Case Studies


This section provides some case studies that explain different methods of capturing traffic for the IPS sensor and the IDSM-2 blade using different devices. A proper implementation of the traffic-capturing technique is an essential component of Cisco IPS operation. Several devices are available to capture traffic for the IPS sensor, as detailed in the list and sections that follow:

  • Capturing IPS traffic with a hub

  • Capturing IPS traffic with SPAN

  • Capturing IPS traffic with remote SPAN (RSPAN)

  • Capturing IPS traffic with VACL

  • Capturing IPS traffic with RSPAN and VACL

  • Capturing IPS traffic with MLS IP IDS

Capturing IPS Traffic with a Hub

A hub is a single broadcast and collision domain, which means that any port connected to it can see all traffic sent by any other port connected to it. Hence, hub deployment is simple and easy, as there is no configuration involved. All you need to do is plug the sensing interface of the sensor into the hub along with all other devices. This type of setup is very useful for learning purposes in an isolated lab environment. For IPS, the hub supports the TCP reset functionality of the sensor, as receiving input packets from the sensor is not an issue for the hub ports.

The biggest drawback with a hub is that it is a single collision domain, which results in poor network performance. For a larger deployment, a hub does not scale well, as it is a single broadcast domain.

If, for any reason, the sensor is unable to sniff packets, make sure that the hub port, the cable, and the sensor sniffing ports are in working condition. Be sure that your link light is green and blinking.

Capturing IPS Traffic with SPAN

As stated earlier, SPAN stands for Switch Port Analyzer. SPAN copies all packets from source VLANs or ports to a destination port. It is supported across most Cisco switches. However, different switches have different limitations on the use of SPAN, including the number of SPAN destination ports.

Note

Some switches do not allow incoming packets on a SPAN destination port. However, allowing incoming packets on the SPAN destination port is necessary if you wish to use a sniffing port as the TCP reset port.


SPAN Terminology

To understand how SPAN works, and how to configure SPAN correctly, you need to understand the terminology used for SPAN. The following discussion is based on Figure 14-2.

Figure 14-2. SPAN Terminology


  • Ingress Traffic: Traffic that is entering the switch is called ingress traffic.

  • Egress Traffic: Traffic that is leaving the switch is called egress traffic.

  • SPAN Source Port or VLAN: A SPAN source port can be the incoming port for ingress traffic or the outgoing port for egress traffic. SPAN source ports or VLANs are configured as Rx (for ingress traffic), Tx (for egress traffic), or both (ingress and egress traffic on a port).

  • SPAN Destination Port: Spanned traffic is transmitted to this port. This is where the IPS sensor is connected.

SPAN Traffic Types

Following is a list of some of SPAN traffic types that can be configured on the switch when configuring SPAN:

  • Receive SPAN (Rx): The Rx SPAN session monitors all traffic inbound to a source port or VLAN, before any modification or processing is performed by the switch. With the Rx type, you must configure rx on both ports that the traffic traverses. For example, to capture the traffic in Figure 14-2 from Host A to Host B, configure Rx SPAN on both ports of the switch.

  • Transmit SPAN (Tx): The Tx SPAN session monitors all traffic outbound from a source port or VLAN, after modification and processing is performed on the switch. To capture the traffic in Figure 14-2 from Host A to Host B, configure both the Host A and the Host B ports as Tx SPAN.

  • Transmit and Receive SPAN (Both): With both SPAN types on one source, you configure just one port instead of two to get the packets for both directions. In Figure 14-2, you need to configure only the switch port for either Host A or Host B as both to get a copy of the traffic that flows through the switch. If both ports are configured, the sensor might receive duplicate copies of packets.

SPAN on Catalyst 2900/3500XL

This section explains how to configure SPAN on Catalyst 2900/3500XL switches, and addresses some of the limitations of SPAN configuration.

Configuration Steps

You can configure SPAN with the port monitor command in interface configuration mode, entered on the interface that will be the monitor (destination) port. Example 14-49 shows how to SPAN ports fa0/1 and fa0/2 to port fa0/3.

Example 14-49. SPAN Configuration

c3524(config-if)#interface fa0/3
c3524(config-if)#port monitor fa0/1
c3524(config-if)#port monitor fa0/2
c3524(config-if)#^Z
c3524#show port monitor
Monitor Port          Port Being Monitored
--------------------- ---------------------
FastEthernet0/24      FastEthernet0/1
FastEthernet0/24      FastEthernet0/2
C3524#

Limitations

Some of the characteristics and limitations of SPAN on 2900/3500XL switches are as follows:

  • Monitored ports must be on the same VLAN: The monitored and monitor interfaces must be on the same VLAN; otherwise, you will not be able to configure SPAN. Example 14-50 shows the message that appears if the monitored and monitor ports are in different VLANs.

    Example 14-50. The Message that Is Shown when Monitored and Monitor Interfaces Are Not on the Same VLAN.

    c3524(config)#int fa0/3
    c3524(config-if)#port monitor fa0/5
    FastEthernet0/3 and FastEthernet0/5 are in different vlan
    c3524(config-if)#

  • Unable to modify monitored ports: If a port is configured to be monitored for SPAN, you cannot make any changes to the port unless you remove it from monitoring. If you attempt to change a port that is being monitored, you will receive a message similar to the one shown in Example 14-51.

    Example 14-51. Message Shown on the Switch When Attempting to Make Changes on the Monitored Port

    c3524(config)#int fa0/1
    c3524(config-if)#switchport access vlan 2
    FastEthernet0/1 is being monitored
    C3524(config-if)#

  • Unable to monitor a source VLAN: You can SPAN only a source port, not a VLAN. The port monitor vlan command is used only for monitoring management traffic destined to the IP address that is configured on VLAN 1 of the switch. Example 14-52 shows the message that appears on the switch if you try to configure a VLAN other than the management VLAN.

    Example 14-52. Message That Appears on the Switch When a Different VLAN Is Assigned

    c3524(config)#int fa0/3
    c3524(config-if)#port monitor vlan ?
      <1-1001> VLAN interface number
    c3524(config-if)#port monitor vlan 2
                                       ^
    % Invalid input detected at '^' marker.
    c3524(config-if)#port monitor vlan 1
    c3524(config-if)#

  • Accidentally monitoring all ports: If you configure the port monitor command without specifying a port, all ports in the same VLAN as the monitor port are spanned, which might create undesired results.

  • Monitor Port must be configured as Static Access, not multi-VLAN.

  • SPAN should not monitor Private VLAN Edge ports.

  • If a monitored port is a VLAN trunk, only the specific VLAN that the Monitor port belongs to will be monitored.

  • There is no limit on the number of SPAN sessions.

  • RSPAN (Remote SPAN) is not supported.

  • IPS TCP Resets do not work on most images. Learning cannot be disabled. There have been reports of some older images working, but that is not something you can count on.

SPAN on Catalyst 2950, 3550 and 3750

Although Catalyst 2950, 3550, and 3750 switches can monitor incoming (Rx) traffic on a range of ports or VLANs, they can monitor outgoing (Tx) traffic on a single port only. Traffic routed from one VLAN to another is not captured as incoming (Rx) traffic. Whereas Catalyst 3750 and 3550 support two separate SPAN sessions, with separate or overlapping source ports or VLANs, Catalyst 2950 supports only one SPAN session.

Both switched and routed interfaces may be configured as source and destination ports. Remote SPAN (RSPAN) is supported on Catalyst 2950, 3550, and 3750 switches. Source port types include FastEthernet, GigabitEthernet, EtherChannel, and VLANs. Multiple SPAN sessions can monitor the same source ports. However, a SPAN source port cannot be configured as a SPAN destination port.

Unlike Catalyst 2900/3500XL, source ports can be in the same or different VLANs. Remember that the SPAN destination ports must be physical ports.

Note

You must be running 12.1(12C)EA1 on Catalyst 3550, and 12.1(13)EA1 on 2950 to support IPS TCP Reset functionality.


Configuration Steps

You can configure SPAN using the monitor session command on Catalysts 2950, 3550, or 3750. This section presents some examples of SPAN configuration.

Example 14-53 shows the SPAN configuration for SPAN source interfaces (FastEthernet 0/1 and 0/2) and SPAN destination interface FastEthernet 0/3.

Example 14-53. SPAN Configuration with Source Interfaces

c3550(config)# monitor session 1 source ?
  interface  SPAN source interface
  remote     SPAN source Remote
  vlan       SPAN source VLAN
c3550(config)#monitor session 1 source interface fa0/1 - 2 rx
c3550(config)#monitor session 1 destination interface fa0/3

Note

Only an Rx SPAN session can have multiple source ports. When specifying multiple interfaces, the separator can be a dash ( - ) for a range or a comma ( , ) for a list, surrounded by spaces as in the example.


Example 14-54 shows the SPAN configuration with SPAN source VLANs.

Example 14-54. SPAN Configuration with Source VLANs

c3550(config)# monitor session 1 source vlan 1 - 5 rx
c3550(config)#monitor session 1 destination interface fa0/3

Note

Only an Rx SPAN session can have multiple source VLANs. When specifying multiple VLANs, the separator can be a dash ( - ) for a range or a comma ( , ) for a list.


To allow the TCP reset feature on the sniffing port of the switch, define the ingress VLAN with the ingress vlan keyword on the destination interface. Example 14-55 shows the switch port configuration that is required for TCP resets.

Example 14-55. TCP Reset Configuration on the Sniffing Port of the Switch

c3550(config)#monitor session 1 source vlan 1 - 5 rx
c3550(config)#monitor session 1 destination interface fa0/3 ingress vlan 1

Note

The Catalyst 2950/3550 allows you to configure a single VLAN to receive untagged TCP reset packets. TCP reset support is configured through the ingress vlan keywords, and only one VLAN is permitted. In Example 14-55, TCP reset works only if the attacker is on VLAN 1. If the attacker or target is on VLANs 2-5, TCP reset will not work.


Catalysts 3550 and 3750 support two monitor sessions as shown in Example 14-56; however, 2950 supports one monitor session.

Example 14-56. Configuration of SPAN on 3550

c3550(config)#monitor session 1 source interface fa0/1 - 3 rx
c3550(config)#monitor session 2 source interface fa0/3 , fa0/13 rx
c3550(config)#monitor session 1 destination interface fa0/5
c3550(config)#monitor session 2 destination interface fa0/10

Note

Source ports or VLANs can be separate or overlapping, as shown in Example 14-56, where SPAN source interface FastEthernet 0/3 appears in both sessions.


If you intend to monitor a VLAN trunk port, and wish to filter one or more of the VLANs on that trunk, you can follow Example 14-57. This example monitors only VLANs 5 and 100-200 on the trunk.

Example 14-57. VLAN Filtering with SPAN Configuration

c3550(config)# monitor session 1 source interface gigabit0/1
c3550(config)# monitor session 1 filter vlan 5 , 100 - 200
c3550(config)# monitor session 1 destination interface fa0/5

If the monitor session destination port is a trunk, you should also use the encapsulation dot1q keyword, as shown in Example 14-58. If you do not, packets are sent on the interface in native format.

Example 14-58. Configuration for Trunking on Destination SPAN Port

c3550(config)# monitor session 1 destination interface fa0/5 encapsulation dot1q 

Example 14-59 shows how to verify the configuration.

Example 14-59. Verifying the SPAN Configuration

c3550# show monitor session 1
Session 1
---------
Type       : Local Session
Source Ports:
    RX Only:       None
    TX Only:       None
    Both:          None
Source VLANs:
    RX Only:       1-3
    TX Only:       None
    Both:          None
Source RSPAN VLAN: None
Destination Ports: Fa0/5
    Encapsulation: Native
Reflector Port:    None
Filter VLANs:      None
Dest RSPAN VLAN:   None

Limitations

Following are some of the limitations of using SPAN on Catalyst 2950, 3550 and 3750:

  • Only Rx SPAN sessions can have multiple source ports. A Tx or Both session cannot have more than one source port, as shown in Example 14-60.

    Example 14-60. RX SPAN Sessions Having Multiple Source Ports

    c3550(config)# monitor session 1 source interface fa0/1 , fa0/2 tx
    % This platform allows a maximum of 1 TX monitor interface(s)
    c3550(config)# monitor session 1 source interface fa0/1 , fa0/2 both
    % This platform allows a maximum of 1 TX monitor interface(s)
    c3550(config)# monitor session 1 source interface fa0/1 , fa0/2 rx
    c3550(config)#

  • The switch cannot monitor outgoing (Tx or Both) traffic on VLANs, as shown in Example 14-61.

    Example 14-61. The Switch Cannot Monitor Outgoing Traffic on VLANs

    c3550(config)# monitor session 1 source vlan 100 tx
                                                         ^
    % Invalid input detected at '^' marker.
    c3550(config)# monitor session 1 source vlan 100 ?
      ,   Specify another range of VLANs
      -   Specify a range of VLANs
      rx  Monitor received traffic only
    c3550(config)#

  • Destination ports do not participate in the Spanning Tree or other L2 protocols such as CDP, VTP, and so on. Destination ports also do not learn addresses. VLAN changes to destination ports will not take place until you disable the destination port.
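The limitations above, together with the ingress VLAN rule from the note after Example 14-55, can be checked before a configuration is pasted into a switch. The following is an added example, not from the book: a small Python linter for the subset of the monitor session command used in Examples 14-53 to 14-61; the per-platform session limits come from the text, while the message wording and the handling of an omitted direction (treated as Both, as the show output in Example 14-62 suggests) are my own assumptions.

```python
"""Lint a proposed Catalyst 2950/3550/3750 SPAN configuration against the
limitations listed in this section.  Added example, not from the book; the
command grammar covers only the subset used in Examples 14-53 to 14-61."""
import re
from dataclasses import dataclass, field

MAX_SESSIONS = {"2950": 1, "3550": 2, "3750": 2}  # SPAN sessions per platform

SOURCE_RE = re.compile(
    r"^monitor session (\d+) source (interface|vlan) (.+?)(?: (rx|tx|both))?$")
DEST_RE = re.compile(
    r"^monitor session (\d+) destination interface (\S+)"
    r"(?: ingress vlan (\d+))?(?: encapsulation dot1q)?$")
PHYSICAL_RE = re.compile(r"^(fa|gi|fastethernet|gigabit)", re.I)

def expand_list(spec):
    """Expand 'fa0/1 - 3 , fa0/13' or '1 - 5' into individual members."""
    members = []
    for item in spec.split(","):
        item = item.strip()
        m = re.match(r"^([A-Za-z]+\d+/)?(\d+)\s*-\s*(\d+)$", item)
        if m:
            prefix, lo, hi = m.group(1) or "", int(m.group(2)), int(m.group(3))
            members.extend(f"{prefix}{n}" for n in range(lo, hi + 1))
        else:
            members.append(item)
    return members

@dataclass
class Session:
    sources: list = field(default_factory=list)  # (kind, name, direction)
    destination: str = None
    ingress_vlan: str = None

def lint_span(platform, commands, need_tcp_reset=False):
    """Return a list of findings; an empty list means the config is clean."""
    sessions, findings = {}, []
    for raw in commands:
        line = " ".join(raw.split())  # normalise spacing around '-' and ','
        if m := SOURCE_RE.match(line):
            sid, kind, spec, direction = m.groups()
            # Assumption: a source with no direction is monitored Both (Example 14-62).
            for name in expand_list(spec):
                sessions.setdefault(sid, Session()).sources.append(
                    (kind, name.lower(), direction or "both"))
        elif m := DEST_RE.match(line):
            sid, dest, ingress = m.groups()
            s = sessions.setdefault(sid, Session())
            s.destination, s.ingress_vlan = dest.lower(), ingress
        else:
            findings.append(f"unrecognised command: {line}")

    limit = MAX_SESSIONS[platform]
    if len(sessions) > limit:
        findings.append(f"{platform} supports {limit} SPAN session(s), "
                        f"{len(sessions)} configured")
    source_ports = {n for s in sessions.values()
                    for k, n, _d in s.sources if k == "interface"}

    for sid, s in sorted(sessions.items()):
        tx_sources = [n for _k, n, d in s.sources if d != "rx"]
        if len(tx_sources) > 1:  # only Rx sessions may have several sources
            findings.append(f"session {sid}: only Rx sessions may have several "
                            f"sources; {len(tx_sources)} Tx/Both sources given")
        for kind, name, d in s.sources:
            if kind == "vlan" and d != "rx":  # VLAN sources are Rx only
                findings.append(f"session {sid}: VLAN {name} can only be monitored rx")
        if s.destination is None:
            findings.append(f"session {sid}: no destination port")
            continue
        if s.destination in source_ports:
            findings.append(f"session {sid}: {s.destination} is both a source and the destination")
        if not PHYSICAL_RE.match(s.destination):
            findings.append(f"session {sid}: destination must be a physical port")
        if need_tcp_reset and s.ingress_vlan is None:
            findings.append(f"session {sid}: TCP reset needs 'ingress vlan' on {s.destination}")
        elif need_tcp_reset:  # resets leave untagged on the ingress VLAN only
            others = sorted({n for k, n, _d in s.sources if k == "vlan"}
                            - {s.ingress_vlan}, key=int)
            if others:
                findings.append(f"session {sid}: resets go out on VLAN {s.ingress_vlan} "
                                f"only; VLANs {','.join(others)} will not be reset")
    return findings
```

Running Example 14-55 through lint_span with need_tcp_reset=True reports that hosts on VLANs 2-5 will never see a reset, which is exactly the caveat the note states.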

SPAN on Catalyst 4000/6000 with Cat OS

Catalyst 4000/6000 switches running Catalyst OS can be configured to monitor Rx, Tx, and both traffic types for source ports and VLANs. Whereas Catalyst 4000 supports up to 5 SPAN sessions, Catalyst 6000 supports 2 Rx or Both, and 4 Tx sessions. Following are some of the important points to keep in mind when configuring SPAN:

  • To support RSPAN (Remote SPAN), you must run 6.3(1) or later on Catalyst 4000, and version 5.3 or later on Catalyst 6000 series switches.

  • To support IPS TCP Reset functionality, you need to enable inpkts, which is disabled by default. This requires Cat OS 5.2 or higher.

  • Enabling inpkts can cause spanning tree loops if another switch is mistakenly connected to the SPAN destination port.

  • Learning is enabled by default, but should be disabled to support TCP Reset. Otherwise, an interruption in traffic might be experienced for the server receiving the reset. Recent versions of Cisco IPS no longer have this restriction because a random MAC address is used when sending the RST. However, it is still recommended to disable learning.

Configuration Steps

To configure SPAN on the Catalyst 6000 series switch, use the following syntax:

set span {src_mod/src_ports | src_vlans | sc0} {dest_mod/dest_port} [rx | tx | both]
  [inpkts {enable | disable}] [learning {enable | disable}] [multicast {enable | disable}]
  [filter vlans...] [create]


The syntax for the SPAN on Cat4k is as follows:

set span {src_mod/src_ports | src_vlan} dest_mod/dest_port [rx | tx | both] [filter vlan]
  [inpkts {enable | disable}] [learning {enable | disable}] [create]


Use the create keyword with different destination ports to create multiple SPAN sessions. If the create keyword is not used, and a SPAN session exists with the same destination port, the existing session will be replaced. If the destination port is different, a new session will be created.

To create a simple SPAN session with source port 2/1 and destination port 4/5, use the following command:

c6500 (enable) set span 2/1 4/5 


The following command will configure SPAN for source VLAN 100 and destination 4/5.

c6500 (enable) set span 100 4/5 


If TCP reset is required on the SPAN destination port, enable inpkts with the following command:

c6500 (enable) set span 136 3/5 inpkts enable learning disable 


To filter certain VLANs, use the filter keyword as follows:

c6500 (enable) set span 3/15 4/5 filter 125,150 


The following command shows how to remove a SPAN session on the cat6000 switch.

c6500 (enable) set span disable 3/5 


SPAN on Catalyst 4000/6000 with Native IOS

Just as with Catalyst OS, Catalyst 4000/6000 switches running Native IOS can be configured to monitor Rx, Tx, and both traffic types for source ports and VLANs. Although it is possible to mix source interfaces and source VLANs in a single SPAN session, it is not possible to mix source VLANs with filter VLANs in a single SPAN session. The Layer 2 ports (configured with switchport command) and Layer 3 ports (without switchport command) can both be configured as SPAN source or destination ports.

Catalyst 4000 supports up to six SPAN sessions (a session configured with both is considered to be two sessions). Catalyst 6000 running Native IOS supports only two SPAN sessions. It supports 64 SPAN destination interfaces. With SPAN source interfaces, the Cat6k supports 1 egress and 64 ingress interfaces. Source interfaces do not need to belong to the same VLAN.

Note

Catalyst 6000 running Native IOS supports RSPAN (Remote SPAN), but Catalyst 4000 running Native IOS does not support RSPAN. However, neither switch running Native IOS supports IPS TCP Reset functionality with current versions.


Configuration Steps

The syntax for configuring Catalyst 6000 series switches is as follows:

monitor session session_number source {{single_interface | interface_list | interface_range |
  mixed_interface_list | single_vlan | vlan_list | vlan_range | mixed_vlan_list} [rx | tx | both]} |
  {remote vlan rspan_vlan_ID}}
monitor session session_number destination {single_interface | interface_list | interface_range |
  mixed_interface_list} | {remote vlan rspan_vlan_ID}}


To configure SPAN on the Catalyst 4000 series switch, use the following syntax:

[no] monitor session {session_number} {source {interface type/num} | {vlan vlan_ID}}
  [, | - | rx | tx | both]
[no] monitor session {session_number} {destination {interface type/num}}


Example 14-62 shows a simple SPAN configuration based on the source port.

Example 14-62. Sample SPAN Configuration Based on the Source Port

c4500(config)#monitor session 1 source interface fastEthernet 3/3
c4500(config)#monitor session 1 destination interface fastethernet 3/4
c4500# show monitor
Session 1
---------
Type              : Local Session
Source Ports      :
    Both          : Fa3/3
Destination Ports : Fa3/4
    Encapsulation : Native
          Ingress : Disabled
C4500#

Example 14-63 shows the configuration of SPAN based on the source VLAN.

Example 14-63. SPAN Configuration Based on the Source VLAN

c6500(config)# monitor session 1 source vlan 1 - 100 both
c6500(config)# monitor session 1 destination interface FastEthernet 3/4
c6500# show monitor
Session 1
---------
Type              : Local Session
Source VLANs      :
    Both          : 1-100
Destination Ports : Fa3/4
C6500#

Example 14-64 shows how to monitor only VLAN 100 on a trunk source port.

Example 14-64. SPAN Configurations for Filtering Based on VLAN

c6500(config)# monitor session 1 source interface GigabitEthernet 3/1
c6500(config)# monitor session 1 filter vlan 100
c6500(config)# monitor session 1 destination interface GigabitEthernet 3/2
c6500# show monitor session 1
Session 1
---------
Type              : Local Session
Source Ports      :
    Both          : Gi3/1
Destination Ports : Gi3/2
Filter VLANs      : 100
C6500#

The following command will remove a SPAN session:

c4500(config)# no monitor session 1 


Capturing IPS Traffic with Remote SPAN (RSPAN)

RSPAN has all the features of SPAN plus support for the source ports and the destination ports that are distributed across multiple switches. RSPAN therefore allows remote monitoring of multiple switches across your network.

The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches. The SPAN traffic from the sources, which cannot be in the RSPAN VLAN, is switched to the RSPAN VLAN and is forwarded to the destination ports that are configured in the RSPAN VLAN. The traffic type for the sources (ingress, egress, or both) in an RSPAN session can be different in the different source switches but is the same for all the sources in each source switch for each RSPAN session. Do not configure any ports in an RSPAN VLAN except those that are selected to carry the RSPAN traffic. Learning is disabled on the RSPAN VLAN.

Hardware Requirements

The requirements for the RSPAN supervisor engine are as follows:

  • For source switches: The Catalyst 6500 series switch with any of the following:

    - Supervisor Engine 1A and Policy Feature Card (PFC): WS-X6K-SUP1A-PFC.

    - Supervisor Engine 1A, PFC, and Multilayer Switch Feature Card (MSFC): WS-X6K-SUP1A-MSFC.

    - Supervisor Engine 1A, PFC, and MSFC2: WS-X6K-S1A-MSFC2.

    - Supervisor Engine 2 and PFC2: WS-X6K-S2-PFC2.

    - Supervisor Engine 720 with the following onboard components: Policy Feature Card 3A (PFC3A/PFC3B/PFC3BXL), Multilayer Switch Feature Card 3 (MSFC3), and integrated 720-Gbps switch fabric: WS-SUP720.

    - Supervisor Engine 32, PFC3B/PFC3BXL, and MSFC2A: WS-SUP32-GE-3B.

  • For destination or intermediate switches: Any Cisco switch supporting the RSPAN VLAN.

  • No third-party or other Cisco switches can be placed in the end-to-end path for RSPAN traffic.

Configuration Steps

Work through the following steps to configure RSPAN for capturing traffic from multiple switches and for monitoring the traffic on the switch port that you choose:

Step 1.

Select an RSPAN VLAN for the RSPAN session that does not exist in any of the switches that will participate in RSPAN. With VTP enabled in the network, you can create the RSPAN VLAN in one switch, and VTP propagates it to the other switches in the VTP domain. Use VTP pruning to get an efficient flow of RSPAN traffic, or manually delete the RSPAN VLAN from all trunks that do not need to carry the RSPAN traffic. Example 14-65 shows how to set VLAN 200 as an RSPAN VLAN and verify the configuration.

Example 14-65. Setting RSPAN VLAN for an RSPAN Session on CatOS

Console> (enable) set vlan 200 rspan
vlan 200 configuration successful
Console> (enable)
Console> (enable) show vlan
! display truncated
VLAN DynCreated  RSPAN
---- ---------- --------
1    static     disabled
200  static     enabled
Console> (enable)

Step 2.

Configure RSPAN source ports and VLANs for the RSPAN session. Example 14-66 shows how to configure RSPAN source port and VLAN.

Example 14-66. Configuring Source Port and VLAN for the RSPAN Session

Console> (enable) ! The following line shows how to specify ports 5/1 and 5/2 as the ingress source
! ports for RSPAN VLAN 200
Console> (enable) set rspan source 5/1-2 200 rx
Rspan Type      : Source
Destination     : -
Rspan Vlan      : 200
Admin Source    : Port 5/1-2
Oper Source     : None
Direction       : receive
Incoming Packets: -
Learning        : -
Multicast       : enabled
Filter          : -
Console> (enable) ! The following line shows how to specify VLAN 100 as a source VLAN for RSPAN VLAN 200.
! Selecting the optional rx keyword makes all the ports in the VLAN ingress ports.
Console> (enable) set rspan source 100 200 rx
Rspan Type      : Source
Destination     : -
Rspan Vlan      : 200
Admin Source    : VLAN 100
Oper Source     : None
Direction       : receive
Incoming Packets: -
Learning        : -
Multicast       : enabled
Filter          : -
Console> (enable)

Step 3.

Configure the RSPAN destination port on the switch you choose. Example 14-67 shows how to configure the RSPAN destination: the RSPAN VLAN is the source, and the port where the IPS sensor is connected is the RSPAN destination port.

Example 14-67. Configuring RSPAN Destination Port

Console> (enable) set rspan destination 6/1 200
Rspan Type      : Destination
Destination     : Port 6/1
Rspan Vlan      : 200
Admin Source    : -
Oper Source     : -
Direction       : -
Incoming Packets: disabled
Learning        : enabled
Multicast       : -
Filter          : -
Console> (enable)

Here RSPAN VLAN 200 is configured as the source, and port 6/1 is configured as the destination port of the RSPAN session.

Step 4.

To disable RSPAN sessions, use the following command:

set rspan disable source all 
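The RSPAN rules stated above (a dedicated RSPAN VLAN that contains no sources and no stray ports, one traffic direction per source switch per session, and the RSPAN VLAN carried only on the trunks that need it) lend themselves to a design check before Steps 1 to 4 are typed in. The following is an added example, not from the book: the switch data model and the sample topology, which mirrors Examples 14-65 to 14-67 (RSPAN VLAN 200, sources 5/1-2 and VLAN 100 on one switch, destination 6/1 on another), are constructed.

```python
"""Check an RSPAN design against the rules given in the steps above: sources
may not sit in the RSPAN VLAN, each source switch uses one direction per RSPAN
session, every participating switch has a trunk carrying the RSPAN VLAN, and
no access port is placed in it.  Added example, not from the book; the switch
model and the sample topology (after Examples 14-65 to 14-67) are constructed."""


def check_rspan(rspan_vlan, switches):
    """switches maps a switch name to a dict with (all keys optional):
         access:      {port: access_vlan}        access ports and their VLAN
         trunks:      {port: {allowed VLANs}}    trunks and what they carry
         sources:     [(port or vlan_id, dir)]   'set rspan source' entries
         destination: port                       'set rspan destination' port
    Returns a list of findings; an empty list means the design is consistent."""
    findings = []
    # Switches whose trunks carry the RSPAN VLAN (Step 1: prune it elsewhere).
    carriers = {name for name, sw in switches.items()
                if any(rspan_vlan in v for v in sw.get("trunks", {}).values())}
    for name, sw in switches.items():
        access = sw.get("access", {})
        # Only the ports selected to carry RSPAN traffic may be in the RSPAN VLAN.
        for port, vlan in access.items():
            if vlan == rspan_vlan:
                findings.append(f"{name}: access port {port} is in RSPAN VLAN {rspan_vlan}")
        directions = set()
        for src, direction in sw.get("sources", []):
            directions.add(direction)
            # A port source belongs to its access VLAN; a VLAN source is the VLAN itself.
            src_vlan = src if isinstance(src, int) else access.get(src)
            if src_vlan == rspan_vlan:
                findings.append(f"{name}: source {src} is in RSPAN VLAN {rspan_vlan}")
        # Direction may differ between switches but not within one source switch.
        if len(directions) > 1:
            findings.append(f"{name}: sources use mixed directions {sorted(directions)}")
        dest = sw.get("destination")
        if dest and any(dest == src for src, _d in sw.get("sources", [])):
            findings.append(f"{name}: destination {dest} is also a source")
        # A multi-switch session needs the RSPAN VLAN on a trunk of each participant.
        if (sw.get("sources") or dest) and len(switches) > 1 and name not in carriers:
            findings.append(f"{name}: no trunk carries RSPAN VLAN {rspan_vlan}")
    return findings


# Constructed topology following Examples 14-65 to 14-67: VLAN 200 is the RSPAN
# VLAN, ports 5/1-2 and VLAN 100 are ingress sources on one switch, and port 6/1
# on a second switch is the destination; the trunk between them carries VLAN 200.
SAMPLE = {
    "source-sw": {"access": {"5/1": 10, "5/2": 10, "5/3": 100},
                  "trunks": {"1/1": {10, 100, 200}},
                  "sources": [("5/1", "rx"), ("5/2", "rx"), (100, "rx")]},
    "dest-sw": {"access": {"6/1": 1},
                "trunks": {"1/1": {10, 100, 200}},
                "destination": "6/1"},
}
```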


Capturing IPS Traffic with VACL

VLAN ACL (VACL) specifies the traffic to be captured for a single port or VLAN. VACL Capture copies filtered packets from source VLANs to a destination port. It is supported only on the Catalyst 6000, with either CatOS or Native IOS. It offloads processing from the supervisor engine to the Policy Feature Card (PFC), which is required when using this feature. The PFC is included with the Sup1A, Sup2, and Sup720.

Here are some important facts about VACL:

  • Traffic matching the filter is copied to the Capture Ports.

  • There is no limit on number of Capture Ports.

  • The Capture Port must be in the forwarding state.

  • Capture Ports do not transmit out all traffic that is captured. They only transmit traffic in the VLAN to which the Capture Port belongs. To capture traffic belonging to multiple VLANs, the Capture Port needs to be configured as a trunk.

  • VACL can be applied to all packets, whether routed or switched, and can be configured on any VLAN.

  • All packets entering a VLAN are checked against VACL, regardless of direction.

  • VACLs can be applied to certain wide area network (WAN) interfaces (requires IOS 12.1(13)E). This is supported on Packet over SONET (POS), ATM, and serial interfaces.

  • VACLs and Catalyst 6000 switches with an IOS Firewall (CBAC) cannot be configured on the same interfaces. When CBAC is needed, consider using mls ip ids instead.

  • Be aware that VACLs apply to all traffic on a VLAN, not just traffic being captured. This can potentially interrupt traffic with a poorly written VACL.

  • TCP Resets are supported. However, if the Capture Destination port is a trunk, the resets will not function properly (TCP Reset can only occur on a single VLAN). IDS 4.0 corrects this limitation.

  • VACL Capture requires CatOS 5.3 or IOS 12.1(8a)EX.

VACL configuration on Catalyst switches running CatOS and Native IOS is discussed in Chapter 15, "Troubleshooting IDSM-2 Blade on Switch," in the sections entitled "VACL Configuration on Switch running CatOS" and "VACL Configuration on Switch running Native IOS," respectively. Hence, the same information is not repeated in this section.

Capturing IPS Traffic with RSPAN and VACL

You can use a combination of RSPAN and VACL features to capture and send the traffic to a SPAN destination across multiple switches.

For more details on RSPAN implementation with VACL, refer to the following link:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_data_sheet09186a008017b753.html

Capturing IPS Traffic with MLS IP IDS

On Catalyst 6000 switches with IOS Firewall (CBAC), VACL Capture no longer functions, and an alternate capture method is needed. Using the mls ip ids command is a good option. This uses an Access Control List (ACL) to define interesting traffic, and then the traffic is captured by applying the command mls ip ids to VLAN interfaces. When monitoring multiple VLANs or interfaces, apply the command to each interface to see both sides of traffic flow. Doing so provides capabilities similar to VACL Capture.

Refer to Chapter 15, "Troubleshooting IDSM-2 Blades on Switch," under the sections entitled "MLS IP IDS Configuration on Switch running CatOS" and "MLS IP IDS Configuration on Switch running Native IOS," for the MLS IP IDS configuration on the Catalyst switch running CatOS and Native IOS, respectively.



Cisco Network Security Troubleshooting Handbook
ISBN: 1587051893
Year: 2006
Pages: 190
Authors: Mynul Hoda
