|[ LiB ]|
Three methods used to capture network traffic:
SPAN Switches can be configured to mirror source ports or virtual local area network (VLAN) traffic to destination SPAN ports. This port can then be monitored by an IDS sensor.
RSPAN Remote SPAN is the same as SPAN except it allows multiple remote switches to pass their mirrored traffic to an RSPAN port.
VACLs VLAN ACLs allow you to configure ACLs on a multilayer switch to designate which traffic to capture for the sensor.
TCP reset Packet sent from the sensor's sensing port to terminate an attacking session.
The 4250XL appliance has port 1 dedicated to TCP resets, with the monitoring ports on the XL card.
The 2900XL and 3500XL series switches use the port monitor commands.
The 2950 and 3550 use the monitor session commands.
The inpkts enable keywords allow the 4000, 4500, and 6500 switches to receive a TCP reset packet from the sensor on the destination SPAN port.
Use the clear security acl command to remove one or all access control entries (ACEs) from a VACL.
Use the ip access-list command to create an access list when using the mls ip ids command on a Catalyst 6500 (MSFC) running Cisco IOS Firewall.
Use the ip access-list extended command to create an access list for a Catalyst Operating System (OS) 6500 with IOS Firewall running on an MSFC.
Use the vlan access-map command from global config to create a VLAN access map for a Catalyst IOS 6500 switch.
Use the clear trunk and set trunk commands to capture VLAN traffic for the IDS Module 2 (IDSM2).
Use the switch(enable)>set span command to configure a destination SPAN port on a Catalyst 4000 switch.
|[ LiB ]|