Appendix

SPAN

Switched Port Analyzer (SPAN) sends a copy of the traffic passing through one or more switch ports to another port on the switch. SPAN mirrors received traffic, transmitted traffic, or both, from one or more source ports to a destination port for analysis.

SPAN mirrors ports to a destination port on the same switch; RSPAN (Remote SPAN) mirrors ports on one switch to a port on a different switch.

This example describes how to configure RSPAN on Cisco Catalyst switches (Cisco 2960).

RSPAN

A sample topology to monitor traffic on port Gi0/1 in Switch1 using an Ivanti Policy Secure Profiler connected to port Gi0/2 in Switch2 is shown below.

Create a VLAN that will be used as an RSPAN-VLAN on both switches. In this example vlan ID 999 is used as the RSPAN-VLAN. Allow the RSPAN-VLAN on the trunk port between Switch1 and Switch2.

Switch1 (Source switch)

Switch1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)#vlan 999
Switch1(config-vlan)#name RSPAN-Vlan
Switch1(config-vlan)#remote-span
Switch1(config-vlan)#exit
Switch1(config)#monitor session 1 source interface Gi0/1
Switch1(config)#monitor session 1 destination remote vlan 999
Switch1(config)#end

Allow VLAN ID 999 on the trunk port Gi0/2.

Switch1#sh run int g0/2
Building configuration...

Current configuration : 175 bytes
!
interface GigabitEthernet0/2
 description To-Switch2-port-Gi0/1
 switchport trunk allowed vlan 74,999
 switchport mode trunk
end

Switch2 (Destination switch)

Switch2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch2(config)#vlan 999
Switch2(config-vlan)#name RSPAN-Vlan
Switch2(config-vlan)#remote-span
Switch2(config-vlan)#exit
Switch2(config)#monitor session 1 source remote vlan 999
Switch2(config)#end

Allow VLAN ID 999 on the trunk port Gi0/1.

Switch2#sh run int g0/1
Building configuration...

Current configuration : 175 bytes
!
interface GigabitEthernet0/1
 description To-Switch1-port-Gi0/2
 switchport trunk allowed vlan 10,20,30,999,60
 switchport mode trunk
end

Allow VLAN ID 999 on the trunk port Gi0/2.

Switch1#sh run int g0/2
Building configuration...

Current configuration : 175 bytes
!
interface GigabitEthernet0/2
 description To-Switch2-port-Gi0/2
 switchport trunk allowed vlan 60,999
 switchport mode trunk
end

NetFlow

NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network traffic. Using a NetFlow collector and analyzer, you can see where network traffic is coming from and going to, and how much traffic is being generated.

NetFlow v5 or v9 has to be configured on the Cisco switch.

Commands on Cisco Switch

ueba-switch(config)#flow exporter UEBA
ueba-switch(config-flow-exporter)#destination <Ivanti Policy Secure IP>
ueba-switch(config-flow-exporter)#transport udp 2055
ueba-switch(config-flow-exporter)#export-protocol netflow-v9 (or netflow-v5)

Cisco Catalyst 3850 switches support only v9, whereas the Cisco 2960 supports both v5 and v9.

ueba-switch(config)#flow record UEBA
ueba-switch(config-flow-record)#match ipv4 protocol
ueba-switch(config-flow-record)#match ipv4 source address
ueba-switch(config-flow-record)#match ipv4 destination address
ueba-switch(config-flow-record)#match transport source-port
ueba-switch(config-flow-record)#match transport destination-port
ueba-switch(config-flow-record)#match interface input
ueba-switch(config-flow-record)#collect interface output

ueba-switch(config)#flow monitor UEBA
ueba-switch(config-flow-monitor)#exporter UEBA
ueba-switch(config-flow-monitor)#cache timeout active 60
ueba-switch(config-flow-monitor)#record UEBA

ueba-switch(config)#interface GigabitEthernet1/0/3    (interface to which the client endpoint is connected)
ueba-switch(config-if)#ip flow monitor UEBA input
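As an added example (not part of this appendix and not Ivanti's or Cisco's code), the following Python decodes a NetFlow v5 export datagram of the kind the exporter above sends to the collector on UDP 2055, extracting the same fields the UEBA flow record keys on (protocol, addresses, ports, input interface, output interface). The datagram bytes are constructed inline for illustration; the addresses and ifIndex values in it are assumed, and the FlowRecord class is the example's own.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List

# NetFlow v5 wire format: fixed 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


@dataclass
class FlowRecord:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int
    in_if: int     # ifIndex of the ingress interface ("match interface input")
    out_if: int    # ifIndex of the egress interface ("collect interface output")
    packets: int
    octets: int


def parse_netflow_v5(datagram: bytes) -> List[FlowRecord]:
    """Decode one v5 export datagram; reject wrong versions and truncation."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < expected:
        raise ValueError(f"truncated datagram: {len(datagram)} < {expected} bytes")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(FlowRecord(
            src=socket.inet_ntoa(f[0]), dst=socket.inet_ntoa(f[1]),
            in_if=f[3], out_if=f[4], packets=f[5], octets=f[6],
            src_port=f[9], dst_port=f[10], proto=f[13]))
    return flows


def build_sample_datagram() -> bytes:
    """Constructed sample: one TCP flow 10.0.0.5:51514 -> 10.0.1.20:443 seen on ifIndex 3."""
    header = V5_HEADER.pack(5, 1, 120000, 1700000000, 0, 1, 0, 0, 0)
    record = V5_RECORD.pack(
        socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.1.20"),
        socket.inet_aton("0.0.0.0"), 3, 0, 12, 1560, 100000, 115000,
        51514, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record
```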