Switch Port Mirroring

The advent of switched networks made it very difficult for a network IDS to monitor its network promiscuously. This was overcome by configuring the switch to replicate the traffic from all ports or VLANs onto a single port. This function has a multitude of names, including Port Mirroring, Monitoring Port, Spanning Port, SPAN port and Link Mode port.

Port Mirroring generally indicates the ability to copy the traffic from a single port to a mirror port but disallows any type of bidirectional traffic on the port.
Spanning Port usually indicates the ability to copy traffic from all the ports to a single port but also typically disallows bidirectional traffic on the port.
In the case of Cisco, SPAN stands for Switch Port ANalyzer. Some switches do not allow SPAN ports to transmit packets, which is an issue if you wish to use IDS TCP countermeasures such as resets.

The Switch Port Analyzer (SPAN) feature is now available for hardware switch interfaces on FortiGate models with built-in hardware switches (for example, the FortiGate-100D, 140D and 200D).

To enable SPAN on a hardware switch via the GUI, go to System > Network > Interfaces and edit a hardware switch interface.

By default the system may have a hardware switch interface called LAN. A new hardware switch interface can also be created.
Select the SPAN check box, then select a source port from which traffic will be mirrored.
Select the destination port to which the mirrored traffic is sent.
Select to mirror traffic received, traffic sent, or both.

SPAN can also be enabled in the CLI (angle-bracket values are placeholders for the hardware switch interface name and the port names):

config system virtual-switch
    edit <name>
        set span enable
        set span-source-port <port>
        set span-dest-port <port>
        set span-direction {both | Tx | Rx}
    end

Port Mirroring Setup

The CLI for port mirrors is based on the industry standard. The following commands are supported (angle-bracket values are placeholders for the session name and interface):

monitor session <name> source <interface> [ rx | tx | both ]
monitor session <name> destination <interface>
Step 1 – Create the monitor sessions with a source interface

7050-1(config)#monitor session test1 ?
  destination   Mirroring destination configuration commands
  source        Mirroring source configuration commands
7050-1(config)#monitor session test1 source ?
  Ethernet      Ethernet interface
  Port-Channel  Lag interface
7050-1(config)#monitor session test1 source ethernet 1 ?
  both  Configure mirroring in both transmit and receive directions
  rx    Configure mirroring only in receive direction
  tx    Configure mirroring only in transmit direction
  ,     extend list
  -     specify range

7050-1(config)#monitor session test1 source ethernet 1
7050-1(config)#
Alternatively, create a port range to monitor multiple ports.

7050-1(config)#monitor session test1 source ethernet 1-4
Or use a list of ports to monitor interesting interfaces

7050-1(config)#monitor session test1 source ethernet 1,3,5,7-9
Specifying the optional direction of “Rx” or “Tx” controls the direction of mirroring, with “both” being the default.

7050-1(config)#monitor session test1 source ethernet 1-4 tx
Additionally a port channel can be a monitor source.

7050-1(config)#monitor session test2 source port-Channel 1
To add source ports to a mirroring session, the command can be issued multiple times: any new ports are added to the existing list, and the existing ones are retained. Similarly, to remove ports from the mirroring session, use the “no” form of the command; any ports not listed are retained on the session.

Step 2 – Set the monitor destination

7050-1(config)#monitor session test1 destination et 24
To verify the mirror session entry use the following command:

7050-1#sh monitor session
Session test1
Source Ports
Tx Only: Et1, Et2, Et3, Et4, Et5, Et7, Et8
Destination Port: Et24
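The following Python is an added illustration, not code from the original page or from any switch vendor. It models the session semantics described in Steps 1 and 2: repeated source commands accumulate ports, the “no” form removes only the listed ports, “both” is the default direction, and the result is rendered in the style of the show output above. The command grammar, the port-list expansion and the Et-style interface naming are assumptions of the model.

```python
import re
# Simplified model of the monitor-session semantics described above (assumption:
# Ethernet sources only; this is an added illustration, not the switch's code).
CMD = re.compile(r"^(?P<no>no )?monitor session (?P<name>\S+) (?P<kind>source|destination) "
                 r"ethernet (?P<ports>[\d,\-]+)(?: (?P<dir>rx|tx|both))?$")
LABEL = {"both": "Both", "tx": "Tx Only", "rx": "Rx Only"}

def expand_ports(spec):
    """Expand a port list such as '1,3,5,7-9' into [1, 3, 5, 7, 8, 9]."""
    ports = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports

class MirrorConfig:
    """Repeated 'source' commands accumulate ports; 'no ... source' removes
    only the listed ports and retains the rest; 'both' is the default direction."""

    def __init__(self):
        self.sessions = {}  # name -> {"sources": {"Et1": "tx", ...}, "destination": "Et24"}

    def run(self, line):
        m = CMD.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised command: {line!r}")
        sess = self.sessions.setdefault(m["name"], {"sources": {}, "destination": None})
        ports = [f"Et{p}" for p in expand_ports(m["ports"])]
        if m["kind"] == "destination":
            sess["destination"] = None if m["no"] else ports[0]
        elif m["no"]:
            for p in ports:
                sess["sources"].pop(p, None)  # only the listed ports are removed
        else:
            for p in ports:
                sess["sources"][p] = m["dir"] or "both"  # 'both' is the default
        return sess

    def show(self, name):
        """Render the session in the style of 'show monitor session'."""
        sess = self.sessions[name]
        out = [f"Session {name}", "Source Ports"]
        for d in ("both", "tx", "rx"):
            ports = sorted((p for p, pd in sess["sources"].items() if pd == d),
                           key=lambda p: int(p[2:]))
            if ports:
                out.append(f"{LABEL[d]}: " + ", ".join(ports))
        out.append(f"Destination Port: {sess['destination']}")
        return "\n".join(out)
```

Feed the commands from Steps 1 and 2 to `MirrorConfig.run` in order and call `show("test1")` to see which ports and directions the session ends up with.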