07-26-2010 02:51 AM - edited 03-10-2019 05:04 AM
I have an IPS 4270 and I want to configure promiscuous mode. I configured my IPS but it is not getting any traffic from the VLAN. Please, how can I configure my IPS for promiscuous mode? What would be the configuration on my switch?
thank you and best regards
Edwin
07-26-2010 09:56 AM
Assuming you would like to gather traffic from interfaces Gi0/1 through 20 and send the traffic to your 4270 on interface Gi0/21:
monitor session 1 source interface Gi0/1 - 20 rx
monitor session 1 destination interface Gi0/21
- Bob
07-26-2010 11:24 PM
Thank you.
Do I need to configure my switch interface where the IPS is connected? I configured the switch interface where the IPS is connected with encapsulation dot1q, but still I can't get any traffic to my IPS.
thank you.
07-27-2010 06:58 AM
Hello Edwin,
The SPAN destination interface requires no configuration. The monitor session commands control VLAN tagging.
For example, to copy all traffic on Gi1/0/1 to Gi1/0/33 and maintain dot1q tags, you would implement the following configuration:
monitor session 1 source interface Gi1/0/1
monitor session 1 destination interface Gi1/0/33 encapsulation replicate
To filter out all monitored VLAN traffic except for VLAN 55, you would implement the following command:
monitor session 1 filter vlan 55
Here is a good reference for all SPAN can offer:
http://tools.cisco.com/squish/856eE
How are you confirming that traffic is not reaching your IPS?
Do you see the SPAN destination port output packet counter on your switch increasing?
Do you see the Total Packets Received counter on your IPS promiscuous interface increasing?
Thank you,
Blayne Dreier
Cisco TAC IDS Team
**Please check out our Podcast**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
07-27-2010 07:07 AM
Hello,
Thanks for the reply.
My commands on my switch are like this:
monitor session 1 source vlan 12 , 34 rx
monitor session 1 destination interface gi1/0/10 encapsulation dot1q
and I configured my IPS in the proper way, I guess.
When I issue this command on the IPS:
sh int gi3/0
there are no packets from these two VLANs: packets received 0, packets transmitted 0.
When I ping devices in VLAN 12 and check the event status in my IPS, I cannot see the ICMP even though I enabled Sig ID 2004.
thank you
Edwin
07-27-2010 07:26 AM
Hello Edwin,
Assuming the ICMP on VLAN 12 is flowing through the SPAN session switch and your switch's Gi1/0/10 is directly connected to your IPS's Gi3/0, you should see packet counters increase.
Did you clear the configuration on the destination interface?
If you'd like, you can email me a "show tech" from your switch and a "show tech" and "show conf" from your IPS. This might provide more insight into what is occurring.
Thank you,
Blayne Dreier
blayne@cisco.com
Cisco TAC IDS Team
**Please check out our Podcast**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
07-28-2010 03:18 AM
My configuration on my destination interface is (switch):
int gi1/0/10
switchport trunk encapsulation dot1q
switchport mode trunk
no shut
monitor session 1 source vlan 12 , 34 rx
monitor session 1 destination int gi1/0/10 encapsulation dot1q
On the switch, sh ip int bri shows:
interface up
line protocol down
I can see there are received packets but there are no transmitted packets on the IPS. Note that I use promiscuous mode.
07-28-2010 05:51 AM
Hello Edwin,
The up/down on the switch is normal for a monitor destination port.
To clean up the config, run the following commands under the SPAN destination interface:
no switchport mode trunk
no switchport trunk encapsulation dot1q
You mentioned that you are now seeing input traffic on your IPS. Is this correct? Can you please verify that you are seeing traffic leave the switch and arrive at the IPS by the "show int" command on each device?
If you are seeing only unidirectional traffic (ICMP replies only for example) run the following command from global configuration mode so that you will see all bidirectional traffic on VLAN 12:
monitor session 1 source vlan 12
It is normal to only see receive traffic on a promiscuous interface, assuming you are not sending TCP resets out of that same interface.
Thank you,
Blayne Dreier
Cisco TAC IDS Team
**Please check out our Podcast**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
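An added example, not from this thread or from Cisco: a small Python lint that checks a switch config excerpt for the two things Blayne's replies point at, leftover switchport settings on the SPAN destination port and a receive-only VLAN source. The config text is constructed (modelled on Edwin's), and the function names are my own.

```python
import re

# Constructed IOS config excerpt modelled on the thread's switch; not the poster's real config.
SWITCH_CONFIG = """\
interface GigabitEthernet1/0/10
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
monitor session 1 source vlan 12 , 34 rx
monitor session 1 destination interface Gi1/0/10 encapsulation dot1q
"""


def _interface_blocks(config):
    """Map each 'interface X' name to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks


def _short_name(name):
    """Normalise 'GigabitEthernet1/0/10' and 'Gi1/0/10' to 'gi1/0/10'."""
    m = re.match(r"([A-Za-z]+)(\d[\d/]*)", name)
    return (m.group(1)[:2] + m.group(2)).lower() if m else name.lower()


def lint_span(config):
    """Return a list of findings about the SPAN session feeding a promiscuous sensor."""
    findings = []
    blocks = {_short_name(k): v for k, v in _interface_blocks(config).items()}
    for line in config.splitlines():
        m = re.match(r"monitor session (\d+) source vlan (.+)", line)
        if m and m.group(2).split()[-1] in ("rx", "tx"):
            # A direction keyword on a VLAN source shows one direction only (Blayne's last reply).
            findings.append(f"session {m.group(1)}: VLAN source is {m.group(2).split()[-1]}-only; "
                            "drop the direction keyword to see both directions")
        m = re.match(r"monitor session (\d+) destination interface (\S+)", line)
        if m:
            # The destination port needs no switchport configuration; flag any that is left over.
            dest = _short_name(m.group(2))
            for cmd in (c for c in blocks.get(dest, []) if c.startswith("switchport")):
                findings.append(f"session {m.group(1)}: destination {dest} still has '{cmd}'; remove it")
    return findings
```

Running `lint_span(SWITCH_CONFIG)` reports the rx-only VLAN source and both leftover trunk commands on Gi1/0/10.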
07-28-2010 06:35 AM
Hello Blayne,
Thanks,
My IPS is working now. I cleared the configuration using:
no monitor session 1
and re-entered the monitor session 1 configuration. I just followed the instructions you provided.
thank you and best regards,
Edwin