Advanced Traffic Capture Configurations for the Catalyst 6500


By default, a sensor appliance can only analyze traffic that comes from the VLAN to which its monitoring port is assigned. You can monitor traffic from multiple VLANs if the Sensor's monitoring port is configured as a trunk port, in which case a Sensor would by default receive traffic from all VLANs. Similarly, the IDSM in its default configuration would receive traffic from all VLANs because its monitoring port is a trunk port.

To specify which VLANs should have their traffic monitored for IDS analysis, you must first remove all VLANs from the trunk port. After the trunk port is clear, add back the VLANs that will be monitored. To complete the configuration, you also need to assign the Sensor's monitoring port to the native VLAN and designate it as the destination capture port. The complete task list for the configuration follows:

  1. Configure the destination capture port as a switch trunk port.

  2. Clear all VLANs from the trunk port.

  3. To the cleared trunk port, add the VLANs that you want to monitor.

  4. Assign the Sensor's monitoring port to the VLAN of interest.

  5. Designate the Sensor's monitoring port as the destination capture port.

You can implement this configuration sequence with both the VACL and the MLS IP IDS scenarios; however, because the exam focuses on configurations using VACLs, we also focus on VACLs in our examples. Refer to previous sections for command syntax when using the MLS IP IDS method.

Configuring the Trunk Port

The following sections discuss the VACL commands for the configuration sequence listed above.

Configure the Destination Capture Port as a Switch Trunk Port

The VACL command to complete this task is the set port dot1qtunnel command.

    switch>(enable) set port dot1qtunnel 6/1 access

The complete syntax for the command is

    set port dot1qtunnel {mod_num[/port_num]} access

Clear All VLANs from the Switch's Destination Capture Port

The following command example shows the use of the clear trunk command to remove all VLANs from the trunk port, which is also the destination capture port:

    switch>(enable) clear trunk 6/1 1-1005, 1025-4094

The complete syntax for this command is

    clear trunk <mod/port> [vlans]

Table 4.16 lists and describes the command syntax for the clear trunk command.

Table 4.16. Command Syntax for the clear trunk Command

    Command Syntax    Description
    mod/port          Number of the module and the port on the module.
    vlans             (Optional) Number of the VLAN to remove from the allowed VLAN list.
                      Valid values range from 1 to 1005 and 1025 to 4094.


When configuring VLANs to be captured using VACLs, you first use the clear trunk command to remove all VLANs from the trunk port before adding back the VLANs to be monitored. Be prepared to answer exam questions regarding this information.


Assign the VLANs to Be Monitored to the Trunk Port

Once you have cleared all the VLANs from the trunk port, use the set trunk command to add the VLANs to be monitored back to the trunk port. The following example configures module/port 6/1 as the trunk port and adds VLANs 1, 2, and 3 to it for monitoring:

    switch>(enable) set trunk 6/1 1-3

The syntax for this command is

    set trunk <mod/port> [vlans]

Table 4.17 lists and describes the command syntax for the set trunk command.

Table 4.17. Command Syntax for the set trunk Command

    Command Syntax    Description
    mod/port          Number of the module and the port on the module.
    vlans             (Optional) VLANs to add to the list of allowed VLANs on the trunk port.
                      Valid values range from 1 to 1005 and 1025 to 4094.


Assign the Destination Port and the Sensor Monitoring Port to the VLAN

The next step is to use the set vlan command to set the destination port on the switch. This step also assigns the Sensor's monitoring port, to which the destination port is connected, to the VLAN of interest. The following example assigns the destination capture port 6/1 to VLAN 1000. The destination capture port is connected to the Sensor's monitoring port (which, as you recall, has no IP address assigned):

    switch>(enable) set vlan 1000 6/1

The syntax for the set vlan command is

    set vlan vlan_num mod/ports

Table 4.18 lists and describes the command syntax for the set vlan command.

Table 4.18. Command Syntax for the set vlan Command

    Command Syntax    Description
    vlan_num          Number identifying the VLAN.
    mod/ports         Number of the module and the ports on the module belonging to the VLAN.


Use the set security acl capture-ports Command to Assign the Destination Ports

Finally, use the set security acl capture-ports command to specify the destination ports that will receive the traffic captured in the set security acl ip command. The following example sets the module/port 6/1 as the destination capture port:

    switch>(enable) set security acl capture-ports 6/1

Recall that the syntax for this command is simple:

    set security acl capture-ports <mod/ports>[, <mod/ports>...]

Single Sensor, Single VLAN Scenario

We now go through some configuration examples to illustrate the concepts that we've been through in previous sections. In the example shown in Figure 4.4, only traffic from VLAN 1 is monitored and sent to the Sensor's monitoring port via the trunk port.

Figure 4.4. Traffic from VLAN 1 is sent to the switch's trunk port and monitored via the Sensor's monitoring port. Traffic from VLANs 2 and 3 is ignored.


To configure this example using VACLs, the relevant commands in the sequence are

    switch>(enable) clear trunk 0/8 2-1005, 1025-4094
    switch>(enable) set trunk 0/8 1
    switch>(enable) set vlan 1 0/8
    switch>(enable) set security acl capture-ports 0/8

Single Sensor, Multiple VLANs Scenario

Figure 4.5 shows a configuration where multiple VLANs are monitored to a single Sensor.

Figure 4.5. Multiple VLANs being monitored to a single Sensor. Traffic from VLANs 1 and 2 is captured whereas traffic from VLAN 3 is ignored.


The command sequence to complete this configuration where VLANs 1 and 2 are monitored is

    switch>(enable) clear trunk 0/8 2-1005, 1025-4094
    switch>(enable) set trunk 0/8 1-2
    switch>(enable) set vlan 1 0/8
    switch>(enable) set security acl capture-ports 0/8

Multiple Sensors, Multiple VLANs Scenario

Finally, Figure 4.6 shows a configuration where multiple VLANs are monitored to multiple sensors.

Figure 4.6. Multiple VLANs being monitored to multiple sensors. Traffic from VLAN 100 on Module 6 is monitored by Sensor A, whereas traffic from VLANs 200 and 300 on Module 7 is monitored by Sensor B.


The command sequence to complete this configuration, where VLAN 100 is monitored to Sensor A and VLANs 200 and 300 are monitored on Sensor B, is as follows:

To configure VLAN traffic from VLAN 100 to be monitored by Sensor A, use these commands:

    switch>(enable) clear trunk 6/8 2-1005, 1025-4094
    switch>(enable) set trunk 6/8 100
    switch>(enable) set vlan 100 6/8
    switch>(enable) set security acl capture-ports 6/8

To configure VLAN traffic from VLANs 200 and 300 to be monitored by Sensor B, use these commands:

    switch>(enable) clear trunk 7/8 2-1005, 1025-4094
    switch>(enable) set trunk 7/8 200, 300
    switch>(enable) set vlan 200 7/8
    switch>(enable) set security acl capture-ports 7/8
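Before pasting a capture-port sequence like the ones above into a production switch, it helps to model what the trunk will actually carry afterwards. The following is an added example (not from the book and not Cisco code): it parses the clear trunk, set trunk, set vlan and set security acl capture-ports lines from the task list and the three scenarios, applies the allowed-list semantics the tables describe (every valid VLAN allowed until cleared, set trunk adds back), and reports any mismatch against the VLANs you intended to monitor. The trunk semantics and the plain-dict port state are assumptions for the model, not verified against a CatOS image.

```python
import re
ALL_VLANS = set(range(1, 1006)) | set(range(1025, 4095))  # valid VLAN IDs per Tables 4.16/4.17

def parse_vlans(spec):
    """Expand a CatOS VLAN list such as '2-1005, 1025-4094' or '200, 300' into a set."""
    vlans = set()
    for part in filter(None, re.split(r"[,\s]+", spec.strip())):
        lo, _, hi = part.partition("-")
        rng = set(range(int(lo), int(hi or lo) + 1))
        if not rng <= ALL_VLANS:
            raise ValueError(f"VLAN range {part!r} outside 1-1005 / 1025-4094")
        vlans |= rng
    return vlans

def new_port():
    # Assumed trunk semantics: every valid VLAN is allowed until 'clear trunk' removes it;
    # 'native' is the VLAN assigned with 'set vlan'; 'capture' is set by capture-ports.
    return {"allowed": set(ALL_VLANS), "native": 1, "capture": False}

def apply(commands):
    """Apply command lines (a 'switch>(enable)' prompt is tolerated); return {mod/port: state}."""
    ports = {}
    for raw in commands:
        line = raw.split("(enable)")[-1].strip()
        if m := re.fullmatch(r"clear trunk (\S+) (.+)", line):
            ports.setdefault(m[1], new_port())["allowed"] -= parse_vlans(m[2])
        elif m := re.fullmatch(r"set trunk (\S+) (.+)", line):
            ports.setdefault(m[1], new_port())["allowed"] |= parse_vlans(m[2])
        elif m := re.fullmatch(r"set vlan (\d+) (\S+)", line):
            ports.setdefault(m[2], new_port())["native"] = int(m[1])
        elif m := re.fullmatch(r"set security acl capture-ports (.+)", line):
            for port in filter(None, re.split(r"[,\s]+", m[1])):
                ports.setdefault(port, new_port())["capture"] = True
        else:
            raise ValueError(f"unrecognised command: {line!r}")
    return ports

def check(commands, intended):
    """Compare the model with {mod/port: VLANs meant to be captured}; return a list of findings."""
    findings, ports = [], apply(commands)
    for port, want in intended.items():
        st = ports.get(port)
        if st is None or not st["capture"]:
            findings.append(f"{port}: not designated as a capture port")
            continue
        extra, missing = st["allowed"] - set(want), set(want) - st["allowed"]
        if extra:
            findings.append(f"{port}: trunk still carries VLANs not meant for capture: {sorted(extra)}")
        if missing:
            findings.append(f"{port}: intended VLANs never added to the trunk: {sorted(missing)}")
    return findings
```

Run against the Sensor A sequence with an intended set of {100}, the check reports that VLAN 1 remains on the trunk, because the clear range starts at 2; with {1, 100} it reports nothing.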



CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213
