
Monitoring all traffic using cisco 2911 router and the security device

amanzoor asked:
Hi there,
I want to capture all traffic for my 2 locations; the attached file will show my existing network setup and the planned network setup. Please suggest if my planned network setup will work properly; the main idea is to capture all traffic.
To capture all the network traffic (for both B and O-campus) I need to install a network security device (WatchGuard or similar, for IPS network security) at B-Campus. What I am planning is to monitor Router port 0/1 on Router port 0/2 and connect the security device's WAN port to Cisco Router 2911 port 0/2, then connect the LAN port on the security device to the Cisco switch 2960 at port 48, and finally connect the Router port (0/0) to one of the gig ports on the security device. Will this infrastructure capture all the traffic on my security device? And will my internet flow be good?
Help plz
See attached files: network and router config.
network.docx
forEEpuposesAccesslistNewFeb2011.txt

Steve Jennings, Sr Manager Cloud Networking Ops, commented:
Unless I am missing something, you don't show a way to replicate the traffic you want to capture. That is, if you want to capture all traffic on port 0/1, that port needs to be "fed" from a switch that can mirror port traffic. That mirrored traffic would then be fed to your IPS.
amanzoor, Network Infrastructure Admin (Author), commented:
SteveJ:
Thanks for the reply.
So it means I cannot mirror traffic in the Cisco 2911 router from port 0/1 to port 0/2? If not, then this will lead me to start thinking of something else to capture all traffic. Seeing my network setup, what do you suggest would be the easiest way to capture all traffic?
Help
Steve Jennings, Sr Manager Cloud Networking Ops, commented:
You need a switch capable of mirroring a port. Any traffic you want to mirror will need to go in and out of the switch. Depending on the volume of mirrored traffic, you need to make sure the switch is capable... you don't want to overdrive the switch backplane.

Steve
amanzoor, Network Infrastructure Admin (Author), commented:
SteveJ: now the problem is: both of my 2960 switches at both campuses have Websense. I am already monitoring port 48 to port 47 on both switches. Now I want to install this security device; any other suggestion?
Help plz
Steve Jennings, Sr Manager Cloud Networking Ops, commented:
I'm not sure I follow. Why not mirror to port 46 and put the sec device there? What traffic do you have going to 47 and 48?
amanzoor, Network Infrastructure Admin (Author), commented:
SteveJ: at O-campus, if you look at the 2960 switch, its port 48 has a connection from my 2911 router and it's mirrored to port 47, and at port 47 I have Websense sniffing the traffic. Exactly the same setup at B-campus. What I was referring to is that I cannot mirror more than one port on my 2960 switch, otherwise things would be easy.
Now what I am going to do is put 2 security devices, one at each campus: at campus B right after the router, and at campus O before the 2960 switch. I hope this setup will work, instead of finding a way to filter all traffic at a single point.
Marius Gunnerud, Senior Systems Engineer, Top Expert 2013, commented:
Another thing you could do is configure SPAN or RSPAN.  This will duplicate the traffic on one port and send it to another port that is doing the monitoring.
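For reference, this is what a local SPAN session on a Catalyst 2960 looks like in IOS. It is an added example, not configuration posted in this thread; the interface numbers follow the thread's description (router uplink on port 48, Websense sensor on port 47) but are assumptions, and the port for the new security device (46) is hypothetical.

```cisco
! Added example, not from the thread. Interface numbers are assumptions:
!   Fa0/48 = uplink from the 2911 router (traffic to be copied)
!   Fa0/47 = existing Websense sensor (SPAN destination)
!   Fa0/46 = hypothetical port for the new security device
!
! One local SPAN session can list several source ports; "both" copies
! ingress and egress frames. Traffic from the listed sources is duplicated
! to the destination port.
configure terminal
 monitor session 1 source interface FastEthernet0/48 both
 monitor session 1 source interface FastEthernet0/46 both
 !
 ! "encapsulation replicate" keeps VLAN tags on the mirrored copy so the
 ! sensor sees frames as they crossed the wire.
 monitor session 1 destination interface FastEthernet0/47 encapsulation replicate
end
!
! Verify what the session is actually copying and where.
show monitor session 1
!
! Caveat: a SPAN destination port only receives mirrored frames and does not
! forward normal traffic, so the sensor's management connection needs a
! separate port. RSPAN extends this to another switch, but only across a
! Layer 2 trunk path; it does not cross a routed link such as the 2911.
```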
amanzoor, Network Infrastructure Admin (Author), commented:
MAG03:
I am already monitoring the traffic (for HTTP filtering) on both of my Cisco 2960 switches.
amanzoor, Network Infrastructure Admin (Author), commented:
Alright, so there is no point on this network where I can put one security device. I have planned to put 2, one at each location, under my Cisco 2911 router, which works very well. In this way I do not have to disrupt the already monitored traffic on the Cisco 2960 switches. Steve J is right: for replication of traffic I would need a switch.
Thanks guys. I really appreciate your time.