This section provides case studies that explain different methods of capturing traffic for an IPS sensor or IDSM-2 blade using different devices. A proper implementation of the traffic capturing technique is a very important and essential component of CS IPS operations and functions. Several devices are available to capture traffic for the IPS sensor, as detailed in the list and sections that follow:
Capturing IPS Traffic with a Hub

A hub is a single broadcast and collision domain, which means that any port connected to it is able to see all traffic sent by any other port connected to it. Hence, hub deployment is simple and easy, as there is no configuration involved. All you need to do is plug the sensing interface of the sensor into the hub along with all other devices. This type of setup is very useful for learning purposes in an isolated lab environment. For IPS, the hub supports the TCP reset functionality of the sensor, as receiving input packets from the sensor is not an issue for the hub ports. The biggest drawback of a hub is that it is a single collision domain, which results in poor network performance. For a larger deployment, a hub does not scale well, as it is a single broadcast domain. If for any reason the sensor is unable to sniff packets, make sure that the hub port, cable, and sensor sniffing port are in working condition. Be sure that your link light is green and blinking.

Capturing IPS Traffic with SPAN

As stated earlier, SPAN stands for Switch Port Analyzer. SPAN copies all packets from source VLANs or ports to a destination port. It is supported across most Cisco switches. However, different switches have different limitations on the use of SPAN, including the number of SPAN destination ports.

Note: Some switches do not allow incoming packets on a SPAN destination port. However, allowing incoming packets on the SPAN destination port is necessary if you wish to use a sniffing port as the TCP Reset port.

SPAN Terminology

To understand how SPAN works, and how to configure SPAN correctly, you need to understand the different terms used for SPAN. The following discussion is based on Figure 14-2.

Figure 14-2. SPAN Terminology
SPAN Traffic Types

Following is a list of some of the SPAN traffic types that can be configured on the switch when configuring SPAN:
SPAN on Catalyst 2900/3500XL

This section explains how to configure SPAN on Catalyst 2900/3500XL switches, and addresses some of the limitations of SPAN configuration.

Configuration Steps

You can configure SPAN with the port monitor interface command under the monitor command. Example 14-49 shows how to configure SPAN from ports fa0/1 and fa0/2 to port fa0/3.

Example 14-49. SPAN Configuration
Limitations

Some of the characteristics and limitations of SPAN on 2900/3500XL switches are as follows:
SPAN on Catalyst 2950, 3550 and 3750

Although Catalyst 2950, 3550, and 3750 switches can monitor incoming (Rx) traffic on a range of ports or VLANs, these switches can monitor outgoing (Tx) traffic on a single port only. Traffic routed from one VLAN to another is not captured as incoming (Rx) traffic. Whereas Catalyst 3750 and 3550 support two separate SPAN sessions, with separate or overlapping source ports or VLANs, Catalyst 2950 supports only one SPAN session. Both switched and routed interfaces may be configured as source and destination ports. Remote SPAN (RSPAN) is supported on Catalyst 2950, 3550, and 3750 switches. Source port types include FastEthernet, GigabitEthernet, EtherChannel, and VLANs. Multiple SPAN sessions can monitor the same source ports. However, a SPAN source port cannot be configured as a SPAN destination port. Unlike Catalyst 2900/3500XL, source ports can be in the same or different VLANs. Remember that the SPAN destination ports must be physical ports.

Note: You must be running 12.1(12C)EA1 on Catalyst 3550, and 12.1(13)EA1 on 2950, to support IPS TCP Reset functionality.

Configuration Steps

You can configure SPAN using the monitor session command on Catalyst 2950, 3550, or 3750. This section presents some examples of SPAN configuration. Example 14-53 shows the SPAN configuration for SPAN source interfaces (FastEthernet 0/1 and 0/2) and SPAN destination interface FastEthernet 0/3.

Example 14-53. SPAN Configuration with Source Interfaces
Note: Only an Rx SPAN session can have multiple source ports. When specifying multiple interfaces, the separator in the syntax can be a dash ( - ) or a comma ( , ). Example 14-54 shows the SPAN configuration with SPAN source VLANs.

Example 14-54. SPAN Configuration with Source VLANs
Note: Only an Rx SPAN session can have multiple source VLANs. When specifying multiple VLANs, the separator in the syntax can be a dash ( - ) or a comma ( , ). To allow the TCP reset feature on the sniffing port of the switch, define the ingress VLAN with the ingress vlan argument. Example 14-55 shows the configuration of a switch port that is required for TCP Resets.

Example 14-55. TCP Reset Configuration on the Sniffing Port of the Switch
Note: The Catalyst 2950/3550 allows you to configure a single VLAN to receive untagged TCP Reset packets. TCP Reset support is configured through the ingress vlan keywords. Only one VLAN is permitted. In Example 14-55, TCP reset is performed only if the attackers are on VLAN 1. If the attacker or target is on VLANs 2-5, TCP reset will not work. Catalyst 3550 and 3750 support two monitor sessions, as shown in Example 14-56; however, the 2950 supports one monitor session.

Example 14-56. Configuration of SPAN on 3550
Note: Source ports or VLANs can be separate or overlapping, as shown in Example 14-57, where SPAN source interface FastEthernet 0/3 is overlapping. If you intend to monitor a VLAN trunk port, and wish to filter one or more of the VLANs on that trunk, you can follow Example 14-57. This example monitors only VLANs 5 and 100-200 on the trunk.

Example 14-57. VLAN Filtering with SPAN Configuration
If the monitor session destination port is a trunk, you should also use the keyword encapsulation dot1q, as shown in Example 14-58. If you do not, packets are sent on the interface in native (untagged) format.

Example 14-58. Configuration for Trunking on Destination SPAN Port
Example 14-59 shows how to verify the configuration.

Example 14-59. Verifying the SPAN Configuration
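The following configuration is an added example, not one of the book's own Examples 14-53 through 14-59: it pulls the pieces described in this section (multiple Rx source ports, the ingress vlan keyword for TCP Reset, VLAN filtering on a trunk source, and a dot1q destination) into one two-session Catalyst 3550 configuration. The interface numbers, VLAN IDs and the choice of fa0/24 as the uplink trunk are assumptions.

```ios
! Added example (not from the book): SPAN on a Catalyst 3550 with two
! sessions, written from the syntax described in this section. Interface
! numbers, VLAN IDs and the trunk port are assumed.
!
! Session 1: copy Rx traffic from access ports fa0/1 and fa0/2 to the
! sensor's sniffing port fa0/3. "ingress vlan 1" makes the switch accept
! the sensor's TCP Reset packets on fa0/3 and place them in VLAN 1, so
! resets only reach attackers or targets that sit in VLAN 1.
monitor session 1 source interface fastethernet0/1 - 2 rx
monitor session 1 destination interface fastethernet0/3 ingress vlan 1
!
! Session 2: monitor the uplink trunk fa0/24 but keep only VLANs 5 and
! 100-200. The destination port carries dot1q tags so the sensor can tell
! which VLAN each frame came from; without "encapsulation dot1q" the
! copies would be sent untagged (native format).
monitor session 2 source interface fastethernet0/24 rx
monitor session 2 filter vlan 5 , 100 - 200
monitor session 2 destination interface fastethernet0/4 encapsulation dot1q
!
! Verify: each session must list the expected sources, neither destination
! may also appear as a source, and session 1 should show the ingress VLAN.
show monitor session 1
show monitor session 2
```

A 2950 accepts only session 1 here, and a source session cannot mix source ports with source VLANs, so a VLAN-based capture belongs in its own session.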
Limitations

Following are some of the limitations of using SPAN on Catalyst 2950, 3550 and 3750:
SPAN on Catalyst 4000/6000 with Cat OS

Catalyst 4000/6000 switches running Catalyst OS can be configured to monitor Rx, Tx, and both traffic types for source ports and VLANs. Whereas Catalyst 4000 supports up to 5 SPAN sessions, Catalyst 6000 supports 2 Rx or Both sessions and 4 Tx sessions. Following are some of the important points to keep in mind when configuring SPAN:
Configuration Steps

To configure SPAN on the Catalyst 6000 series switch, use the following syntax:

set span {src_mod/src_ports | src_vlans | sc0} {dest_mod/dest_port} [rx | tx | both] [inpkts {enable | disable}] [learning {enable | disable}] [multicast {enable | disable}] [filter vlans...] [create]

The syntax for SPAN on the Catalyst 4000 is as follows:

set span {src_mod/src_ports | src_vlan} dest_mod/dest_port [rx | tx | both] [filter vlan] [inpkts {enable | disable}] [learning {enable | disable}] [create]

Use the create keyword with different destination ports to create multiple SPAN sessions. If the create keyword is not used, and a SPAN session exists with the same destination port, the existing session is replaced. If the destination port is different, a new session is created. To create a simple SPAN session with source port 2/1 and destination port 4/5, use the following command:

c6500 (enable) set span 2/1 4/5

The following command configures SPAN for source VLAN 100 and destination port 4/5:

c6500 (enable) set span 100 4/5

If TCP reset is required on the SPAN destination port, enable inpkts with the following command:

c6500 (enable) set span 136 3/5 inpkts enable learning disable

To filter certain VLANs, use the filter keyword as follows:

c6500 (enable) set span 3/15 4/5 filter 125,150

The following command shows how to remove a SPAN session on the Catalyst 6000 switch:

c6500 (enable) set span disable 3/5

SPAN on Catalyst 4000/6000 with Native IOS

Just as with Catalyst OS, Catalyst 4000/6000 switches running Native IOS can be configured to monitor Rx, Tx, and both traffic types for source ports and VLANs. Although it is possible to mix source interfaces and source VLANs in a single SPAN session, it is not possible to mix source VLANs with filter VLANs in a single SPAN session. Layer 2 ports (configured with the switchport command) and Layer 3 ports (without the switchport command) can both be configured as SPAN source or destination ports.
Catalyst 4000 supports up to six SPAN sessions (a session configured with both is counted as two sessions). Catalyst 6000 running Native IOS supports only two SPAN sessions. It supports 64 SPAN destination interfaces. For SPAN source interfaces, the Catalyst 6000 supports 1 egress and 64 ingress interfaces. Source interfaces do not need to belong to the same VLAN.

Note: Catalyst 6000 running Native IOS supports RSPAN (Remote SPAN), but Catalyst 4000 running Native IOS does not. However, neither switch running Native IOS supports IPS TCP Reset functionality with current versions.

Configuration Steps

The syntax for configuring Catalyst 6000 series switches is as follows:

monitor session session_number source {{single_interface | interface_list | interface_range | mixed_interface_list | single_vlan | vlan_list | vlan_range | mixed_vlan_list} [rx | tx | both] | remote vlan rspan_vlan_ID}

monitor session session_number destination {single_interface | interface_list | interface_range | mixed_interface_list | remote vlan rspan_vlan_ID}

To configure SPAN on the Catalyst 4000 series switch, use the following syntax:

[no] monitor session {session_number} {source {interface type/num} | {vlan vlan_ID}} [, | - | rx | tx | both]

[no] monitor session {session_number} {destination {interface type/num}}

Example 14-62 shows a simple SPAN configuration based on the source port.

Example 14-62. Sample SPAN Configuration Based on the Source Port
Example 14-63 shows the configuration of SPAN based on the source VLAN.

Example 14-63. SPAN Configuration Based on the Source VLAN
Example 14-64 shows how to monitor only VLAN 100 on a trunk source port.

Example 14-64. SPAN Configuration for Filtering Based on VLAN
The following command removes a SPAN session:

c4500(config)# no monitor session 1

Capturing IPS Traffic with Remote SPAN (RSPAN)

RSPAN has all the features of SPAN plus support for source ports and destination ports that are distributed across multiple switches. RSPAN therefore allows remote monitoring of multiple switches across your network. The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated to that RSPAN session in all participating switches. The SPAN traffic from the sources, which cannot be in the RSPAN VLAN, is switched to the RSPAN VLAN and is forwarded to the destination ports that are configured in the RSPAN VLAN. The traffic type for the sources (ingress, egress, or both) in an RSPAN session can be different in the different source switches, but is the same for all the sources in each source switch for each RSPAN session. Do not configure any ports in an RSPAN VLAN except those that are selected to carry the RSPAN traffic. Learning is disabled on the RSPAN VLAN.

Hardware Requirements

The requirements for the RSPAN supervisor engine are as follows:
Configuration Steps

Work through the following steps to configure RSPAN for capturing traffic from multiple switches and for monitoring the traffic on the switch port that you choose:
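As an added example that is not part of the book's own configuration steps, the following shows the two-switch RSPAN layout described above on Catalyst 6000 switches running Native IOS, using the remote vlan form of the monitor session syntax given earlier. VLAN 900, the interface numbers and the trunk between the switches are assumptions.

```ios
! Added example (not from the book): RSPAN between two Catalyst 6000s
! running Native IOS. VLAN 900, the interfaces and the inter-switch trunk
! are assumed. The RSPAN VLAN must exist on every switch in the path and
! be allowed on the trunks between them.
!
! --- Source switch (where the monitored traffic enters) ---
vlan 900
 name RSPAN-to-IPS
 remote-span
!
! Both directions of gi1/1 are copied into the RSPAN VLAN; the source
! port itself must not be a member of VLAN 900.
monitor session 1 source interface gigabitethernet1/1 both
monitor session 1 destination remote vlan 900
!
! --- Destination switch (where the sensor's sniffing port is) ---
vlan 900
 name RSPAN-to-IPS
 remote-span
!
! Everything arriving on the RSPAN VLAN is handed to the sensor on gi1/2.
monitor session 1 source remote vlan 900
monitor session 1 destination interface gigabitethernet1/2
!
! Checks: "show vlan remote-span" must list 900 on both switches, no
! access ports other than those carrying RSPAN traffic may sit in VLAN
! 900, and the trunks in between must not prune VLAN 900; if any of these
! is wrong the sensor silently receives nothing.
show vlan remote-span
show monitor session 1
```

TCP Reset is not available through this path, since Native IOS on these switches does not support it (see the note in the previous section).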
Capturing IPS Traffic with VACL

A VLAN ACL (VACL) specifies the traffic to be captured for a single port or VLAN. VACL Capture copies filtered packets from source VLANs to a destination port. It is supported only on Catalyst 6000, with either Cat OS or Native IOS. It offloads processing from the supervisor engine to the Policy Feature Card (PFC), which is required when using this feature. The PFC is included with the Sup1A, Sup2, and Sup720. Here are some important facts about VACL:
VACL configuration on Catalyst switches running CatOS and Native IOS is discussed in the sections entitled "VACL Configuration on Switch running CatOS" and "VACL Configuration on Switch running Native IOS" in Chapter 15, "Troubleshooting IDSM-2 Blade on Switch," respectively. Hence the same information is not repeated in this section.

Capturing IPS Traffic with RSPAN and VACL

You can use a combination of the RSPAN and VACL features to capture and send traffic to a SPAN destination across multiple switches. For more details on RSPAN implementation with VACL, refer to the following link: http://www.cisco.com/en/US/products/hw/switches/ps708/products_data_sheet09186a008017b753.html

Capturing IPS Traffic with MLS IP IDS

On Catalyst 6000 switches with IOS Firewall (CBAC), VACL Capture no longer functions, and an alternate capture method is needed. Using the mls ip ids command is a good option. This uses an Access Control List (ACL) to define interesting traffic, and then the traffic is captured by applying the mls ip ids command to VLAN interfaces. When monitoring multiple VLANs or interfaces, apply the command to each interface to see both sides of the traffic flow. Doing so provides capabilities similar to VACL Capture. Refer to Chapter 15, "Troubleshooting IDSM-2 Blade on Switch," under the sections entitled "MLS IP IDS Configuration on Switch running CatOS" and "MLS IP IDS Configuration on Switch running Native IOS" for the MLS IP IDS configuration on the Catalyst switch running CatOS and Native IOS, respectively.
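The following is an added example, not the configuration from Chapter 15, showing the mls ip ids method just described on a Catalyst 6000 running Native IOS: an ACL selects the interesting traffic, the command is applied to each VLAN interface so both sides of a routed flow are seen, and the sensor's port is set up as a capture port. The ACL name, VLAN numbers and the sensor port GigabitEthernet5/1 are assumptions.

```ios
! Added example (not from the book): capture with mls ip ids on a
! Catalyst 6000 running Native IOS. The ACL name, VLANs and the sensor's
! switch port are assumed.
!
! 1. Define the interesting traffic. Only packets permitted by the ACL
!    are copied to the sensor; "permit ip any any" captures everything
!    on the VLAN, while a narrower ACL reduces the load on the sensor.
ip access-list extended IPS-CAPTURE
 permit ip any any
!
! 2. Apply the ACL to every VLAN interface whose traffic the sensor must
!    see. For a flow routed between VLAN 10 and VLAN 20 both interfaces
!    need it, otherwise the sensor sees only one direction of the flow.
interface Vlan10
 mls ip ids IPS-CAPTURE
!
interface Vlan20
 mls ip ids IPS-CAPTURE
!
! 3. Make the sensor's sniffing port a capture port so the copied packets
!    are delivered to it, restricted to the VLANs being captured.
interface GigabitEthernet5/1
 switchport
 switchport capture
 switchport capture allowed vlan 10,20
```

With this in place the IOS Firewall (CBAC) and the capture coexist on the same VLAN interfaces, which VACL Capture could not do.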