Foundation Summary


Your IPS sensors can process only traffic that they receive on one of their interfaces. There are two methods for traffic capture:

  • Capturing traffic for inline mode

  • Capturing traffic for promiscuous mode

Some common locations for deploying inline IPS include the following:

  • Between two routers

  • Between a firewall and a router

  • Between a switch and a router

  • Between a switch and a firewall

In promiscuous mode, you can use the following infrastructure devices to capture network traffic:

  • Hubs

  • Network taps

  • Switches

When using switches, you can use the following three mechanisms to configure Cisco switches to mirror traffic to your sensor's promiscuous interface:

  • Switched Port Analyzer (SPAN)

  • Remote Switched Port Analyzer (RSPAN)

  • VLAN Access Control List (VACL)

To capture traffic by using the SPAN feature on a Catalyst 4000 or 6500 (running IOS), you need to use the monitor session command.
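The following is an added example of a local SPAN session on a Catalyst 6500 running native IOS; it is not configuration from the book. The session number, VLAN number and interface names are assumed values: VLAN 10 is the monitored VLAN and GigabitEthernet1/2 is the port attached to the sensor's promiscuous interface.

```cisco
! Added example (not from the book). Session number, VLAN and interface
! names are assumed; adjust them to the switch in question.
!
! Copy both directions of all traffic on VLAN 10 to the port where the
! sensor's promiscuous interface is connected.
monitor session 1 source vlan 10 both
monitor session 1 destination interface GigabitEthernet1/2
!
! Alternative source: mirror a single uplink instead of a whole VLAN.
! monitor session 1 source interface GigabitEthernet1/1 both
!
! Confirm the session is active before relying on the sensor's view:
! show monitor session 1
```

A SPAN destination port receives only mirrored traffic, and mirroring both directions of a busy full-duplex link (or a whole VLAN) onto a single port of the same speed can oversubscribe it; packets the switch drops there never reach the sensor, so a quiet sensor is not proof of quiet traffic.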

When configuring a VACL on Cisco IOS, you need to go through the following tasks:

Step 1. Configure an ACL.

Step 2. Create a VLAN access map.

Step 3. Match the Access Control List (ACL) to the access map.

Step 4. Define the action for the access map.

Step 5. Apply the access map to VLANs.

Step 6. Configure capture ports.
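The six steps above carried through on a Catalyst 6500 running native IOS, as an added example rather than configuration from the book. The ACL name (IPS-HTTP), access-map name (IPS-CAPTURE), VLAN numbers and the capture interface (GigabitEthernet1/2) are assumed values.

```cisco
! Added example (not from the book). ACL and access-map names, VLANs and
! interface names are assumed.
!
! Step 1: ACL selecting the traffic to copy (here, HTTP in both directions).
ip access-list extended IPS-HTTP
 permit tcp any any eq www
 permit tcp any eq www any
!
! Steps 2-4: create the access map, match the ACL, and forward the matching
! packets while copying them to the capture port.
vlan access-map IPS-CAPTURE 10
 match ip address IPS-HTTP
 action forward capture
! A VLAN access map ends with an implicit drop; a final sequence with a
! plain forward action keeps all non-matching traffic flowing normally.
vlan access-map IPS-CAPTURE 20
 action forward
!
! Step 5: apply the map to the VLANs whose traffic should be inspected.
vlan filter IPS-CAPTURE vlan-list 10,20
!
! Step 6: the port facing the sensor's promiscuous interface becomes a
! capture port. Restricting the allowed VLAN list keeps it from receiving
! copies from every other VLAN that also uses the capture action.
interface GigabitEthernet1/2
 switchport
 switchport capture
 switchport capture allowed vlan 10,20
```

Check the result with show vlan access-map and show vlan filter; the most common mistake is omitting the trailing forward sequence, which silently drops every packet the ACL does not match rather than merely failing to copy it.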

When using the IOS Firewall (mls ip ids command), you need to go through the following steps to configure a VACL:

Step 1. Create the extended ACL.

Step 2. Apply the ACL to an interface or VLAN.

Step 3. Assign the capture port.
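The three-step mls ip ids procedure as an added example for a Catalyst 6500 whose MSFC runs the Cisco IOS Firewall (ip inspect), the situation in which VACL capture is not available on that interface; this is not configuration from the book. The ACL name (IPS-ALL), VLAN interface and capture port are assumed values.

```cisco
! Added example (not from the book). ACL name, VLAN and interface names
! are assumed.
!
! Step 1: extended ACL selecting the traffic to copy to the sensor.
ip access-list extended IPS-ALL
 permit ip any any
!
! Step 2: apply the ACL to the routed VLAN interface (a physical routed
! interface works the same way).
interface Vlan10
 mls ip ids IPS-ALL
!
! Step 3: assign the capture port facing the sensor's promiscuous interface.
interface GigabitEthernet1/2
 switchport
 switchport capture
 switchport capture allowed vlan 10
```

Unlike a VACL, mls ip ids only copies matching packets; it does not filter them, so a permit ip any any here widens what the sensor sees without changing what the switch forwards.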



CCSP IPS Exam Certification Guide
ISBN: 1587201461
Year: 2004
Pages: 119
Authors: Earl Carter