By default, a sensor appliance can only analyze traffic that comes from the VLAN to which its monitoring port is assigned. You can monitor traffic from multiple VLANs if the Sensor's monitoring port is configured as a trunk port, in which case a Sensor would by default receive traffic from all VLANs. Similarly, the IDSM in its default configuration would receive traffic from all VLANs because its monitoring port is a trunk port.
So to specify which VLANs should have their traffic monitored for IDS analysis, you must first remove all VLANs from the trunk port. After the trunk port is clear, go back and add the VLANs that will be monitored. To complete the configuration, you also need to assign the Sensor's monitoring port to the native VLAN and designate it as the destination capture port. The complete task list for the configuration follows:
Configure the destination capture port as a switch trunk port.
Clear all VLANs from the trunk port.
To the cleared trunk port, add the VLANs that you want to monitor.
Assign the Sensor's monitoring port to the VLAN of interest.
Designate the Sensor's monitoring port as the destination capture port.
You can implement this configuration sequence with both the VACL and the MLS IP IDS scenarios; however, because the exam focuses on configurations using VACLs, we also focus on VACLs in our examples. Refer to previous sections for command syntax when using the MLS IP IDS method.
The following sections discuss the VACL commands for the configuration sequence listed above.
The VACL command to complete this task is the set port dot1qtunnel command.
switch>(enable) set port dot1qtunnel 6/1 access
The complete syntax for the command is
set port dot1qtunnel {mod_num[/port_num]} access
The following command example shows the use of the clear trunk command to remove all VLANs from the trunk port, which is also the destination capture port:
switch>(enable) clear trunk 6/1 1-1005, 1025-4094
The complete syntax for this command is
clear trunk <mod/port> [vlans]
Table 4.16 lists and describes the command syntax for the clear trunk command.
Command Syntax | Description |
---|---|
mod/port | Number of the module and the port on the module. |
vlans | (Optional) Number of the VLAN to remove from the allowed VLAN list. Valid values range from 1 to 1005 and 1025 to 4094. |
When configuring VLANs to be captured using VACLs, you first use the clear trunk command to remove all VLANs from the trunk port before adding back the VLANs to be monitored. Be prepared to answer exam questions regarding this information.
Once you clear all the VLANs from the trunk port, you can use the set trunk command to go back and configure the trunk ports and to add the VLANs. This example of that command's use configures module/port 6/1 as the trunk port and adds VLANs 1, 2, and 3 to the trunk port for monitoring:
switch>(enable) set trunk 6/1 1-3
The syntax for this command is
set trunk <mod/port> [vlans]
Table 4.17 lists and describes the command syntax for the set trunk command.
Command Syntax | Description |
---|---|
mod/port | Number of the module and the port on the module. |
vlans | (Optional) VLANs to add to the list of allowed VLANs on the trunk port. Valid values range from 1 to 1005 and 1025 to 4094. |
The next step is to use the set vlan command to set the destination port on the switch. This step also assigns the Sensor's monitoring port, to which the destination port is connected, to the VLAN of interest. The following example assigns the destination capture port 6/1 to VLAN 1000. The destination capture port is connected to the Sensor's monitoring port (which, as you recall, has no IP address assigned):
switch>(enable) set vlan 1000 6/1
The syntax for the set vlan command is
set vlan vlan_num mod/ports
Table 4.18 lists and describes the command syntax for the set vlan command.
Command Syntax | Description |
---|---|
vlan_num | Number identifying the VLAN |
mod/ports | Number of the module and ports on the module belonging to the VLAN |
Finally, use the set security acl capture-ports command to specify the destination ports that will receive the traffic captured in the set security acl ip command. The following example sets the module/port 6/1 as the destination capture port:
switch>(enable) set security acl capture-ports 6/1
Recall that the syntax for this command is simple:
set security acl capture-ports <mod/ports>[,<mod/ports>...]
We now go through some configuration examples to illustrate the concepts that we've been through in previous sections. In the example shown in Figure 4.4, only traffic from VLAN 1 is monitored and sent to the Sensor's monitoring port via the trunk port.
To configure this example using VACLs, the relevant commands in the sequence are
switch>(enable) clear trunk 0/8 2-1005, 1025-4094
switch>(enable) set trunk 0/8 1
switch>(enable) set vlan 1 0/8
switch>(enable) set security acl capture-ports 0/8
Figure 4.5 shows a configuration where multiple VLANs are monitored to a single Sensor.
The command sequence to complete this configuration where VLANs 1 and 2 are monitored is
switch>(enable) clear trunk 0/8 2-1005, 1025-4094
switch>(enable) set trunk 0/8 1-2
switch>(enable) set vlan 1 0/8
switch>(enable) set security acl capture-ports 0/8
Finally, Figure 4.6 shows a configuration where multiple VLANs are monitored to multiple sensors.
The command sequence to complete this configuration, where VLAN 100 is monitored to Sensor A and VLANs 200 and 300 are monitored on Sensor B, is as follows:
To configure VLAN traffic from VLAN 100 to be monitored by Sensor A, use these commands:
switch>(enable) clear trunk 6/8 2-1005, 1025-4094
switch>(enable) set trunk 6/8 100
switch>(enable) set vlan 100 6/8
switch>(enable) set security acl capture-ports 6/8
To configure VLAN traffic from VLANs 200 and 300 to be monitored by Sensor B, use these commands:
switch>(enable) clear trunk 7/8 2-1005, 1025-4094
switch>(enable) set trunk 7/8 200, 300
switch>(enable) set vlan 200 7/8
switch>(enable) set security acl capture-ports 7/8
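As an added example (not from the book or Cisco), the following Python models the trunk's allowed-VLAN list that clear trunk and set trunk edit. It builds the four-command capture sequence for a given port and, in the other direction, replays a pasted sequence to show which VLANs the trunk still carries, which is a quick way to check that a sequence such as the Figure 4.6 one leaves only the VLANs you intended (the generator clears every VLAN except the monitored ones, which is stricter than the 2-1005 clears above that leave VLAN 1 on the trunk). Function names are my own.

```python
import re

# Trunk VLAN ids CatOS accepts; 1006-1024 are reserved and never appear in the lists
VALID = set(range(1, 1006)) | set(range(1025, 4095))

def parse_vlans(text):
    """Expand a CatOS VLAN list such as '1-3, 100, 1025-4094' into a set of ids."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not {lo, hi} <= VALID or (lo <= 1005 and hi >= 1025):
            raise ValueError(f"VLAN list {part!r} is outside 1-1005 / 1025-4094")
        vlans.update(range(lo, hi + 1))
    return vlans

def format_vlans(vlans):
    """Collapse a set of ids back into the 'a-b, c-d' form the switch accepts."""
    ids, out, i = sorted(vlans), [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        out.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ", ".join(out)

def capture_sequence(port, monitored, native_vlan):
    """Build the clear trunk / set trunk / set vlan / capture-ports sequence for one
    Sensor port, clearing every VLAN that is not going to be monitored."""
    monitored = parse_vlans(monitored)
    return [
        f"clear trunk {port} {format_vlans(VALID - monitored)}",
        f"set trunk {port} {format_vlans(monitored)}",
        f"set vlan {native_vlan} {port}",
        f"set security acl capture-ports {port}",
    ]

def allowed_after(commands):
    """Replay clear/set trunk lines (with or without the 'switch>(enable)' prompt) to
    find which VLANs the trunk still carries; a fresh trunk allows every valid VLAN."""
    allowed = set(VALID)
    for cmd in commands:
        m = re.match(r"(?:switch>\s*\(enable\)\s*)?(clear|set) trunk \S+ (.+)$", cmd.strip())
        if m:  # set vlan and capture-ports lines do not change the allowed list
            vlans = parse_vlans(m.group(2))
            allowed = allowed - vlans if m.group(1) == "clear" else allowed | vlans
    return allowed
```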