AlienVault® USM Anywhere™

Device Port Mirroring Configuration

With a deployed on-premises USM Anywhere Sensor, you can implement Network Intrusion Detection (NIDS)Network Intrusion Dectection System (NIDS) monitors network traffic and events for suspicious or malicious activity using the sensors that provide management and network monitoring interfaces to networks and network devices. by monitoring the network traffic. You can implement this by enabling promiscuous mode on the port that the Sensor network interface(s) are connected to so they can see the traffic on the networks you wish to monitor, and through the use of port mirroring. This allows USM Anywhere to perform analysis on the network traffic, which aids in the detection of threats in your environment.

By configuring a mirror port on your virtual switch or physical network device, you can clone all traffic to a single port. After configuration, the switch sends a copy of all network packets seen on one port (or an entire VLANBroadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). VLANs allow network administrators to group hosts together, even if the hosts are not on the same network switch.) to another port. The USM Anywhere Sensor immediately starts receiving events from the device through the port and begins its analysis.

Important: AT&T Cybersecurity recommends that you send packets untagged through the SPAN/mirror port. This is because VLAN trunking is currently not supported. Therefore, Bridge Protocol Data Units (BPDUs) or packets sent through the other Layer 2 protocols are dropped. The Layer 2 protocols include, but are not limited to, Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Link Aggregation Control Protocol (LACP), Port Aggregation Protocol (PAgP), Spanning Tree Protocol (STP), and VLAN Trunk Protocol (VTP).

Virtual Switches

Physical Devices

See the following for detailed information about port mirroring on a number of third-party network devices.

Configuring the ADTRAN (AOS) Switch for Port Mirroring

Configuring the Check Point Gateway for Port Mirroring

Configuring the Cisco ASA 5505 for Port Mirroring

Configuring the Cisco Nexus 5000 Series for Port Mirroring

Configuring the Cisco SGxxx Series for Port Mirroring

Configuring the Dell Networking Force10 Switch for Port Mirroring

Configuring Dell SonicWALL Port Mirroring

Configuring the Fortinet FortiGate Switch for Port Mirroring

Note: Cisco switches support a feature known as a Switched Port Analyzer (SPAN) which enables traffic received on an interface or virtual local area network (VLAN) to be sent to a single physical port. SPAN technically implies that the source and destination ports are local to the same switch. If the traffic destination is on another remote switch, it uses Remote SPAN (RSPAN). If the destination requires crossing one or more IP networks, some switches can use Encapsulated Remote SPAN (ERSPAN).

USM Anywhere supports SPAN, RSPAN, ERSPAN, and VMware Encapsulated Remote Mirroring (L3) Source, which is an ERSPAN-like feature.