Foundation and Supplemental Topics


Capturing Network Traffic

Your IPS sensors can process only traffic that they receive on one of their interfaces. Inline processing mode uses pairs of sensor interfaces, whereas promiscuous mode requires only a single sensor interface. This chapter focuses on the following methods of traffic capture:

  • Capturing traffic for inline mode

  • Capturing traffic for promiscuous mode

It also provides the following detailed sections to explain how the different traffic capture methods can be applied to the Catalyst 4500 and 6500 switches:

  • Configuring Switched Port Analyzer (SPAN) for Catalyst 4500 and 6500 Traffic Capture

  • Configuring Remote Switched Port Analyzer (RSPAN) for Catalyst 4500 and 6500 Traffic Capture

  • Configuring VACLs for Catalyst 6500 Traffic Capture

  • Configuring VACLs for Traffic Capture With Cisco Catalyst 6500 IOS Firewall

  • Advanced Catalyst 6500 Traffic Capture

Capturing Traffic for Inline Mode

Running a sensor in inline mode requires using a pair of sensor interfaces to bridge the traffic between two VLANs. A basic inline configuration is shown in Figure 15-1. The interface from each router is connected to a different sensor interface. The only way traffic passes from one router to the other is if the IPS sensor allows the traffic to pass by taking traffic it receives on one of its interfaces and bridging it to the other interface.

Figure 15-1. Basic Inline Configuration


Note

To bridge traffic means to pass Ethernet traffic (in the link layer) between two interfaces that are on different VLANs.


Some common locations for deploying inline IPS include the following:

  • Between two routers

  • Between a firewall and a router

  • Between a switch and a router

  • Between a switch and a firewall

Basically, you can easily deploy inline IPS between any two physical interfaces. The configuration becomes more difficult, however, with a device such as a switch, in which the router is integrated into the switch's backplane via virtual interfaces (the router does not have physical interfaces). The same situation arises with line cards like the IDSM-2, which are also directly connected to the switch's backplane and do not have physical interfaces.

When dealing with devices (such as the Multilayer Switch Feature Card [MSFC] and IDSM-2) that are connected to your switch via virtual ports, you must artificially create a VLAN boundary at which you can deploy your inline IPS sensor.

Assume that you want to place inline IPS between the user systems on VLAN 1020 and the Internet. (See Figure 15-2.)

Figure 15-2. Basic Network Configuration


Initially, traffic goes from systems on VLAN 1020 directly to the VLAN 1020 interface, allowing the MSFC to route it to the Internet. You cannot connect the sensor's interface to the MSFC since it has only virtual ports, but you can create an artificial VLAN boundary by placing the MSFC on another VLAN (for instance, VLAN 1030) and then using the sensor to bridge traffic from VLAN 1020 to VLAN 1030. The following are the steps required to create this artificial VLAN boundary on your switch:

Step 1.

Shut down the VLAN interface for VLAN 1020.

Step 2.

Create another VLAN interface for VLAN 1030 and assign it the original MSFC IP address for VLAN 1020.

Step 3.

Enable the new VLAN 1030 interface.

Step 4.

Configure a switch port to be in VLAN 1020.

Step 5.

Configure a switch port to be in VLAN 1030.

Step 6.

Connect one sensor inline interface (of the inline interface pair) to the switch port in VLAN 1020.

Step 7.

Connect the second sensor inline interface (of the inline interface pair) to the switch port in VLAN 1030.

After you create the artificial VLAN boundary, the systems on VLAN 1020 can no longer communicate with the MSFC (since the VLAN 1020 interface is shut down). Now the systems must rely on the sensor to bridge the traffic (destined for the Internet) to VLAN 1030. Once the traffic reaches VLAN 1030, the MSFC can route the traffic to the Internet. The same situation also applies to traffic coming from the Internet to systems on VLAN 1020.
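The seven steps above as a single IOS session on a Catalyst 6500, added here as an example that is not from the book; the MSFC address 10.20.0.1/24 and the switch ports GigabitEthernet 2/1 and 2/2 are assumed values, and Steps 6 and 7 are the cabling of the sensor's inline pair to those two ports.

```cisco
! Added example (not from the book): building the artificial VLAN boundary
! between VLAN 1020 (users) and VLAN 1030 (MSFC). The address 10.20.0.1/24
! and the ports Gi2/1 and Gi2/2 are assumed values.
Cat6# configure terminal
! Step 1: shut down the original VLAN 1020 interface. The address is also
! removed, because IOS refuses an overlapping address on another SVI even
! when this one is shut down.
Cat6(config)# interface vlan 1020
Cat6(config-if)# shutdown
Cat6(config-if)# no ip address
Cat6(config-if)# exit
! Steps 2 and 3: create VLAN 1030, give its SVI the MSFC address that VLAN
! 1020 used to have, and bring it up. Users keep their default gateway.
Cat6(config)# vlan 1030
Cat6(config-vlan)# exit
Cat6(config)# interface vlan 1030
Cat6(config-if)# ip address 10.20.0.1 255.255.255.0
Cat6(config-if)# no shutdown
Cat6(config-if)# exit
! Step 4: an access port in VLAN 1020 for the sensor's first inline interface
Cat6(config)# interface gigabitethernet 2/1
Cat6(config-if)# switchport
Cat6(config-if)# switchport mode access
Cat6(config-if)# switchport access vlan 1020
Cat6(config-if)# exit
! Step 5: an access port in VLAN 1030 for the sensor's second inline interface
Cat6(config)# interface gigabitethernet 2/2
Cat6(config-if)# switchport
Cat6(config-if)# switchport mode access
Cat6(config-if)# switchport access vlan 1030
Cat6(config-if)# end
! Verification: Vlan1020 must show administratively down and Vlan1030 up with
! the address. From now on the sensor is the only path between the two VLANs,
! so if it is powered off or its bridging fails, VLAN 1020 loses its gateway.
Cat6# show ip interface brief | include Vlan10[23]0
```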

Capturing Traffic for Promiscuous Mode

At the network level, your Cisco IPS sensors are the eyes of your intrusion prevention system. But to detect intrusive activity, sensors running in promiscuous mode must be able to view the traffic that is traversing your network. Via its monitoring interface, each promiscuous sensor examines the network traffic that it sees. Unless the monitoring interface is plugged into a hub, you must configure your infrastructure devices to pass specified network traffic to your sensor's monitoring interface. Besides identifying the infrastructure devices that you can use to pass network traffic to your sensors, this section will also examine the following three mechanisms that you can use to configure Cisco switches to mirror traffic to your sensor's promiscuous interface:

  • Switched Port Analyzer (SPAN)

  • Remote Switched Port Analyzer (RSPAN)

  • VLAN Access Control List (VACL)

Traffic Capture Devices

For your sensors running in promiscuous mode to detect intrusive activity, they must be able to view the traffic that is traversing your network. Your sensor's monitoring interface is directly connected to an infrastructure device that mirrors specified network traffic to your sensor for analysis. You can use the following three link-layer network devices to pass traffic to your sensors:

  • Hubs

  • Network taps

  • Switches

Hub Traffic Flow

A hub is a very simple link-layer device. Whenever a device connected to the hub generates network packets, the hub passes that traffic to all of the other ports on the hub. Figure 15-3 shows that when Host A sends traffic to Host C, all of the other devices connected to the hub also receive a copy of the traffic. The other devices connected to the hub simply ignore the traffic that does not match their Ethernet Media Access Control (MAC) address.

Figure 15-3. Hub Traffic Flow


Note

Just as a host is identified by its IP address at the IP layer, each host also has an address, known as the Ethernet MAC address, at the link layer. This address is a 12-byte value that indicates the link-layer address that other devices on the same network segment use to send traffic to it. Your network card has a default Ethernet address assigned by the manufacturer, but most systems allow you to change the value.


If the network segment that you want to monitor with your Cisco IDS sensor uses a hub, your sensor can access the network traffic simply by connecting its monitoring interface into a port on the hub. Unlike other devices that ignore the traffic that does not match their Ethernet MAC address, your sensor puts its interface in promiscuous mode so that it accepts all packets that its network interface card receives.

Network Tap Traffic Flow

Sometimes, you may need to monitor a network segment between two infrastructure devices that are connected without an intervening switch or hub. In this situation you can use a network tap to capture the traffic traversing the segment. A network tap is a device that enables you to split a full-duplex connection into two traffic flows (each flow representing the traffic originating from one of the two devices). The separate traffic flows can then be redirected to an aggregation switch and eventually to your sensor.

Note

An aggregation switch is simply a switch that you use to combine multiple traffic flows and pass the traffic to your sensor. When aggregating flows through the switch, however, you must be careful not to exceed the capacity of your sensor. For instance, if your sensor is an IDS-4215 appliance sensor, aggregating two 100-Mbps traffic flows can overwhelm the sensor's capabilities since the sensor is not rated at 200 Mbps (the maximum capacity of the combined two flows).


Figure 15-4 shows a situation in which you want to monitor the network traffic traversing between a Cisco router and a PIX Firewall. Initially, these devices are connected to each other directly. To monitor this traffic, you can install a network tap between these devices. The network tap continues to pass the traffic between the router and the firewall, but it also sends a copy of this traffic (via the two specific flows) to your aggregation switch.

Figure 15-4. Network Tap Traffic Flow


Note

With inline functionality, you can also simply connect your sensor in line between two infrastructure devices (instead of using a network tap).


Switch Traffic Flow

The most common link-layer device on your network is probably a switch. Unlike a hub, a switch is selective as to the ports through which it passes network traffic. The switch maintains a content-addressable memory (CAM) table that maintains a mapping between Ethernet MAC addresses and the port on which that traffic was observed. When the switch receives traffic for an Ethernet MAC address that is not in its CAM table, it floods the packet out all of the ports (on the same VLAN) similar to a hub. Once the destination host replies, the CAM table is updated. Now when Host A sends traffic to Host C (see Figure 15-5), the traffic is sent only to Host C (instead of every device connected to the switch). In this scenario, your IDS sensor will not be able to monitor your network for intrusive activity since the monitoring interface on your sensor does not receive all the traffic traversing your network.

Figure 15-5. Switch Traffic Flow


To overcome this problem, you need to configure your switch to mirror specific network traffic to your IDS sensor.

Switch Capture Mechanisms

You can use the following three features to enable your Cisco switch to mirror traffic to your IDS sensor's monitoring interface:

  • SPAN

  • RSPAN

  • VACL

Note

Not all of the switch-traffic capture features are available on every Cisco switch platform, but all Cisco switches support some form of the SPAN feature.


Switched Port Analyzer

The Switched Port Analyzer (SPAN) feature enables you to select traffic for analysis by a network analyzer. People refer to SPAN ports by various names, such as "port mirroring" or "port monitoring." Regardless of the name used, the SPAN feature enables you to cause your Cisco switch to pass selected traffic to your IDS sensor's monitoring interface for analysis.

Note

A network analyzer is a device that examines network traffic and provides you with statistics or information about your network traffic. Many network analyzers identify the different types of traffic and their frequency on your network. Using these statistics, you can tune your network to optimize its performance. Your IDS sensor also analyzes the traffic on your network when watching for intrusive activity.


Note

When you use SPAN (or RSPAN) to capture traffic for a specific VLAN, there is a chance that the same traffic can be captured twice. For instance, traffic from two systems on the same VLAN will be captured twice (if you use SPAN to monitor the VLAN in both directions). This occurs because the packets are first captured coming from the originating system and then a second time when the packet goes to the target system. This can cause multiple alerts because the packets are duplicated.


Remote Switched Port Analyzer

Sometimes, you may want to capture traffic from ports that are located on multiple switches. To accomplish this, you can use the Remote Switched Port Analyzer (RSPAN) feature that is available on certain Cisco switches.

RSPAN allows you to monitor source ports spread all over your switched network. This functionality works similarly to normal SPAN functionality, except that instead of traffic being mirrored to a specific destination port, the monitored traffic is flooded to a special RSPAN VLAN. (See Figure 15-6.) The destination port(s) can be located on any switch that has access to this RSPAN VLAN.

Figure 15-6. RSPAN Traffic Flow


If you configure RSPAN to monitor traffic sent by Host A (see Figure 15-6), whenever Host A generates a packet to Host B, a copy of the packet is passed by an application-specific integrated circuit (ASIC) of the Catalyst 6000 Policy Feature Card (PFC) into the predefined RSPAN VLAN. From there, the packet is flooded to all of the ports belonging to the RSPAN VLAN. All of the interswitch links shown in Figure 15-6 are trunks. RSPAN uses these trunks to support the traversal of the RSPAN VLAN traffic. The only access points to the RSPAN-captured traffic are the defined destination ports (where you would locate your IDS sensors).

Note

The RSPAN feature is not available on all Cisco switches. Usually, RSPAN is available only on the high-end switches, such as the Catalyst 4000 and 6500. You also need to have a fairly new operating system version. Refer to the online Cisco documentation to determine whether your switch supports this feature.


VLAN Access Control Lists

A VLAN Access Control List (VACL) applies access control to all packets on your Catalyst 6500 switch through the PFC. VACLs are strictly for security packet filtering and for redirecting traffic to specific physical switch ports. Unlike IOS ACLs, VACLs are not defined by the direction of the traffic (inbound or outbound).

VACLs are mainly provided to filter traffic on the switch. The capture keyword enables you to use a VACL to mirror matched traffic to a designated capture port. This capture option specifies that packets that match the specified flows are switched normally as well as being captured and transmitted to the configured capture port. Only permitted traffic is sent to the capture port. VACLs enable you to use a fine degree of granularity when specifying which traffic you want to capture. You can use VACLs to capture traffic for both IDS Modules (IDSMs) and appliance sensors.

Note

A flow comprises a traffic stream between a source and destination IP address, a source port and destination port, or a combination of source IP address and source port in conjunction with a destination IP address and destination port. Your VACLs essentially define the flows that represent the interesting traffic on which you want your sensor to perform intrusion-detection analysis. Furthermore, your MSFC uses flows to effectively send packets between different VLANs by crossing the switch's backplane only once.


TCP Resets and Switches

One of the actions that your sensor can take in response to detecting a TCP-based attack is to reset the TCP connection. The sensor resets the TCP connection by sending out TCP packets with the RST flag set to both the source and destination of the TCP connection via its monitoring interface.

Not all switches allow a port that is configured as the SPAN destination port to receive incoming traffic. Since the sensor's monitoring interface is usually a SPAN port on a Cisco switch, this presents a problem. If the switch does not enable the SPAN destination port to receive incoming traffic, the TCP RST packets will not be accepted, thus preventing the sensor from resetting the TCP connection. Therefore, if you are using a SPAN port to capture your network traffic and plan to use the TCP reset capability, you need to verify that your switch supports the capability to receive incoming traffic on the SPAN destination port.

Note

A switch learns the Ethernet MAC addresses that it sees coming from a specific port so that the switch can direct traffic to that port in the future. To prevent the sensor's Ethernet MAC address from being learned by the switch (which could enable an attacker to identify the location of the sensor and attack it), your Cisco IDS sensor uses a randomly generated Ethernet MAC address when it creates its TCP reset packets.


Configuring SPAN for Catalyst 4500 and 6500 Traffic Capture

The SPAN functionality on Catalyst 4000 and 6500 switches provides more functionality than the SPAN functionality provided on the Catalyst 2900XL/3500XL switches. For instance, on the Catalyst 4000 and 6500 switches, you can typically configure four to six SPAN sessions, compared with one or two on the Catalyst 2900XL/3500XL switches. Plus, your destination port can be configured to accept incoming traffic (useful for TCP reset functionality).

The monitor session Command

To capture traffic by using the SPAN feature on a Catalyst 4000 or 6500 (running IOS), you need to use the monitor session command. This command enables you to specify whether you want to capture all the traffic to the monitored ports or just the received or sent traffic. The syntax for the monitor session command is as follows:

monitor session {session} {source {interface port(s)} [rx | tx | both]}
monitor session {session} {source vlan vlan_id [rx]}
monitor session {session} {destination {interface port}}

Unlike the port monitor command, the monitor session command requires you to explicitly specify the source and destination ports by using two different forms of the command. Table 15-2 describes the parameters for the monitor session global configuration command.

Table 15-2. monitor session Parameters

session
    Number of the SPAN session. The only valid value is usually 1, but some switches support more than one SPAN session.

source
    Keyword indicating that you are specifying a source port (the port to be monitored).

source vlan
    Keyword indicating that you are specifying a source VLAN (to be monitored).

destination
    Keyword indicating that you are specifying a destination port for the SPAN session.

interface
    Keyword indicating that you are specifying a port.

port(s)
    The port to be configured as either a source or destination. The port includes the interface type, module, and port, such as FastEthernet 0/10. For source ports, you can specify a comma-delimited list or a range of ports (such as "10-20").

rx
    Keyword indicating that you want to capture only the traffic received by the source port(s) (ingress traffic).

tx
    Keyword indicating that you want to capture only the traffic transmitted by the source port(s) (egress traffic).

both
    Keyword indicating that you want to capture all traffic on the source port(s).

vlan
    Keyword indicating that you are specifying a VLAN to be monitored.

vlan_id
    ID of the VLAN to be monitored. Valid IDs are in the range from 1 to 1005. You do not need to enter the leading zeros for the VLAN ID.


Using the monitor session command, you need to define both the source port(s) and the destination port, since this command is entered in the global configuration mode.

If you want to configure SPAN so that traffic transmitted and received on FastEthernet ports 3/9 and 3/12 (SPAN source ports) is mirrored on FastEthernet port 3/4 (SPAN destination), you use the following command:

Console(config)# monitor session 1 source interface fa3/9 , fa3/12 both
Console(config)# monitor session 1 destination interface fa3/4

Configuring RSPAN for Catalyst 4500 and 6500 Traffic Capture

To use the RSPAN functionality on your Catalyst 4500 and 6500 switches (running IOS), you must define a VLAN to be used for RSPAN by using the remote-span command in VLAN configuration mode. You must also perform other configuration tasks, such as defining the trunks to carry the RSPAN VLAN traffic. For information on these other configuration tasks, refer to the SPAN and RSPAN documentation available on Cisco.com.

Note

To remove an existing RSPAN association, you need to use the no remote-span command in the VLAN subconfiguration command mode for the current RSPAN VLAN.


Suppose that you want to configure VLAN 1040 as your RSPAN VLAN. The following commands make VLAN 1040 your RSPAN VLAN:

Cat6# configure terminal
Cat6(config)# vlan 1040
Cat6(config-vlan)# remote-span

Note

You will need to configure the RSPAN VLAN on each switch, along with establishing trunks between the various switches.


Configuring VACLs for Catalyst 6500 Traffic Capture

When configuring a VACL on Cisco IOS, you need to go through the following steps:

Step 1.

Configure an Access Control List (ACL).

Step 2.

Create a VLAN access map.

Step 3.

Match the ACL to the access map.

Step 4.

Define an action for the access map.

Step 5.

Apply the access map to the VLANs.

Step 6.

Configure capture ports.

You also need to configure the TCP reset port to complete the configuration. This is not part of configuring your VACL, but it is necessary to ensure that the TCP reset traffic can reach the hosts for which it is intended.

Configure an ACL

With IOS, you specify the interesting traffic that you want to monitor using an ACL. Therefore, the first step in setting up a VACL is to create your ACL. Suppose, for example, that you are using the IDSM-2 to protect a web server farm and that the subnet for the web servers is 172.12.31.0. You may create an ACL similar to the following to allow any hosts to connect to port 80 on any system on the server farm subnet:

Router(config)# access-list 110 permit tcp any 172.12.31.0 0.0.0.255 eq 80

Note

In many situations, you may be able to use ACLs that you have already constructed to restrict traffic into your network.


Create a VLAN Access Map

You begin to configure the VACL by establishing a VLAN access map by using the vlan access-map command. After creating a VLAN access map, you must match it to an ACL and define its actions by using the following two subcommands:

  • match

  • action

The vlan access-map command basically creates the access map and enables you to assign a name to it. The following command creates an access map named "my_map":

Router(config)# vlan access-map my_map 

Match ACL to Access Map

To specify which traffic the VLAN access map applies to, you need to associate the VLAN access map with an ACL on the router. You do this via the match subcommand. In our example, the ACL is 110, so the commands would be as follows:

Router(config)# vlan access-map my_map
Router(config-access-map)# match ip address 110
Router(config-access-map)#

Define Action for Access Map

Besides specifying the interesting traffic by associating an ACL to the VLAN access map, you must also specify an action to be performed on the traffic that the ACL matches. You accomplish this by using the action subcommand. For our example, the action is to forward and capture the traffic, so the commands would be as follows:

Router(config)# vlan access-map my_map
Router(config-access-map)# action forward capture
Router(config-access-map)#

Note

Although you are interested in capturing the traffic, you must also specify the forward action. Otherwise, the traffic matched by the VLAN access map will not be sent by the switch functionality to its destination, which is similar to denying the traffic with an ACL deny statement.


Apply Access Map to VLANs

Now you need to decide which VLANs on your router you are going to apply to your VLAN access map. You accomplish this with the vlan filter command. For our example, you would use the following command:

Router(config)# vlan filter my_map vlan-list 10-12,15

Configure Capture Ports

Finally, you need to configure which port on your router will receive the captured traffic. You accomplish this with the switchport capture command. For our example, the commands would be as follows:

Router(config)# interface fa 5/7
Router(config-if)# switchport capture allowed vlan 10-12,15

The allowed keyword enables you to limit the traffic sent to the capture port. Any VLANs that are not included in the allowed list will not be sent to the capture port. Using this option enables you to separate captured traffic between multiple capture ports (such as when you have multiple IDSM-2 blades in the same chassis). The VACL captures all of the interesting traffic. Then you limit which traffic is actually sent to each capture port.
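The six steps above as one Catalyst 6500 IOS session, added here as an example that is not the book's own; ACL 110, the access map my_map, VLANs 10-12 and 15 and capture port fa 5/7 are the chapter's values, and an IDSM-2 on that port is assumed. It adds the second access-map sequence a practitioner needs so that traffic other than the captured HTTP flows keeps flowing.

```cisco
! Added example (not from the book): the complete VACL capture configuration.
! ACL 110, my_map, VLANs 10-12,15 and fa 5/7 are the chapter's values; the
! IDSM-2 behind fa 5/7 is assumed.
Router# configure terminal
! Step 1: interesting traffic is any client talking to TCP/80 on the web farm
Router(config)# access-list 110 permit tcp any 172.12.31.0 0.0.0.255 eq 80
! Steps 2 to 4: sequence 10 matches ACL 110 and both forwards and captures it.
! 'forward' is mandatory; 'capture' on its own behaves like an ACL deny.
Router(config)# vlan access-map my_map 10
Router(config-access-map)# match ip address 110
Router(config-access-map)# action forward capture
Router(config-access-map)# exit
! Sequence 20 has no match clause, so it forwards everything else. Without
! it the access map ends in an implicit deny and every other IP packet on
! the filtered VLANs is dropped, which is the classic VACL outage.
Router(config)# vlan access-map my_map 20
Router(config-access-map)# action forward
Router(config-access-map)# exit
! Step 5: apply the map to the VLANs that carry the server farm traffic
Router(config)# vlan filter my_map vlan-list 10-12,15
! Step 6: the capture port, limited to the same VLANs so a second IDSM-2
! could take other VLANs on its own capture port
Router(config)# interface fastethernet 5/7
Router(config-if)# switchport
Router(config-if)# switchport capture
Router(config-if)# switchport capture allowed vlan 10-12,15
Router(config-if)# end
! Verification: both sequences must be listed and the filter must show
! VLANs 10-12 and 15 bound to my_map
Router# show vlan access-map my_map
Router# show vlan filter access-map my_map
```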

Configuring VACLs for Traffic Capture With Cisco Catalyst 6500 IOS Firewall

When using the Cisco IOS Firewall on your Multilayer Switch Feature Card (MSFC), you may be unable to directly configure VACLs to capture network traffic for your sensor. If you apply the ip inspect IOS Firewall command on a specific VLAN interface, you cannot create a VACL for that same VLAN at the switch level. These two features are mutually incompatible. To overcome this limitation, you can use the mls ip ids MSFC router command to designate which packets will be captured by your security ACL.

With normal VACLs, the VACL establishes a security ACL that actually determines which traffic is allowed through the switch. With the mls ip ids command, however, you will be defining an extended ACL (on your MSFC) to designate which traffic will be captured. A copy of any traffic that is permitted by the extended ACL will be passed to your capture port, but the extended ACL will not prevent this traffic from reaching its intended destination.

When using the mls ip ids command, you need to go through the following steps to configure a VACL:

Step 1.

Configure the extended ACL.

Step 2.

Apply the ACL to an interface or VLAN.

Step 3.

Assign the capture port.

Configure the Extended ACL

Just as in regular VACL configuration, your first step in creating an IOS Firewall VACL is to define the interesting traffic. In this situation, the interesting traffic is determined by an extended ACL that you create on your MSFC. The command to create the extended ACL is ip access-list; it places you in ACL configuration mode, where each permit or deny entry is entered on its own line. The syntax is as follows:

ip access-list extended access-list-number
  {deny | permit} protocol source_IP source_wildcard destination_IP destination_wildcard [log | log-input]

Table 15-3 describes the major parameters for the ip access-list router configuration command.

Table 15-3. ip access-list Parameters

access-list-number
    Number identifying the ACL being created. Valid values are between 100 and 199, and 2000 and 2699.

deny
    Keyword indicating that the traffic being specified should be dropped by the ACL.

permit
    Keyword indicating that the traffic should be allowed by the ACL.

protocol
    Name or number of an IP protocol that defines the traffic that you are interested in. Some common keywords are tcp, udp, icmp, and eigrp.

source_IP
    The source host or network IP address of packets that you are interested in.

source_wildcard
    A mask that indicates which bits in the source_IP address are used for comparison. Each zero bit in the mask indicates bits in the source_IP address that must exactly match the address of the packet being checked. Bits set to 1 are automatically matched.

destination_IP
    The destination host or network IP address of packets that you are interested in.

destination_wildcard
    A mask that indicates which bits in the destination_IP address are used for comparison. Each zero bit in the mask indicates bits in the destination_IP address that must exactly match the address of the packet being checked. Bits set to 1 are automatically matched.

log
    (Optional) Causes an informational logging message to be sent to the console when packets are matched to the ACL.

log-input
    (Optional) Includes the input interface and source Ethernet MAC address in logging output.


The ip access-list command is executed on your MSFC, not on your Catalyst switch console. Suppose that you want to define an ACL (150) that permits User Datagram Protocol (UDP) traffic from 10.20.30.1 to 10.30.30.1. To accomplish this, you enter the following commands on your router console:

MSFC# configure terminal
MSFC(config)# ip access-list extended 150
MSFC(config-ext-nacl)# permit udp 10.20.30.1 0.0.0.0 10.30.30.1 0.0.0.0
MSFC(config-ext-nacl)# exit
MSFC(config)#

Apply ACL to an Interface or VLAN

Next you need to apply the extended ACL to a VLAN interface on the MSFC. You use the interface vlan command to enter the configuration mode for a specific interface. Then you use the mls ip ids command to apply the extended ACL to that interface.

The syntax for the interface vlan command is as follows:

interface vlan vlan_number 

The syntax for the mls ip ids command is as follows:

mls ip ids acl_number 

To continue with our example, you would enter the following commands on your router to apply ACL 150 to VLAN 40.

MSFC# configure terminal
MSFC(config)# interface vlan 40
MSFC(config-if)# mls ip ids 150

Assign the Capture Port

Finally, you need to assign the capture port to receive the traffic that is captured (permitted) by your extended ACL. You need to use the switchport capture command to define your capture ports. This command is executed on your switch console.

Note

If your switch is running CatOS instead of IOS, you would use the set security acl command to define your capture ports. For more information on this command, refer to the Cisco documentation.


The syntax for the switchport capture command is as follows:

switchport capture 

In our ongoing example, you would need to enter the following commands on your switch console to establish port 5 on module 3 as your capture port:

Cat6# configure terminal
Cat6(config)# interface fastethernet 3/5
Cat6(config-if)# switchport capture

Note

If you want to limit the traffic to a capture port, you can use the switchport capture allowed vlan command to restrict the traffic sent to a specific capture port based on the traffic's VLAN. By dividing the traffic to the capture ports based on the traffic's VLAN, you can limit the amount of traffic being sent to the single capture port. When deploying multiple IDSM-2 modules in a single switch, you need to use the switchport capture allowed vlan command to divide your captured traffic across multiple capture ports (since each IDSM-2 can process a maximum of 600 Mbps).


Advanced Catalyst 6500 Traffic Capture

So far our examination has focused on the ways that you can use your Cisco switch to capture network traffic for analysis by your sensor. The next step involves configuring the port on the switch through which your sensor receives its captured traffic.

By default your appliance sensors are usually connected to your switch via a standard access port. Since this port is usually not configured as a trunk, your sensor will receive only traffic that belongs to the same VLAN as the VLAN assigned to the switch port.

The monitoring port on your IDSM, however, is configured as a trunk port by default and accepts all of the traffic that it receives. You might not want the IDSM's monitoring port analyzing traffic from every VLAN on the switch.

In both of these situations, you need to understand how to configure the trunking properties of the ports on your switch so that you can limit the acceptable traffic to only those VLANs that you consider interesting.

Note

The examples here use IOS command examples. For information on how to perform these operations using CatOS, refer to the Cisco documentation.


When configuring a trunk port on your switch, you will need to perform various tasks to change the port's characteristics. You use specific switch commands to change your port's properties, but you will essentially also need to perform the following high-level tasks:

Step 1.

Configure a destination port.

Step 2.

Define trunks to capture.

Step 3.

Assign switch ports to a VLAN.

Step 4.

Create a VACL.

Configure Destination Port

The first task you need to perform to configure a trunk port on your switch is to convert your destination port (the port through which your sensor's monitoring interface is connected to the switch) to a trunk port instead of to a regular access port.

Note

The monitoring port on your IDSM is configured as a trunk port by default. Therefore, this step is not necessary if you are configuring multiple VLANs for your IDSM's monitoring port.


To change the basic characteristics of a switch port so that it becomes a trunk port, use the switchport trunk IOS command. This command is executed from the interface configuration mode.

If your destination port is port 5 on module 3, you need to enter the following command on your switch to enable trunking on that port:

Cat6# configure terminal
Cat6(config)# interface fastethernet 3/5
Cat6(config-if)# switchport trunk encapsulation dot1q
Cat6(config-if)# switchport mode trunk

Define Trunks to Capture

At this point, your destination port is configured as a trunk port. Now you need to define the VLANs that you want the destination port to accept. The switchport trunk IOS command also enables you to define which VLANs an existing trunk port is allowed to process.

If your destination port is port 5 on module 3 and you want to trunk VLANs 30, 40, and 50, you need to enter the following commands on your switch to define the allowed VLANs on the destination port:

Cat6# configure terminal
Cat6(config)# interface fastethernet 3/5
Cat6(config-if)# switchport trunk allowed vlan 30,40,50

Assign Switch Ports to VLANs

Besides configuring the VLANs that your destination port will accept, you also need to know how to assign ports on your switch to various VLANs. You do this with the switchport access IOS command.

Note

Before you can use the switchport access command, you must make sure that the port is configured as a switch port by using the switchport IOS command.


Suppose that you want to place port 3 on module 2 into VLAN 10 and port 4 on module 4 into VLAN 8. The switch commands to accomplish this are displayed in Example 15-1.

Example 15-1. Configuring Switch Ports Using IOS
Cat6# configure terminal
Cat6(config)# interface fastethernet 2/3
Cat6(config-if)# switchport
Cat6(config-if)# switchport access vlan 10
Cat6(config-if)# exit
Cat6(config)# interface fastethernet 4/4
Cat6(config-if)# switchport
Cat6(config-if)# switchport access vlan 8

Create the VACL

You have now configured the characteristics of your trunk port that represents the connection to the monitoring interface on your sensor. You still need to go through the various tasks (explained earlier in this chapter) to create your VACL. Then you need to assign that VACL to the trunk port that you configured as its capture port.



CCSP IPS Exam Certification Guide
ISBN: 1587201461
Year: 2004
Pages: 119
Authors: Earl Carter
