HOW TO CONFIGURE IPS 4270 FOR PROMISCUOUS MODE

Answered Question
Jul 26th, 2010
User Badges:

I have an IPS 4270 and I want to configure promiscuous mode. I configured my IPS but it is not getting any traffic from the VLAN. Please, how can I configure my IPS for promiscuous mode? What would be the configuration on my switch?


thank you and best regards


Edwin

Correct Answer
rhermes Mon, 07/26/2010 - 09:56
User Badges:
  • Gold, 750 points or more

Assuming you would like to gather traffic from interfaces Gi0/1 thru 20 and send the traffic to your 4270 on interface Gi0/21


monitor session 1 source interface Gi0/1 - 20 rx

monitor session 1 destination interface Gi0/21


- Bob

ericohermoso Mon, 07/26/2010 - 23:24
User Badges:

Thank you.


Do I need to configure my switch interface where the IPS is connected? I configured the switch interface where the IPS is connected as encapsulation dot1q, but still I can't get any traffic to my IPS.


thank you.

Correct Answer
Christopher Dreier Tue, 07/27/2010 - 06:58
User Badges:
  • Silver, 250 points or more

Hello Edwin,


The SPAN destination interface requires no configuration. The monitor session commands control VLAN tagging.


For example, to copy all traffic on Gi1/0/1 to Gi1/0/33 and maintain dot1q tags, you would implement the following configuration:


monitor session 1 source interface Gi1/0/1
monitor session 1 destination interface Gi1/0/33 encapsulation replicate


To filter out all monitored VLAN traffic except for VLAN 55, you would implement the following command:


monitor session 1 filter vlan 55


Here is a good reference for all SPAN can offer:

http://tools.cisco.com/squish/856eE


How are you confirming that traffic is not reaching your IPS?

Do you see the SPAN destination port output packet counter on your switch increasing?

Do you see the Total Packets Received counter on your IPS promiscuous interface increasing?


Thank you,
Blayne Dreier
Cisco TAC IDS Team


**Please check out our Podcast**

TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

ericohermoso Tue, 07/27/2010 - 07:07
User Badges:

Hello,



thanks for the reply.


My command in my switch like this :


monitor session 1 source vlan 12 , 34 rx

monitor session 1 destination interface gi1/0/10 encapsulation dot1q


and I configured my IPS in proper way I guess.


When I issue this command in the IPS:


sh int gi3/0


There is no packet from these two VLANs: packets received 0, packets transmitted 0.

When I ping devices in VLAN 12 and check the event status in my IPS, I cannot see the ICMP even though I enabled Sig ID 2004.



thank you


Edwin

Christopher Dreier Tue, 07/27/2010 - 07:26
User Badges:
  • Silver, 250 points or more

Hello Edwin,


Assuming the ICMP on VLAN 12 is flowing through the SPAN session switch and your switch's Gi1/0/10 is directly connected to your IPS's Gi3/0, you should see packet counters increase.


Did you clear the configuration on the destination interface?


If you'd like, you can email me a "show tech" from your switch and a "show tech" and "show conf" from your IPS. This might provide more insight into what is occurring.


Thank you,
Blayne Dreier

[email protected]
Cisco TAC IDS Team


**Please check out our Podcast**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

ericohermoso Wed, 07/28/2010 - 03:18
User Badges:

My configuration on my destination interface is (switch):


int gi1/0/10

switchport trunk encapsulation dot1q

switchport mode trunk

no shut


monitor session 1 source vlan 12 , 34 rx

monitor session 1 destination int gi1/0/10 encapsulation dot1q


On the switch:


sh ip int bri :


interface up


line protocol down



I can see there are received packets but there are no transmitted packets on the IPS. Note I use promiscuous mode.

Correct Answer
Christopher Dreier Wed, 07/28/2010 - 05:51
User Badges:
  • Silver, 250 points or more

Hello Edwin,


The up/down on the switch is normal for a monitor destination port.


To clean up the config, run the following commands under the SPAN destination interface:


no switchport mode trunk
no switchport trunk encapsulation dot1q


You mentioned that you are now seeing input traffic on your IPS. Is this correct? Can you please verify that you are seeing traffic leave the switch and arrive at the IPS by the "show int" command on each device?


If you are seeing only unidirectional traffic (ICMP replies only for example) run the following command from global configuration mode so that you will see all bidirectional traffic on VLAN 12:


monitor session 1 source vlan 12


It is normal to only see receive traffic on a promiscuous interface, assuming you are not sending TCP resets out of that same interface.


Thank you,
Blayne Dreier
Cisco TAC IDS Team


**Please check out our Podcast**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
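The advice in this thread boils down to three checks on the switch side: the SPAN destination port should carry no trunk configuration, an rx-only source shows only one direction of each conversation, and VLAN tags reach the sensor only when the destination is configured with encapsulation replicate. The script below is an added example (not Cisco's, not the TAC team's, and not from this thread) that reads an IOS-style running configuration and reports those three conditions per monitor session. The sample configuration, interface names and session numbers are constructed for the example; session 1 mirrors Edwin's original setup and session 2 the cleaned-up form.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample (not from a real switch): session 1 reproduces the thread's
# problem config (trunk commands on the SPAN destination, rx-only VLAN sources),
# session 2 follows the TAC advice. Names and session numbers are assumptions.
SAMPLE_CONFIG = """
interface GigabitEthernet1/0/10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown
!
interface GigabitEthernet1/0/33
!
monitor session 1 source vlan 12 , 34 rx
monitor session 1 destination interface gi1/0/10 encapsulation dot1q
monitor session 2 source interface Gi1/0/1
monitor session 2 destination interface Gi1/0/33 encapsulation replicate
monitor session 2 filter vlan 55
"""

SRC_RE = re.compile(r"monitor session (\d+) source (interface|vlan) (.+?)(?:\s+(rx|tx|both))?\s*$")
DST_RE = re.compile(r"monitor session (\d+) destination interface (\S+)(?:\s+encapsulation (dot1q|replicate))?")
FLT_RE = re.compile(r"monitor session (\d+) filter vlan (.+?)\s*$")


def norm_if(name: str) -> str:
    """Normalise 'GigabitEthernet1/0/10' and 'Gi1/0/10' to 'gi1/0/10' so interface
    blocks and monitor session lines can be matched up."""
    m = re.match(r"([A-Za-z]+)(\S+)", name)
    return (m.group(1)[:2].lower() + m.group(2)) if m else name.lower()


@dataclass
class Session:
    number: int
    sources: List[Tuple[str, str, str]] = field(default_factory=list)  # (kind, spec, direction)
    destination: Optional[str] = None
    encapsulation: Optional[str] = None  # None (untagged), "dot1q" or "replicate"
    filter_vlans: Optional[str] = None


def parse_config(text: str) -> Tuple[Dict[str, List[str]], Dict[int, Session]]:
    """Collect per-interface commands and per-session SPAN settings."""
    interfaces: Dict[str, List[str]] = {}
    sessions: Dict[int, Session] = {}
    current: Optional[str] = None  # interface block currently being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.strip() == "!":  # '!' closes an interface block
            current = None
            continue
        if line.startswith("interface "):
            current = norm_if(line.split(None, 1)[1])
            interfaces.setdefault(current, [])
            continue
        if line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
            continue
        current = None  # any other top-level command ends the block
        m = SRC_RE.match(line)
        if m:
            s = sessions.setdefault(int(m.group(1)), Session(int(m.group(1))))
            s.sources.append((m.group(2), m.group(3).strip(), m.group(4) or "both"))
            continue
        m = DST_RE.match(line)
        if m:
            s = sessions.setdefault(int(m.group(1)), Session(int(m.group(1))))
            s.destination = norm_if(m.group(2))
            s.encapsulation = m.group(3)
            continue
        m = FLT_RE.match(line)
        if m:
            s = sessions.setdefault(int(m.group(1)), Session(int(m.group(1))))
            s.filter_vlans = m.group(2)
    return interfaces, sessions


def check_sessions(interfaces: Dict[str, List[str]], sessions: Dict[int, Session]) -> List[str]:
    """Apply the three checks from the thread; each finding names its session."""
    findings: List[str] = []
    for n, s in sorted(sessions.items()):
        tag = f"session {n}:"
        if not s.sources:
            findings.append(f"{tag} no source configured")
        if s.destination is None:
            findings.append(f"{tag} no destination interface configured")
            continue
        # The SPAN destination needs no switchport config; trunk commands should go.
        for cmd in interfaces.get(s.destination, []):
            if cmd.startswith(("switchport mode trunk", "switchport trunk encapsulation")):
                findings.append(f"{tag} destination {s.destination} has '{cmd}'; run 'no {cmd}'")
        # An rx-only or tx-only source mirrors one direction of each conversation.
        for kind, spec, direction in s.sources:
            if direction in ("rx", "tx"):
                findings.append(f"{tag} source {kind} {spec} is {direction} only; "
                                "drop the direction keyword to mirror both directions")
        # With no encapsulation keyword the destination sends untagged frames.
        if s.encapsulation is None:
            findings.append(f"{tag} destination {s.destination} strips VLAN tags; "
                            "add 'encapsulation replicate' to keep dot1q tags")
    return findings


def lint(text: str) -> List[str]:
    """Parse a configuration and return the list of findings."""
    return check_sessions(*parse_config(text))


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, it reports only session 1: the two trunk commands to remove from Gi1/0/10 and the rx-only source. The parser is deliberately narrow (it understands only the monitor session forms that appear in this thread), so treat any line it does not recognise as unchecked rather than clean.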

ericohermoso Wed, 07/28/2010 - 06:35
User Badges:

Hello Blayne,


Thanks,


My IPS is working now. I cleared the configuration using:


no monitor session 1

and re-entered the monitor session 1 configuration. I just followed the instructions you provided.




thank you and best regards,


Edwin
