A SPAN (Switched Port Analyzer) configuration, also commonly known as port mirroring, is a network switch feature that copies the traffic passing through one or more source ports (or VLANs) to a destination port, where an external tool can inspect it.
This article describes SPAN configurations in detail and provides information on how to confirm that your configuration is working and that your traffic is being seen by the Alert Logic® network intrusion detection system (IDS).
Note: This information is applicable for the Alert Logic® Cloud Defender™ platform.
Port mirroring via a SPAN configuration is used largely in physical network environments and is sometimes used in virtual environments as well.
Network IDSs must be able to inspect customer network traffic in order to perform their function, and a SPAN configuration is a straightforward way to meet this requirement. Keep in mind that the IDS only sees traffic that actually crosses the mirrored source ports, so choose sources that cover the segments you need visibility into.
An alternative to port mirroring for capturing and inspecting traffic is a host-based software agent. The Alert Logic network IDS supports both port mirroring and agent-based traffic capture.
The specifics of configuring a SPAN vary with the switch vendor, the network environment and which traffic needs to be mirrored; consult the switch vendor's documentation for the exact commands. Two settings deserve care: the direction to mirror on each source (ingress, egress or both), and the capacity of the destination port. Mirroring several busy ports, or both directions of a saturated link, into a single destination port oversubscribes it, and the switch silently drops the excess, leaving gaps in what the IDS sees.
Once you have configured your SPAN and connected the destination port to a network interface on an Alert Logic appliance, you need to specify the networks you wish to monitor in the Alert Logic console; by default, no networks are monitored. Use a dedicated capture interface for the SPAN feed: on most switches a SPAN destination port does not accept ingress frames, so the appliance still needs its management interface connected to an ordinary port. Refer to the Threat Manager Detection - Networks documentation for information on creating and specifying your networks.
Confirm Your SPAN Configuration is Working
Once you have configured your networks in the Alert Logic console, the network IDS begins inspecting your traffic for threats. If threats are found, events and incidents are generated that describe the characteristics of the threat. In production networks with normal levels of activity, threats are often detected within minutes or hours of the network IDS and the SPAN being configured.
Environments with little activity, or that are strongly hardened against threats, could however go days without a detected threat. In these cases it may not be obvious that your SPAN configuration is working. Before escalating, it is worth confirming on the switch that the monitor session is active with the intended sources and direction, and on the receiving side that mirrored frames are actually arriving on the capture interface. If you are still concerned that your SPAN configuration is not working, contact Alert Logic Support to confirm that your traffic is being monitored correctly.
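The receiving-side check described above, as an added example that is not part of this article and not Alert Logic code: on a Linux host cabled to the SPAN destination port (a test box, or any appliance whose shell you can reach), take two snapshots of `ip -s link show dev <iface>` a few seconds apart and look at the interface flags and counters. A healthy SPAN feed is UP, in promiscuous mode (otherwise the NIC discards mirrored frames addressed to other MACs), shows a growing receive count, no receive drops, and practically no transmit. The interface name eth1 and the two snapshot texts below are constructed for illustration; the column layout they follow is the one iproute2 prints.

```python
"""Sanity-check a SPAN capture interface from two `ip -s link` snapshots.

Added example for this article (not Alert Logic code). Assumes a Linux host
with iproute2; the interface name and the sample snapshots are constructed.
"""
import re
import subprocess
import time
from dataclasses import dataclass

# Constructed sample output of `ip -s link show dev eth1`, ten seconds apart.
SNAPSHOT_BEFORE = """\
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    RX:  bytes packets errors dropped  missed   mcast
    812345678 1000000  0      0        0        345
    TX:  bytes packets errors dropped carrier collsns
    0 0 0 0 0 0
"""
SNAPSHOT_AFTER = """\
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    RX:  bytes packets errors dropped  missed   mcast
    848765432 1045000  0      0        0        351
    TX:  bytes packets errors dropped carrier collsns
    0 0 0 0 0 0
"""
# Constructed failure case: no IDS/tcpdump holding the NIC in promiscuous mode,
# and the counters have not moved since SNAPSHOT_BEFORE.
SNAPSHOT_STALLED = SNAPSHOT_BEFORE.replace("PROMISC,", "")


@dataclass
class LinkStats:
    flags: set
    rx_packets: int
    rx_dropped: int
    tx_packets: int


def parse_ip_link_stats(text: str) -> LinkStats:
    """Parse the text of `ip -s link show dev X` into a LinkStats."""
    flags_match = re.search(r"<([^>]*)>", text)
    if not flags_match:
        raise ValueError("no <FLAGS> field found; is this `ip -s link` output?")
    flags = set(flags_match.group(1).split(","))
    lines = text.splitlines()
    rx = tx = None
    for i, line in enumerate(lines):
        head = line.strip()
        if head.startswith("RX:"):      # the values are on the line after the header
            rx = lines[i + 1].split()
        elif head.startswith("TX:"):
            tx = lines[i + 1].split()
    if rx is None or tx is None:
        raise ValueError("RX/TX counter lines not found")
    # Column order is bytes, packets, errors, dropped, ... for both RX and TX.
    return LinkStats(flags=flags, rx_packets=int(rx[1]),
                     rx_dropped=int(rx[3]), tx_packets=int(tx[1]))


def assess_span_interface(before: LinkStats, after: LinkStats) -> list:
    """Return a list of problems; an empty list means the feed looks healthy."""
    problems = []
    if "UP" not in after.flags or "LOWER_UP" not in after.flags:
        problems.append("link is down: check cabling and that the port is the SPAN destination")
    if "PROMISC" not in after.flags:
        problems.append("not in promiscuous mode: the NIC drops mirrored frames addressed to other hosts")
    if after.rx_packets - before.rx_packets <= 0:
        problems.append("no packets received between snapshots: SPAN session inactive or without sources")
    drop_delta = after.rx_dropped - before.rx_dropped
    if drop_delta > 0:
        problems.append(f"{drop_delta} receive drops: destination port or host may be oversubscribed")
    tx_delta = after.tx_packets - before.tx_packets
    if tx_delta > 0:   # a capture interface should be close to silent
        problems.append(f"{tx_delta} packets transmitted: capture interface should be receive-only")
    return problems


def snapshot(iface: str) -> LinkStats:
    """Take a live snapshot with iproute2 (requires a Linux host)."""
    out = subprocess.run(["ip", "-s", "link", "show", "dev", iface],
                         capture_output=True, text=True, check=True).stdout
    return parse_ip_link_stats(out)


if __name__ == "__main__":
    first = snapshot("eth1")
    time.sleep(10)
    issues = assess_span_interface(first, snapshot("eth1"))
    print("SPAN feed looks healthy" if not issues else "\n".join(issues))
```

Run it while the SPAN session is active; if the receive counter does not move, check the switch side first, since the most common causes are a session that was never enabled, sources with the wrong direction, or the destination cabled to the wrong port.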