply, then it is ignored. As we learned earlier, port 1 (or the monitoring port) is, by default, a trunked port and will monitor all VLANs that have an ACL applied to capture traffic. If you want to capture specific VLAN traffic, you need to clear the VLANs other than the ones you want to capture. There can be only one VACL per protocol applied to a single VLAN.

To configure a VACL to capture any traffic from a SPAN port, use the following command:

set security acl ip <acl_name> permit < > capture

set security acl ip SPANCOPY permit any any capture

Then we commit the VACL using this command:

commit security acl <acl_name>

Next, we map the VACL to the VLANs or VLAN of interest to us:

set security acl map <acl_name> [vlans]

Finally, we add the IDSM port 1 to the VACL capture list:

set security acl capture-ports <mod/port>

switch1> (enable) set security acl capture-ports 4/1

Successfully set 4/1 to capture ACL traffic.

Note: By default, port 1 on the IDSM is set as the security ACL capture port.

For example, if we wanted to capture all Web traffic for the IDSM, we would use a VACL configured like the following example:

switch>(enable) set security acl ip WEBTRAF permit tcp any host 10.10.10.50 eq 80 capture

switch>(enable) set security acl ip WEBTRAF permit ip any any

switch>(enable) commit security acl WEBTRAF

switch>(enable) set security acl map WEBTRAF 10

switch>(enable) set security acl capture-ports 4/1

This sets up the capture for only Web traffic, allowing everything else to bypass the IDSM. The permit any any is the magic key to let the rest of the traffic go past the IDSM. We then commit the VACL called WEBTRAF. The security ACL map is set to WEBTRAF, and VLAN 10 is mapped to the ACL. Lastly, we set the ACL to use module 4, and assign port 1 as the capture port for the IDSM.
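A configuration check for the VACL procedure above, as an added example that is not part of the original text: it parses CatOS set security acl lines and flags capture ACLs that lack the trailing permit, the commit, the VLAN mapping, or a capture port. The function name audit_vacl and the DNSTRAF ACL in the sample are constructed for illustration.

```python
import re

# Constructed sample: the WEBTRAF sequence from the text, plus a hypothetical
# second ACL (DNSTRAF) that is missing its trailing permit and its commit.
SAMPLE = """\
set security acl ip WEBTRAF permit tcp any host 10.10.10.50 eq 80 capture
set security acl ip WEBTRAF permit ip any any
commit security acl WEBTRAF
set security acl map WEBTRAF 10
set security acl ip DNSTRAF permit udp any any eq 53 capture
set security acl map DNSTRAF 20
set security acl capture-ports 4/1
"""

def audit_vacl(config):
    """Return {acl_name: [problems]} for every IP VACL that has a capture ACE."""
    aces, committed, mapped, capture_ports = {}, set(), set(), False
    for raw in config.splitlines():
        line = re.sub(r"^\S*>\s*\(enable\)\s*", "", raw.strip())  # drop CLI prompt
        if m := re.match(r"set security acl ip (\S+) (.+)$", line):
            aces.setdefault(m.group(1), []).append(m.group(2).split())
        elif m := re.match(r"commit security acl (\S+)", line):
            committed.add(m.group(1))  # "all" commits every pending ACL
        elif m := re.match(r"set security acl map (\S+) \S+", line):
            mapped.add(m.group(1))
        elif re.match(r"set security acl capture-ports \S+", line):
            capture_ports = True
    report = {}
    for name, rules in aces.items():
        if not any(r[-1] == "capture" for r in rules):
            continue  # plain filtering ACL, not feeding the sensor
        problems = []
        last = [tok for tok in rules[-1] if tok != "capture"]
        if last not in (["permit", "ip", "any", "any"], ["permit", "any", "any"]):
            problems.append("no trailing permit any any: other traffic hits the implicit deny")
        if name not in committed and "all" not in committed:
            problems.append("not committed")
        if name not in mapped:
            problems.append("not mapped to a VLAN")
        if not capture_ports:
            problems.append("no capture port configured")
        report[name] = problems
    return report
```

Running audit_vacl(SAMPLE) returns an empty problem list for WEBTRAF and two findings for DNSTRAF.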

Configuring Trunks to Manage Traffic Flow

A method of managing the amount of traffic seen by the IDSM sensor is to manage the trunks and VLANs on the trunks. An example of this would be to have a single IDSM sensor and the need to monitor a single VLAN. This can be accomplished by clearing VLANs from the IDSM sensor monitoring port and then assigning the VLAN that we are interested in back to the monitoring port. In the following example, we step through the process. We have three VLANs, VLAN 501, VLAN 502, and VLAN 503 on module 4, port 1. So we will first clear the VLANs from the port by using this command:

switch>(enable) clear trunk 4/1 2-1005,1025-4094

Now we will reassign VLAN 502 back to the monitoring port:

switch>(enable) set trunk 4/1 502

switch>(enable) set vlan 502 4/1

We now assign module 4 and port 1 as the capture port using the following command:

switch>(enable) set security acl capture-ports 4/1

Verifying the Configuration

To verify that the IDSM is configured correctly, we have several commands at our disposal. The most common command, as you might guess, is just like a router's: the show config command at the switch. This will give us the complete configuration of the switch. The next command of great use is called show span and tells us the span configuration on the switch. We can use the show security acl, which shows us the VACL settings.

On the IDSM itself, we can use the same show configuration command to get the config of the IDSM. The show eventfile current command allows us to look at the logfiles of the IDSM.