This is quite an interesting feature, and one that you wouldnt usually expect on a device like this.

Basically, when running IDS/IPS/Snort or any other packet sniffer in promiscuous mode, you need a way to “mirror” traffic from your hosts, to your IDS box. With Cisco switches, this is achieved through the use of the “monitor” commands, which set up Cisco SPAN ports (Switch Port Analyzer).

I needed to do some lab work and didnt have a Cisco switch at home, so looked through the documentation for my 5505. I was suprised to find out that It supports SPAN ports too!! This thing really is a box of tricks.

The config is simple, but first you need to decide which ports to mirror traffic from, and which port to send it to.

In my case, I wanted to mirror traffic from both eth0/0 and eth0/1 and send this to port eth0/5 where my IPS sensor was sat.

The commands used were as follows:

RichASA5505# conf t
RichASA5505(config)# int e0/5
RichASA5505(config-if)# switchport monitor ethernet0/1
RichASA5505(config-if)# switchport monitor ethernet0/2

Thats all there is to it. All traffic sent or received by hosts on port 0/1 and 0/2 will now be seen on port 0/5. Very useful if you want to keep tabs on what your small office workers are up to!
 

This entry was posted on Sunday, December 16th, 2007 at 3:40 pm and is filed under Config. Guides, Tricks and Tips. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.