Port Mirroring Configuration on Network Devices

With a deployed on-premises USM Anywhere Sensor, you can implement Network Intrusion Detection (NIDS) by monitoring the network traffic. You do this by enabling promiscuous mode on the port that the Sensor network interface(s) are connected to, so that they can see the traffic on the networks you wish to monitor, and by using port mirroring. This allows USM Anywhere to analyze the network traffic, which aids in the detection of threats in your environment.

By configuring a mirror port on your virtual switch or physical network device, you can clone all traffic to a single port. After configuration, the switch sends a copy of every network packet seen on one port (or on an entire VLAN) to another port. The USM Anywhere Sensor immediately starts receiving events from the device through that port and begins its analysis.

Important: AT&T Cybersecurity recommends that you send packets untagged through the SPAN/mirror port. This is because VLAN trunking is currently not supported. Therefore, Bridge Protocol Data Units (BPDUs) or packets sent through the other Layer 2 protocols are dropped. The Layer 2 protocols include, but are not limited to, Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Link Aggregation Control Protocol (LACP), Port Aggregation Protocol (PAgP), Spanning Tree Protocol (STP), and VLAN Trunk Protocol (VTP).
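As an added example (not part of the USM Anywhere documentation), the following Python audit takes raw Ethernet frames from the mirror feed and reports how many arrive 802.1Q-tagged, which the Sensor does not support, and how many belong to the Layer 2 control protocols listed above, which are dropped; it also peels stacked (QinQ) tags, going beyond the single-tag case. The frames here are constructed inline; in practice they would come from a capture on the Sensor's monitoring interface, which is an assumption, and the control-protocol destination MACs are the standard well-known addresses.

```python
import struct
from collections import Counter

VLAN_ETHERTYPES = {0x8100, 0x88A8, 0x9100}     # 802.1Q and 802.1ad (QinQ) tags
L2_CONTROL_MACS = {                            # destinations the Sensor drops
    "01:00:0c:cc:cc:cc": "CDP/DTP/VTP/PAgP",
    "01:80:c2:00:00:00": "STP BPDU",
    "01:80:c2:00:00:02": "LACP",
}

def parse_frame(frame):
    """Return destination MAC, stacked VLAN IDs (outer first) and EtherType."""
    dst = ":".join(f"{b:02x}" for b in frame[:6])
    offset, vlans = 12, []
    ethertype = struct.unpack("!H", frame[12:14])[0]   # struct.error = truncated
    while ethertype in VLAN_ETHERTYPES:        # peel every tag; QinQ stacks them
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)             # low 12 bits of the TCI = VLAN ID
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return {"dst": dst, "vlans": vlans, "ethertype": ethertype}

def audit_mirror_feed(frames):
    """Count tagged vs untagged frames and L2 control traffic on a SPAN feed."""
    s = {"total": 0, "untagged": 0, "tagged": 0,
         "vlan_ids": Counter(), "l2_control": Counter()}
    for frame in frames:
        info = parse_frame(frame)
        s["total"] += 1
        if info["vlans"]:                      # tagged: not supported by the Sensor
            s["tagged"] += 1
            s["vlan_ids"][info["vlans"][0]] += 1
        else:
            s["untagged"] += 1
        if info["dst"] in L2_CONTROL_MACS:     # will be dropped, not analysed
            s["l2_control"][L2_CONTROL_MACS[info["dst"]]] += 1
    return s

def build_frame(dst, vlan, ethertype):
    """Constructed sample frame: header, optional 802.1Q tag, zero payload."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex("aabbccddeeff")
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return hdr + tag + struct.pack("!H", ethertype) + b"\x00" * 46

SAMPLE_FEED = [                                # constructed, not captured traffic
    build_frame("00:11:22:33:44:55", None, 0x0800),  # untagged IPv4
    build_frame("00:11:22:33:44:55", 10, 0x0800),    # IPv4 tagged with VLAN 10
    build_frame("01:80:c2:00:00:00", None, 0x0026),  # STP BPDU (802.3 length field)
    build_frame("01:00:0c:cc:cc:cc", None, 0x0040),  # CDP (802.3 length field)
]
```

A non-zero `tagged` count on a real feed means the SPAN destination is still carrying tags and the switch side needs to be changed to send them untagged.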

Virtual Switches

  • VMware: This is configured by attaching one of the Sensor network interfaces to a port configured in promiscuous mode on a Virtual Switch. See Direct Traffic from Your Physical Network to the VMware Sensor for more information.

    In addition, the upstream physical switch that the ESXi host is connected to must have Port Mirroring enabled.

  • Hyper-V: This is configured by attaching one of the Sensor network interfaces to a port configured in promiscuous mode on the Virtual Network. See Direct Traffic from Your Physical Network to the Hyper-V Sensor for more information.

    In addition, the upstream physical switch that the Hyper-V Server is connected to must have Port Mirroring enabled.

Physical Devices

See the following for detailed information about port mirroring on a number of third-party network devices:

  • Configuring the ADTRAN (AOS) Switch for Port Mirroring

  • Configuring the Check Point Gateway for Port Mirroring

  • Configuring the Cisco ASA 5505 for Port Mirroring

  • Configuring the Cisco Nexus 5000 Series for Port Mirroring

  • Configuring the Cisco SGxxx Series for Port Mirroring

  • Configuring the Dell Networking Force10 Switch for Port Mirroring

  • Configuring Dell SonicWALL Port Mirroring

  • Configuring the Fortinet FortiGate Switch for Port Mirroring

Note: Cisco switches support a feature known as Switched Port Analyzer (SPAN), which enables traffic received on an interface or virtual local area network (VLAN) to be sent to a single physical port. SPAN technically implies that the source and destination ports are local to the same switch. If the traffic destination is on another, remote switch, the feature is Remote SPAN (RSPAN). If the destination requires crossing one or more IP networks, some switches can use Encapsulated Remote SPAN (ERSPAN).

USM Anywhere supports SPAN, RSPAN, ERSPAN, and VMware Encapsulated Remote Mirroring (L3) Source, which is an ERSPAN-like feature.