Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
603
Views
0
Helpful
2
Replies

VLAN PAIR

Go to solution
Diego Armando Cambronero Arias
Level 3
Level 3

‎06-23-2010 07:38 AM - edited ‎03-10-2019 05:02 AM

Guys I have a little and stupid question.

Is there any problem with TCP when using VLAN Pairs. Does the IPS reset the connections? Problem is that I'm doing a PAIR for example from vlan 50 do VLAN 51 when the trafic is originated from vlan 50 it will inspect the traffic and sent it to VLAN 51 let say that was a SYN packet.

I have my switch configured to route the traffic originated from vlan 50 so the IPS can watch it. But I do not have a route map configured for the returned traffic from VLAN 51.. So the IPS will never see the SYN ACK comming.

Is that a problem?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Scott Fringer
Cisco Employee
Cisco Employee

‎06-23-2010 09:21 AM

For inline VLAN pairing, if the sensor will not be seeing the full TCP stream, this can be an issue for the sensor as it may determine this is traffic attempting to evade the IDS and in turn deny the traffic.  This can in turn cause the sensor to deny the traffic.

You can instruct the sensor to operate in an asymmetric processing mode which will relax the TCP normalizer as outlined here:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_virtual_sensors.html#wp1038004

Scott

View solution in original post

0 Helpful

Go to solution
rhermes
Level 7
Level 7

‎06-23-2010 10:36 AM

What is connecting the devices on VLAN 50 to the devices on VLAN 51 in your network?

If the only Layer 2 path between these two VLANs is through your in-line IPS sensor, then the sensor will see all inter-VLAN traffic.

The sensor has some signatures set to drop and some to issue a reset, but you can change those default responses if you desire.

- Bob

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Scott Fringer
Cisco Employee
Cisco Employee

‎06-23-2010 09:21 AM

For inline VLAN pairing, if the sensor will not be seeing the full TCP stream, this can be an issue for the sensor as it may determine this is traffic attempting to evade the IDS and in turn deny the traffic.  This can in turn cause the sensor to deny the traffic.

You can instruct the sensor to operate in an asymmetric processing mode which will relax the TCP normalizer as outlined here:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_virtual_sensors.html#wp1038004

Scott

0 Helpful

Go to solution
rhermes
Level 7
Level 7

‎06-23-2010 10:36 AM

What is connecting the devices on VLAN 50 to the devices on VLAN 51 in your network?

If the only Layer 2 path between these two VLANs is through your in-line IPS sensor, then the sensor will see all inter-VLAN traffic.

The sensor has some signatures set to drop and some to issue a reset, but you can change those default responses if you desire.

- Bob

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card