AlienVault® USM Anywhere™

Device Port Mirroring Configuration

With a deployed on-premises USM Anywhere Sensor, you can implement Network Intrusion Detection (NIDS) by monitoring the network traffic. A Network Intrusion Detection System (NIDS) monitors network traffic and events for suspicious or malicious activity using the Sensors that provide management and network monitoring interfaces to networks and network devices. You can implement this by enabling promiscuous mode on the port that the Sensor network interface(s) are connected to, so they can see the traffic on the networks you wish to monitor, and through the use of port mirroring. This allows USM Anywhere to perform analysis on the network traffic, which aids in the detection of threats in your environment.

By configuring a mirror port on your virtual switch or physical network device, you can clone all traffic to a single port. After configuration, the switch sends a copy of all network packets seen on one port (or an entire VLAN) to another port. A VLAN is a broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2); VLANs allow network administrators to group hosts together, even if the hosts are not on the same network switch. The USM Anywhere Sensor immediately starts receiving events from the device through the port and begins its analysis.

Virtual Switches

Physical Devices

See the following for detailed information about port mirroring on a number of third-party network devices.

Configuring the ADTRAN (AOS) Switch for Port Mirroring

Configuring the Check Point Gateway for Port Mirroring

Configuring the Cisco ASA 5505 for Port Mirroring

Configuring the Cisco Nexus 5000 Series for Port Mirroring

Configuring the Cisco SGxxx Series for Port Mirroring

Configuring the Dell Networking Force10 Switch for Port Mirroring

Configuring Dell SonicWALL Port Mirroring

Configuring the Fortinet-FortiGate Switch for Port Mirroring

Note: Cisco switches support a feature known as SPAN (short for Switch Port Analyzer), which allows traffic received on an interface or VLAN to be sent to a single physical port. SPAN technically implies that the source and destination ports are local to the same switch. If the traffic destination is on another remote switch, it uses Remote SPAN (RSPAN). If the destination requires crossing one or more IP networks, some switches can use Encapsulated Remote SPAN (ERSPAN).

USM Anywhere supports both SPAN and RSPAN. It does not support ERSPAN.