IPS appliance and blocking devices

Unanswered Question
Sep 30th, 2009


Recently I upgraded the supervisor on my Catalyst 6509 to a SUP720-3B. This upgrade switched me from CatOS to IOS, which is a welcome change. However, I am having trouble configuring my IPS appliance (4250XL Build Version 6.0(5)E3) to use the new Supervisor as a blocking device. For now I really want to use it as an IDS device in promiscuous mode. The Vlans I want to inspect do not exist on the 6509 and they are switched to the PIX. The appliance itself is connected to the 6509. I had this configured in CatOS and it seemed to be pretty rock solid. In a nutshell, I have set up a monitor session from the source interface and pointed it to the sensing interface on the IDS. The IDS is able to log in to the 6509. Basically all I need the IDS appliance to do is write an access list to the switch blocking any device that fires signatures I have set up to block. I had this configured in CatOS but the documentation to do this with IOS seems "sketchy" at best. Can anyone please provide some real life configuration examples that may accomplish this task?

Many Thanks.

marcabal Wed, 09/30/2009 - 13:05

With Cat OS the sensor is typically configured to connect (ssh or telnet) into the switch Supervisor and create a Vlan ACL. The ACL is applied to the vlan itself, and the ACL is able to deny packets even when both machines in the connection are on the same vlan (no routing).

With Cat OS there is usually also an MSFC where the MSFC is routing between vlans/subnets.

The sensor might be configured to block with the MSFC. The sensor connects (telnet or ssh) to the MSFC (rather than the Supervisor) and creates ACLs that it applies to the router interfaces in either IN or OUT direction. With an MSFC the router interface is usually a vlan interface (though may also be a WAN port).

The ACL can NOT block packets that are only switched layer 2 between machines in the same vlan (unlike the Vlan ACLs done on the Supervisor itself). It can only block packets that get layer 3 routed through the MSFC.

When switching from Cat OS to Native IOS on the switch the Blocking configuration winds up looking more like the Blocking on an MSFC (rather than the Blocking on the Supervisor).

The sensor treats a Native IOS switch more as a Router than as a Switch.

So when you configure it in the sensor think of it, and configure it as you would a Router (instead of a switch).

You have to configure which layer 3 Router interfaces to apply the ACL, and in which direction. Typically you would apply it to a Vlan interface (the vlan interface where an actual IP is assigned for routing).

You will be able to Block packets that are layer 3 Routed from one vlan to another, but not packets that stay in the same vlan.

Native IOS itself does support both VLAN Acls, and Router Interface ACLs, BUT the sensor Only supports blocking with the Router Interface ACLs in Native IOS. It does not support blocking with the VLAN Acls in Native IOS.

So you block on the Vlan Interface, and not technically on the Vlan itself.

In your situation with a Firewall, how is the firewall connected to the switch, and how is the traffic being routed?

If the Native IOS switch is ONLY doing layer 2 switching, and is not doing any layer 3 IP Routing, then you will not be able to do any Blocking using that switch.

If the Native IOS switch itself brings packets in from External networks (either vlans connected to edge routers, or having its own WAN ports), and layer 3 IP Routes the traffic to the firewall, then you can block on this Routing interface from the External interface.

Let's say for example my edge Router to my service provider is connected off vlan 10. In my Native IOS I have vlan 10 connected to the edge router, and have vlan 11 connected to the firewall.

I have IPs on both vlan 10 and vlan 11 in order to route traffic.

I could configure my sensor to Block on vlan 11 interface in the IN direction (or with vlan 10 interface using OUT). And it would block External IPs coming into my firewall because they are "routed" through the vlan interfaces where the sensor is applying ACLs.
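The routed-versus-switched distinction in the reply above can be checked per flow. The following is an added example, not part of the original posts and not Cisco code: it models a switch with routed interfaces only on vlan 10 and vlan 11 and reports whether a packet crosses a routed interface, which is the only place the sensor's ACL can act. All addresses, routes, the Vlan120 name and the function names are constructed for illustration.

```python
import ipaddress

# Constructed topology modelled on the reply: the switch has routed VLAN
# interfaces (SVIs) only on VLAN 10 (edge router) and VLAN 11 (firewall).
SVIS = {
    "Vlan10": ipaddress.ip_interface("192.0.2.1/24"),
    "Vlan11": ipaddress.ip_interface("198.51.100.1/24"),
}
# Constructed routes on the switch: prefix -> next hop.
ROUTES = {
    ipaddress.ip_network("0.0.0.0/0"): ipaddress.ip_address("192.0.2.254"),
    ipaddress.ip_network("10.0.0.0/8"): ipaddress.ip_address("198.51.100.254"),
}

def svi_for(addr):
    """Return the SVI whose connected subnet contains addr, else None."""
    for name, iface in SVIS.items():
        if addr in iface.network:
            return name
    return None

def egress_svi(dst):
    """Connected subnet first, otherwise longest-prefix match on ROUTES."""
    direct = svi_for(dst)
    if direct:
        return direct
    matches = [net for net in ROUTES if dst in net]
    if not matches:
        return None
    return svi_for(ROUTES[max(matches, key=lambda net: net.prefixlen)])

def classify(arrival_vlan, src, dst):
    """Return (blockable, detail) for a packet entering on arrival_vlan.

    Assumes hosts on a VLAN that has an SVI use the switch as their gateway.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if arrival_vlan not in SVIS:
        return (False, "layer 2 only: no routed interface on " + arrival_vlan)
    net = SVIS[arrival_vlan].network
    if src in net and dst in net:
        return (False, "layer 2 only: both hosts are in " + arrival_vlan)
    out = egress_svi(dst)
    if out is None:
        return (False, "no route to destination")
    return (True, "routed " + arrival_vlan + " -> " + out)

if __name__ == "__main__":
    print(classify("Vlan10", "203.0.113.50", "10.1.1.5"))        # external host to inside
    print(classify("Vlan11", "198.51.100.20", "198.51.100.30"))  # same VLAN
    print(classify("Vlan120", "172.16.120.9", "203.0.113.50"))   # VLAN with no SVI
```

The third case corresponds to a vlan that is only carried through the switch to another gateway: the switch never routes that traffic, so an ACL on its routed interfaces never sees it.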

agivens02 Thu, 10/01/2009 - 05:05

Thank you for the awesome response. Apparently I will not be able to use the 6509 as a blocking device. The SUP720 does have an MSFC and I am doing plenty of routing with it. However, right now I have 9 vlans that are used on various campuses for student wifi. These vlans (or subnets if you prefer) only exist on the PIX. Since all campuses have the PIX set as the gateway of last resort, all this traffic is switched directly to the PIX, which in turn is configured to keep them off the internal network. For various reasons this traffic needs to be inspected. If I were to use the PIX as a blocking device, is it true that I would need to connect the sensing interface to the PIX? Do you feel that this is the only option? We do have a new ASA with an IPS card, but in the meantime I was hoping to make this work on a temporary basis. I greatly appreciate your time.

