Shulou (Shulou.com), 06/01 report. Updated 2025-04-03.
SPAN explained:
With SPAN we can send a copy (mirror) of selected data streams on the switch, taken from the ports we want to monitor (hereinafter the controlled ports), to a traffic analyzer connected to the monitoring port, such as a Cisco IDS or a PC with a sniffer tool installed. The controlled port and the monitoring port can be on the same switch; that is local SPAN.
Background environment:
The firewall is the first word that comes to mind when we talk about security, and it is the device we rely on most. A carefully configured security scheme on it does bring good results, but that is far from enough. The firewall inspects traffic as it enters the network, so it is powerless against a kind of data-driven * (including logic × ×), against a private network host downloading a file package that carries a virus, and against some encrypted * *. It is equally powerless when something abnormal happens inside the network. At that point you need monitoring services inside the network. Since the firewall is limited, let's combine it with port mirroring.
Switches have a feature called port mirroring (SPAN) that solves this problem. For port mirroring you set, on the switch, the mirror source port (the port that the traffic to be inspected passes through) and the destination port (the port the detection device is connected to). This only inspects traffic on the switch the detection device is attached to. For traffic on other switches in the network we need RSPAN (Remote Switched Port Analyzer): we only need to connect one detection device to the switch at the center of the network to inspect the traffic of the whole network.
Local port mirroring configuration commands:
Create a port mirror group:
    mirroring-group group-id local
Enter the Ethernet interface view of the mirror destination port:
    interface interface-type interface-number
Define the current port as the mirror destination port:
    monitor-port
Enter the Ethernet interface view of the mirror source port:
    interface interface-type interface-number
Configure the mirror source port and specify the direction of the mirrored packets:
    mirroring-port {inbound | outbound | both}
Or use this method instead. Create a port mirror group:
    mirroring-group group-id local
Configure the mirror destination port:
    mirroring-group group-id monitor-port monitor-port
Configure the mirror source ports and specify the direction of the mirrored packets:
    mirroring-group group-id mirroring-port mirroring-port-list {both | inbound | outbound}
The following is a local port mirroring case:
    [sw] dis mirroring-group all
    mirroring-group 1:
        type: local
        status: active
        mirroring port:
            Ethernet1/0/10  both
            Ethernet1/0/20  both
        monitor port: Ethernet1/0/2
Build an FTP server and set up a user on pc2:
    [pc2] ftp server enable
    [pc2] local-user user1
    [pc2-luser-user1] password 123456
    [pc2-luser-user1] service-type ftp
Log in to pc2's FTP server from pc1:
The login information was captured on the detection device:
This is local SPAN: we have captured the data flow on the switch, and because FTP sends its login in cleartext we can see the account name and password, hey!
With this we can inspect traffic on the network at any time, from wherever the detection device is attached, for security control.
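As an added example (not part of the original article), here is a defender's use of the same mirrored traffic: flagging FTP logins whose credentials cross the network in cleartext, so those services can be moved to FTPS or SFTP. The record format, the addresses, the "backup" user and the audit_ftp helper are assumptions; user1/123456 is the account configured above.

```python
import re
from collections import defaultdict

# Constructed sample: reassembled FTP control-channel lines as a sensor on the
# monitor port might log them. Addresses, "backup" and reply texts are invented.
SAMPLE = [  # (client, server, direction, line)
    ("192.168.1.10", "192.168.1.20", "s2c", "220 FTP service ready."),
    ("192.168.1.10", "192.168.1.20", "c2s", "USER user1"),
    ("192.168.1.10", "192.168.1.20", "s2c", "331 Password required for user1."),
    ("192.168.1.10", "192.168.1.20", "c2s", "PASS 123456"),
    ("192.168.1.10", "192.168.1.20", "s2c", "230 User logged in."),
    ("192.168.1.11", "192.168.1.20", "c2s", "AUTH TLS"),
    ("192.168.1.11", "192.168.1.20", "s2c", "234 AUTH TLS successful."),
    ("192.168.1.12", "192.168.1.20", "c2s", "USER backup"),
    ("192.168.1.12", "192.168.1.20", "c2s", "PASS wrong"),
    ("192.168.1.12", "192.168.1.20", "s2c", "530 Login incorrect."),
]
CMD = re.compile(r"^(USER|PASS|AUTH)\b\s*(.*)$", re.IGNORECASE)

def audit_ftp(records):
    """Return one finding per cleartext FTP login attempt; passwords are not kept."""
    state = defaultdict(dict)  # (client, server) -> per-session state
    findings = []
    for client, server, direction, line in records:
        s = state[(client, server)]
        if s.get("tls"):
            continue  # after a 234 reply the control channel is encrypted
        if direction == "c2s":
            m = CMD.match(line.strip())
            if not m:
                continue
            verb, arg = m.group(1).upper(), m.group(2)
            if verb == "USER":
                s["user"] = arg
            elif verb == "PASS":
                s["pass_seen"] = True  # record the exposure, drop the secret
            elif verb == "AUTH":
                s["auth_req"] = True
        else:
            code = line[:3]
            if code == "234" and s.get("auth_req"):
                s["tls"] = True
            elif code in ("230", "530") and s.get("pass_seen"):
                findings.append({"client": client, "server": server,
                                 "user": s.get("user"), "login_ok": code == "230"})
                s.pop("pass_seen")
    return findings

for finding in audit_ftp(SAMPLE):
    print(finding)
```

The session that negotiates AUTH TLS produces no finding, and each finding names the client, server and account to remediate without storing the password.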
OK, we'll do RSPAN next time.