IDSM missing traffic on trunk interface

Unanswered Question
Jan 16th, 2008

I have a scenario where an IDSM with IPS 6 is triggering on traffic from a non-trunk interface but not when the same traffic passes over another VLAN on a trunk.

Monitor setup is like this:

monitor session 10 source interface Gi1/2
monitor session 10 source interface Gi7/1
monitor session 10 filter vlan 22 - 23 , 208
monitor session 10 destination intrusion-detection-module 5 data-port 1

where 1/2 is the non-trunk interface and 7/1 is the trunk. Traffic from VLAN 23 is firewalled/NATed and sent out on VLAN 208 towards our edge network.

The exact case is that when I browse an external web site with SQL code in the HTML I get an SQL Injection alert from VLAN 208 only. I never get the alert for the same traffic passing behind the firewall over the trunk. When I set a sniffer as source for the SPAN session I see the HTTP request with the SQL code passing through the trunk interface as well as VLAN 208.

Am I missing something here? Shouldn't an IPS report ALL occurrences of bad traffic?


Fredrik Hofgren

Anonymous (not verified) Tue, 01/22/2008 - 11:52

With some earlier IOS versions the IDSM doesn't recognize packets that are VLAN encapsulated. Since a trunk port encapsulates the packet with VLAN information, it is not recognized. I suggest upgrading the code to the latest one [at least min of 3. code].

hoffa2000 Wed, 01/23/2008 - 00:27

What has to be upgraded, the Catalyst IOS or the software on the IDSM? Our Catalyst has IOS 12.2(18)SXF5 and the IDSM the latest version 6.0(3)E1.

It seems odd that it would be a problem with missing VLAN tags. When I set the IDSM to manually capture traffic from an IP in the inside VLAN passing over the trunk the VLAN tag is present when I view the packets in Ethereal.
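The thread turns on what a SPAN copy of trunk traffic looks like to the sensor: frames from the trunk (Gi7/1) carry an 802.1Q tag, frames from the access port (Gi1/2) do not, and the session's VLAN filter (22-23, 208) decides which copies reach the IDSM data port. The following Python is an added example, not code from the thread or from Cisco: it builds constructed sample frames, parses the Ethernet header with and without the 802.1Q tag, shows the four-byte tag-strip step that a parser which cannot handle tagged frames would need before inspecting the payload (an assumption about the reply's explanation, not a description of the IDSM), and checks each frame against the question's filter VLAN set. The MAC addresses, VLAN 100, and the HTTP payload standing in for the IP packet are all constructed values.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # 802.1Q tag protocol identifier (TPID)
ETHERTYPE_IPV4 = 0x0800

# VLANs admitted by the question's "monitor session 10 filter vlan 22 - 23 , 208"
SPAN_FILTER_VLANS = frozenset(range(22, 24)) | frozenset({208})


def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Build an Ethernet II frame, inserting one 802.1Q tag when vlan_id is given."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vlan_id is not None:
        if not 0 <= vlan_id <= 0x0FFF:
            raise ValueError("VLAN id must fit in 12 bits")
        tci = ((priority & 0x7) << 13) | vlan_id  # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Parse the Ethernet header; vlan_id is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan_id, priority = 14, None, None
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority, vlan_id, offset = tci >> 13, tci & 0x0FFF, 18
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "vlan_id": vlan_id, "priority": priority,
        "ethertype": ethertype, "payload": frame[offset:],
    }


def strip_vlan_tag(frame):
    """Return the frame with a single 802.1Q tag removed (unchanged if untagged).

    Assumption for illustration: a sensor whose parser only understands plain
    Ethernet II would have to do this before its engines see the payload.
    """
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_8021Q:
        return frame[:12] + frame[16:]  # drop TPID + TCI, keep real ethertype
    return frame


def in_span_filter(parsed, access_vlan=None, filter_vlans=SPAN_FILTER_VLANS):
    """Would this frame pass the SPAN VLAN filter?

    A tagged frame names its VLAN. An untagged frame from an access port belongs
    to that port's access VLAN, which the frame itself does not carry, so the
    caller supplies it; with neither available the answer is unknown (None).
    """
    vlan = parsed["vlan_id"] if parsed["vlan_id"] is not None else access_vlan
    if vlan is None:
        return None
    return vlan in filter_vlans


# Constructed sample frames (not captured from the poster's network)
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"  # stand-in for the IP packet
TAGGED_VLAN23 = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vlan_id=23)   # trunk copy
TAGGED_VLAN100 = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vlan_id=100)  # outside filter
UNTAGGED = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD)                     # access-port copy


if __name__ == "__main__":
    for name, frame in (("tagged vlan 23", TAGGED_VLAN23),
                        ("tagged vlan 100", TAGGED_VLAN100),
                        ("untagged", UNTAGGED)):
        p = parse_frame(frame)
        print(f"{name:16} vlan={p['vlan_id']} ethertype={p['ethertype']:#06x} "
              f"spanned={in_span_filter(p, access_vlan=22)} "
              f"stripped_len={len(strip_vlan_tag(frame))}")
```

Running it shows that the trunk copy and the access-port copy carry identical payloads and differ only by the four tag bytes, which is the point behind checking a capture in Ethereal as the poster did: if the tag is visible there, the sensor's data port is receiving it, and whether the inspection engine handles it is a separate question from the SPAN configuration.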



This Discussion