In order to configure an Intrusion Detection System (IDS) such as Snort (http://www.snort.org) or a sniffer for a switch, you need to select the interfaces or VLANs that you want to monitor. This monitoring is done with the Switched Port Analyzer (SPAN) feature.
While the setup of SPAN differs by switch model, the same concepts are common to all switches. You select the interfaces or VLANs that you want the current port to "monitor." Any traffic sent or received on the monitored interfaces or VLANs is then copied to your monitor port as well.
For example, let's assume we want to plug an IDS box into our switch on port fastethernet0/9. Our incoming Internet connection from the firewall is plugged into fastethernet0/1. This means that we want to send a copy of all traffic sent and received on fastethernet0/1 out to our IDS, which is on fastethernet0/9.
For the 2900xl/3500xl series devices, this is fairly straightforward:
interface FastEthernet0/9
 port monitor FastEthernet0/1
With this configuration, any packet transmitted or received by fastethernet0/1 is copied (mirrored) out interface fastethernet0/9. That way, our IDS box can listen to all incoming and outgoing packets and look for signs of intrusion. Two caveats apply. On these switches the monitor port and the monitored port must belong to the same VLAN. Also, the monitor port carries no normal switched traffic while it is configured, and because both directions of fastethernet0/1 are being copied onto a single port of the same speed, a busy link can exceed the monitor port's capacity; the switch then drops the excess, so the IDS may not see every packet.
We can verify this with show port monitor:
switch2#show port monitor
Monitor Port         Port Being Monitored
------------------   --------------------
FastEthernet0/9      FastEthernet0/1
On 2940, 2950, 2955, 2970, 3550, 3560, 3750 and most other series switches, you configure SPAN with the global configuration command monitor session instead, specifying the source and destination separately:
! Set up fastEthernet 0/1 as our SOURCE port
monitor session 1 source interface fastEthernet 0/1
! Set up fastEthernet 0/9 as our DESTINATION port
monitor session 1 destination interface fastEthernet 0/9
On a 2950, we can have only one monitor session, and we can monitor only interfaces (not VLANs) as sources.
To see the monitor configuration, use the show monitor command:
# show monitor session 1
Session 1
---------
Source Ports:
    RX Only:       None
    TX Only:       None
    Both:          Fa0/1
Destination Ports: Fa0/9
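Before trusting the IDS for coverage, it is worth checking from the outside that the mirror really exists and really copies both directions of the link you care about. The following is an added example, not code from the original text or from Cisco: it builds the two command variants shown above for a given source/destination pair, parses the show monitor session output exactly as it appears above (embedded here as a constructed sample), and checks that a named source port is mirrored in both directions to the IDS port. Interface names are normalised so that "fastEthernet 0/1", "FastEthernet0/1" and "Fa0/1" compare equal; the function and variable names are this example's own.

```python
import re

# Constructed sample: the "show monitor session 1" output as it appears in the text.
SAMPLE_SHOW_MONITOR = """\
Session 1
---------
Source Ports:
    RX Only:       None
    TX Only:       None
    Both:          Fa0/1
Destination Ports: Fa0/9
"""

# Short forms IOS prints in show output, mapped to the full interface type name.
_EXPANSIONS = {"fa": "fastethernet", "gi": "gigabitethernet", "te": "tengigabitethernet"}


def normalize(ifname):
    """Canonicalise an interface name: 'fastEthernet 0/1', 'FastEthernet0/1'
    and 'Fa0/1' all become 'fastethernet0/1'."""
    s = re.sub(r"\s+", "", ifname).lower()
    m = re.match(r"^([a-z]+)(\d.*)$", s)
    if not m:
        return s
    prefix, rest = m.groups()
    for full in _EXPANSIONS.values():
        if full.startswith(prefix):  # 'fa', 'fast' and 'fastethernet' all map to the full name
            return full + rest
    return prefix + rest


def span_config(source, ids_port, session=1, legacy=False):
    """Return the SPAN configuration lines for the two command families on the page.
    legacy=True gives the 2900XL/3500XL 'port monitor' form, configured on the
    monitor (destination) port; otherwise the global 'monitor session' form."""
    if legacy:
        return [f"interface {ids_port}", f" port monitor {source}"]
    return [
        f"monitor session {session} source interface {source}",
        f"monitor session {session} destination interface {ids_port}",
    ]


def parse_show_monitor(text):
    """Parse 'show monitor session N' output into
    {session_number: {'rx': [...], 'tx': [...], 'both': [...], 'dest': [...]}}."""
    keys = {"RX Only": "rx", "TX Only": "tx", "Both": "both", "Destination Ports": "dest"}
    sessions, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^Session (\d+)$", line)
        if m:
            current = {"rx": [], "tx": [], "both": [], "dest": []}
            sessions[int(m.group(1))] = current
            continue
        if current is None or not line or line.startswith("-"):
            continue
        m = re.match(r"^(RX Only|TX Only|Both|Destination Ports):\s*(.*)$", line)
        if not m:
            continue  # e.g. the "Source Ports:" heading line
        value = m.group(2).strip()
        if value and value != "None":
            current[keys[m.group(1)]] = [normalize(p) for p in re.split(r"[,\s]+", value) if p]
    return sessions


def is_mirrored(sessions, source, ids_port):
    """True when traffic in BOTH directions on `source` is copied to `ids_port`
    by some session: either listed under Both, or under RX Only and TX Only."""
    src, dst = normalize(source), normalize(ids_port)
    for s in sessions.values():
        if dst in s["dest"] and (src in s["both"] or (src in s["rx"] and src in s["tx"])):
            return True
    return False


if __name__ == "__main__":
    for line in span_config("FastEthernet0/1", "FastEthernet0/9"):
        print(line)
    sessions = parse_show_monitor(SAMPLE_SHOW_MONITOR)
    print("Fa0/1 -> Fa0/9 mirrored both ways:", is_mirrored(sessions, "Fa0/1", "Fa0/9"))
```

Running the check against the saved output of show monitor session 1 (or show port monitor, after adapting the parser to its two-column layout) from a change-control job catches the common failure where a session was removed or re-pointed and the IDS has been quietly seeing nothing.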