Secure a Cat switch 2950

Hi, I am currently configuring my switch, but I also found this link:

https://www.fir3net.com/Switches/Cisco/security-on-cisco-catalyst-switches.html

The configs I am specifically interested in are:

Switch Port Analyser (SPAN)

SPAN ports allow you to send all the traffic from other ports out to a designated port. This is normally configured if you need to place either a standard packet sniffer or an IDS/IPS (intrusion detection system / intrusion prevention system) on the designated port. OK.

(config)# monitor session 1 source interface fastethernet 0/1 - 20 both
(config)# monitor session 1 destination interface fastethernet 0/24

Storm control

Storm control allows you to configure actions at a port level based on the overall traffic level seen per port by the switch. Below is an example based upon port shutdown should the total throughput of traffic be broadcast-based.

(config-if)# storm-control action shutdown
(config-if)# storm-control broadcast level 70

I have input part of the above commands and they appear to be available on my switch.

Question 1: which ports, or when, should I add these configs above?
mikey250 Asked:
Kimputer Commented:
Use
monitor session 1 source interface fastethernet 0/1

if you want to monitor port 1.

Add more if you want to monitor more ports:

monitor session 1 source interface fastethernet 0/2

(etc. etc. etc., add as many as you like, or add none, if that's what you need)

These ports should be in use by a PC or something.

Then use this command:
monitor session 1 destination interface fastethernet 0/24

On port 24, connect your laptop/PC etc. (it will probably have no internet, just incoming packets from all those ports you specified before). Your NIC can have any IP; Wireshark will still display only packets from the ports you specified earlier.
asavener Commented:
Understanding Storm Control
Understanding Traffic Storm Control

A traffic storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. The traffic storm control feature prevents LAN ports from being disrupted by a broadcast, multicast, or unicast traffic storm on physical interfaces.

Traffic storm control (also called traffic suppression) monitors incoming traffic levels over a 1-second traffic storm control interval, and during the interval it compares the traffic level with the traffic storm control level that you configure. The traffic storm control level is a percentage of the total available bandwidth of the port. Each port has a single traffic storm control level that is used for all types of traffic (broadcast, multicast, and unicast).
Brief Description of SPAN

What is SPAN and why is it needed? The SPAN feature was introduced on switches because of a fundamental difference that switches have with hubs. When a hub receives a packet on one port, the hub sends out a copy of that packet on all ports except on the one where the hub received the packet. After a switch boots, it starts to build up a Layer 2 forwarding table on the basis of the source MAC address of the different packets that the switch receives. After this forwarding table is built, the switch forwards traffic that is destined for a MAC address directly to the corresponding port.

For example, if you want to capture Ethernet traffic that is sent by host A to host B, and both are connected to a hub, just attach a sniffer to this hub. All other ports see the traffic between hosts A and B.

On a switch, after the host B MAC address is learned, unicast traffic from A to B is only forwarded to the B port. Therefore, the sniffer does not see this traffic.

In this configuration, the sniffer only captures traffic that is flooded to all ports.

An extra feature is necessary that artificially copies unicast packets that host A sends to the sniffer port.

SPAN is useful in Intrusion Detection scenarios, and very occasionally in troubleshooting.
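As an added example (not from the question or either answer above), a small Python helper that builds the per-port storm-control stanzas for the user-facing access ports only, and parses `show storm-control` output to flag ports that reached the configured level in the last interval. The sample output is constructed and its column layout is assumed to match Catalyst IOS; it was not captured from a real 2950.

```python
import re

# Constructed sample of `show storm-control` output (column layout assumed to
# match Catalyst IOS; not captured from a real 2950).
SAMPLE_SHOW_STORM_CONTROL = """\
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/1      Forwarding     70.00%       70.00%       0.30%
Fa0/2      Blocking       70.00%       70.00%       91.50%
Fa0/3      Link Down      70.00%       70.00%       0.00%
Fa0/24     inactive       100.00%      100.00%      N/A
"""

# One data row: port, multi-word filter state, then three percentage (or N/A) columns.
ROW = re.compile(r"^(\S+)\s+(.+?)\s{2,}([\d.]+%|N/A)\s+([\d.]+%|N/A)\s+([\d.]+%|N/A)\s*$")

def pct(field):
    """'91.50%' -> 91.5; 'N/A' (no measurement, e.g. storm control off) -> None."""
    return None if field == "N/A" else float(field.rstrip("%"))

def parse_storm_control(output):
    """Map each port to its filter state and upper/lower/current levels."""
    ports = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:            # header and separator rows do not match
            continue
        port, state, upper, lower, current = m.groups()
        ports[port] = {"state": state, "upper": pct(upper),
                       "lower": pct(lower), "current": pct(current)}
    return ports

def storming_ports(parsed):
    """Ports whose measured level in the last 1-second interval reached the upper threshold."""
    return sorted(p for p, r in parsed.items()
                  if r["current"] is not None and r["upper"] is not None
                  and r["current"] >= r["upper"])

def storm_control_config(access_ports, level=70, action="shutdown"):
    """Interface stanzas for user-facing access ports only: trunk uplinks and the
    SPAN destination (Fa0/24 in the question) are deliberately not in access_ports."""
    lines = []
    for port in access_ports:
        lines += [f"interface {port}",
                  f" storm-control broadcast level {level}",
                  f" storm-control action {action}"]
    return "\n".join(lines)
```

Ports that `storming_ports` returns with action `shutdown` will be in err-disabled state and need `shutdown`/`no shutdown` (or errdisable recovery) after the broadcast source is found.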
mikey250 Author Commented:
Thanks for the advice given around those specific 2 questions. Much appreciated.