CAPTURING NETWORK TRAFFIC FOR IDS

  1. Three methods are used to capture network traffic for an IDS sensor:

    • SPAN: Switches can be configured to mirror source ports or virtual local area network (VLAN) traffic to destination SPAN ports. The destination SPAN port can then be monitored by an IDS sensor.

    • RSPAN: Remote SPAN is the same as SPAN, except that it allows multiple remote switches to pass their mirrored traffic to an RSPAN port.

    • VACLs: VLAN ACLs allow you to configure ACLs on a multilayer switch to designate which traffic to capture for the sensor.

  2. TCP reset: A packet sent from the sensor's sensing port to terminate an attacking session.

  3. The 4250XL appliance has port 1 dedicated to TCP resets, with the monitoring ports on the XL card.

  4. SPAN configurations:

    • The 2900XL and 3500XL series switches use the port monitor commands.

    • The 2950 and 3550 use the monitor session commands.

    • The inpkts enable keywords allow the 4000, 4500, and 6500 switches to receive a TCP reset packet from the sensor on the destination SPAN port.

  5. Use the clear security acl command to remove one or all access control entries (ACEs) from a VACL.

  6. Use the ip access-list command to create an access list when using the mls ip ids command on a Catalyst 6500 (MSFC) running Cisco IOS Firewall.

  7. Use the ip access-list extended command to create an access list for a Catalyst Operating System (OS) 6500 with IOS Firewall running on an MSFC.

  8. Use the vlan access-map command from global configuration mode to create a VLAN access map for a Catalyst IOS 6500 switch.

  9. Use the clear trunk and set trunk commands to capture VLAN traffic for the IDS Module 2 (IDSM2).

  10. Use the set span command (at the switch (enable)> prompt) to configure a destination SPAN port on a Catalyst 4000 switch.
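The following configuration fragments are an added example, not part of the Exam Cram text, showing the three capture methods from item 1 applied with the commands named in items 4, 8, and 10. Interface numbers, VLAN 10, and the names IDS_CAPTURE and IDS_MAP are assumed values; the prompts are shown to indicate the mode each command is entered in.

```text
! --- Catalyst 2950/3550 (Cisco IOS): SPAN with "monitor session" (item 4) ---
! Mirror both directions of the server-facing port Fa0/1 to the sensor port Fa0/24.
Switch(config)# monitor session 1 source interface fastethernet0/1 both
! "ingress vlan" (where the IOS release supports it) lets the sensor's TCP resets
! enter the switch on the destination port; VLAN 10 is an assumed value.
Switch(config)# monitor session 1 destination interface fastethernet0/24 ingress vlan 10
Switch# show monitor session 1

! --- Catalyst 4000/4500/6500 (CatOS): "set span" with inpkts enable (items 4, 10) ---
! Mirror all of VLAN 10 to port 3/1; "inpkts enable" accepts the sensor's resets
! inbound on the destination SPAN port.
Console> (enable) set span 10 3/1 both inpkts enable
Console> (enable) show span

! --- Catalyst 6500 (Cisco IOS): VACL capture (items 1, 8) ---
! Only traffic matching IDS_CAPTURE is copied to the capture port; all traffic is
! still forwarded normally.
Switch(config)# ip access-list extended IDS_CAPTURE
Switch(config-ext-nacl)# permit tcp any any eq 80
Switch(config-ext-nacl)# permit tcp any any eq 25
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map IDS_MAP 10
Switch(config-access-map)# match ip address IDS_CAPTURE
Switch(config-access-map)# action forward capture
Switch(config-access-map)# exit
! Clause 20 has no match statement, so it matches everything else and forwards it.
! Without it, the access map's implicit drop would discard all non-captured traffic.
Switch(config)# vlan access-map IDS_MAP 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter IDS_MAP vlan-list 10
! Designate the sensor-facing port as a capture port for VLAN 10.
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# switchport
Switch(config-if)# switchport capture allowed vlan 10
Switch(config-if)# switchport capture
Switch(config-if)# end
Switch# show vlan access-map IDS_MAP
```

Verify after each change with the show commands above: a SPAN destination with no inbound option, or a VACL with no catch-all forward clause, are the two configurations most likely to break either the sensor's TCP resets or production traffic.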

CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213