Mirror Traffic to your Operation Center

Whether your company has a dedicated Network Operations Center (NOC) or Security Operations Center (SOC), or it's just you with a single machine, you are going to need a way to get the traffic from your company switch to your operations center so you can run it through intrusion detection systems, analyze it for anomalies, etc. To do this we will mirror the traffic that is passing through the company switch, using Switch Port Analyzer (SPAN), to a port that connects to the NOC.

CAT-3550#configure terminal
CAT-3550(config)#monitor session 1 source interface fastEthernet 0/0
CAT-3550(config)#monitor session 1 destination interface fastEthernet 0/23

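For a more extensive configuration, you might have a dedicated switch for the NOC and forward the traffic for a given VLAN to that switch using Remote Switched Port Analyzer (RSPAN). This way you can separate the traffic you want to analyze from the traffic generated by the NOC. On the source switch the mirrored traffic is sent into the RSPAN VLAN (VLAN 10 here), which is carried to the NOC switch over the trunk between the two switches. The Catalyst 3550 also requires a reflector port for this, which must be a port with nothing else connected to it.

CAT-3550#configure terminal
CAT-3550(config)#monitor session 1 source vlan 5
CAT-3550(config)#monitor session 1 destination remote vlan 10 reflector-port fastethernet 0/3

Now, on the remote switch, use the RSPAN VLAN as the source and send it to the port where the analyzer is connected:

CAT-3550R(config)#monitor session 1 source remote vlan 10
CAT-3550R(config)#monitor session 1 destination interface fastethernet 0/3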

Now we can monitor VLAN 10 on a dedicated interface, dedicated machine, or even multiple dedicated machines.
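
A consistency check for the two RSPAN configurations described above, as an added example that is not part of the original post: it parses running-config excerpts from both switches and reports anything that would stop mirrored traffic reaching the NOC. The sample configs, port numbers and function names are constructed for illustration, and the check assumes the RSPAN VLAN is declared with `remote-span` on both switches.

```python
import re

# Constructed running-config excerpts (not from the original post).
# VLAN 5 is mirrored into RSPAN VLAN 10; the port numbers are sample values.
SOURCE_SW = """\
vlan 10
 remote-span
!
monitor session 1 source vlan 5
monitor session 1 destination remote vlan 10 reflector-port Fa0/3
"""
NOC_SW = """\
vlan 10
 remote-span
!
monitor session 1 source remote vlan 10
monitor session 1 destination interface Fa0/3
"""

def rspan_vlans(cfg):
    """VLAN IDs whose 'vlan N' block contains 'remote-span'."""
    return {int(v) for v in
            re.findall(r"^vlan (\d+)\n(?: .*\n)*? remote-span$", cfg, re.M)}

def sessions(cfg):
    """session number -> {'source': [...], 'destination': [...]}"""
    out = {}
    for num, kind, rest in re.findall(
            r"^monitor session (\d+) (source|destination) (.+)$", cfg, re.M):
        out.setdefault(num, {"source": [], "destination": []})[kind].append(rest)
    return out

def check_rspan(source_cfg, noc_cfg):
    """Problems that would stop mirrored traffic reaching the NOC analyzer port."""
    problems = []
    sent = {int(v) for s in sessions(source_cfg).values()
            for d in s["destination"] for v in re.findall(r"^remote vlan (\d+)", d)}
    if not sent:
        problems.append("source switch: no 'destination remote vlan' session")
    for vlan in sorted(sent):
        for name, cfg in (("source", source_cfg), ("NOC", noc_cfg)):
            if vlan not in rspan_vlans(cfg):
                problems.append(f"{name} switch: vlan {vlan} is not remote-span")
        rx = [s for s in sessions(noc_cfg).values()
              if f"remote vlan {vlan}" in s["source"]]
        if not rx:
            problems.append(f"NOC switch: no 'source remote vlan {vlan}' session")
        elif not any(d.startswith("interface ") for s in rx for d in s["destination"]):
            problems.append(f"NOC switch: vlan {vlan} has no destination interface")
    return problems
```

An empty list from `check_rspan(SOURCE_SW, NOC_SW)` means the two ends agree on the RSPAN VLAN and the NOC switch delivers it to an analyzer port.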

Dec 29th, 2010 • Posted in Catalyst, IOS, SPAN, Switching