WFilter deployment with cisco 2950 switch

4.0

Author:
IMFirewall Software
HomePage:
http://www.imfirewall.us

1. Network Topology

An office uses ISA server 2004 as the proxy server, with a cisco 2950 switch as the central switch. The network topology diagram:



Figure 1

There are two ways to deploy WFilter in such a network:

  1. Install WFilter directly on the ISA server computer.
  2. Set up a mirroring port on the cisco 2950 and connect the WFilter computer to the mirroring port.

Please note: because WFilter only analyzes traffic between the local network and the internet, to monitor a local proxy server you need to add the proxy server's IP address to "Local Servers" in "System Settings"->"Monitoring Settings".

2. Port Mirroring Settings of cisco 2950

In this example, the proxy server is connected to "Port 23" and the WFilter computer is connected to "Port 22". To monitor all internet traffic, we need to mirror "port 23" to "port 22".

2.1 Port Mirroring Syntax:

monitor session session_number {destination {interface interface-id [, | -] [encapsulation {dot1q}] [ingress vlan vlan-id] | remote vlan vlan-id reflector-port interface-id}} | {source {interface interface-id [, | -] [both | rx | tx] | remote vlan vlan-id}}

2.2 Commands:

  1. Set source port: monitor session 1 source interface Fa0/23
  2. Set target port: monitor session 1 destination interface Fa0/22 ingress vlan 1

By default, the mirroring (destination) port of the cisco 2950 is receive-only. However, WFilter must be able to send packets through that port for blocking to work. So in this example we add the "ingress vlan 1" parameter to enable outgoing traffic on port 22. If your switch does not support the "ingress" parameter, you need to add another NIC to the WFilter computer as the blocking adapter.
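The following IOS session is an added example, not taken from the original page or from IMFirewall; it shows the receive-only default beside the corrected session with ingress enabled, plus the verification and save steps. The port numbers follow the page (proxy on Fa0/23, WFilter host on Fa0/22); session number 1 and VLAN 1 are assumptions.

```cisco
! Added example (not from the original page). Ports follow the page:
! proxy server on Fa0/23, WFilter host on Fa0/22.
! Session number 1 and VLAN 1 are assumptions.
!
! --- Weak setting: destination port is receive-only (switch default) ---
! WFilter sees every packet but cannot send its blocking packets, so
! monitoring appears to work while blocking silently fails.
configure terminal
 no monitor session 1
 monitor session 1 source interface Fa0/23 both
 monitor session 1 destination interface Fa0/22
end
!
! --- Corrected setting: allow the WFilter host to transmit via Fa0/22 ---
configure terminal
 no monitor session 1
 monitor session 1 source interface Fa0/23 both
 monitor session 1 destination interface Fa0/22 ingress vlan 1
end
!
! Verify: the session should list Fa0/23 as the source (both directions)
! and Fa0/22 as the destination with ingress enabled on VLAN 1.
show monitor session 1
!
! Persist the configuration across reloads.
copy running-config startup-config
```

If "ingress" is rejected as an unrecognized keyword, the switch firmware does not support it and the second-NIC approach described above applies.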



To check whether port mirroring is properly configured, please check: How to check whether port mirroring is properly configured?

For more WFilter deployment examples, please check: WFilter Deployment Examples.