Cisco Support Community

New Member

IDSM missing traffic on trunk interface

Hi

I have a scenario where an IDSM with IPS 6 is triggering on traffic from a non-trunk interface but not when the same traffic passes over another VLAN on a trunk.

Monitor setup is like this

monitor session 10 source interface Gi1/2

monitor session 10 source interface Gi7/1

monitor session 10 filter vlan 22 - 23 , 208

monitor session 10 destination intrusion-detection-module 5 data-port 1

where 1/2 is the non-trunk interface and 7/1 is the trunk. Traffic from VLAN 23 is firewalled/NATed and sent out on VLAN 208 towards our edge network.

The exact case is that when I browse an external web site with SQL code in the HTML I get an SQL Injection alert from VLAN 208 only. I never get the alert for the same traffic passing behind the firewall over the trunk. When I set a sniffer as source for the SPAN session I see the HTTP request with the SQL code passing through the trunk interface as well as VLAN 208.

Am I missing something here? Shouldn't an IPS report ALL occurrences of bad traffic?

Regards

Fredrik Hofgren
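The check Fredrik did by eye in Ethereal, written out as an added example (not code from the thread or from Cisco): parse the 802.1Q tag of frames the SPAN session delivers to the sensor's data port, count frames per VLAN, and report which VLANs from the session's `filter vlan` list never showed up. The frames here are constructed sample data, not a real capture.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that marks an 802.1Q-tagged frame

def parse_vlan_filter(spec):
    """Expand an IOS-style VLAN list such as '22 - 23 , 208' into a set of IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans

def frame_vlan(frame):
    """Return the 802.1Q VLAN ID of a raw Ethernet frame, or None if it is untagged."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])  # bytes after dst/src MAC
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF  # low 12 bits of the TCI are the VID

def vlan_coverage(frames, filter_spec):
    """Count frames per VLAN (or 'untagged') and list filtered VLANs never seen."""
    wanted = parse_vlan_filter(filter_spec)
    seen = {}
    for f in frames:
        vid = frame_vlan(f)
        key = vid if vid is not None else "untagged"
        seen[key] = seen.get(key, 0) + 1
    missing = sorted(v for v in wanted if v not in seen)
    return seen, missing

def make_frame(vid=None):
    """Build a constructed Ethernet frame, 802.1Q-tagged with `vid` when given (sample data)."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # TCI with PCP=0, DEI=0
    payload = b"GET /index.html HTTP/1.1\r\n"  # constructed, stands in for an IP packet
    return (hdr + struct.pack("!H", 0x0800) + payload).ljust(64, b"\x00")

if __name__ == "__main__":
    sample = [make_frame(208), make_frame(208), make_frame(None), make_frame(23)]
    print(vlan_coverage(sample, "22 - 23 , 208"))
```

Feeding it the frames from a capture on the sensor's data port shows whether tagged frames for the trunk VLANs are actually arriving, separating a SPAN/filter problem from a sensor inspection problem.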

2 REPLIES
Anonymous
N/A

Re: IDSM missing traffic on trunk interface

With some earlier IOS versions the IDSM doesn't recognize a packet that is VLAN encapsulated. Since a trunk port encapsulates the packet with VLAN information, it is not recognized. I suggest upgrading the code to the latest one [at least a minimum of 3. code].

New Member

Re: IDSM missing traffic on trunk interface

What has to be upgraded, the Catalyst IOS or the software on the IDSM? Our Catalyst has IOS 12.2(18)SXF5 and the IDSM the latest version 6.0(3)E1.

It seems odd that it would be a problem with missing VLAN tags. When I set the IDSM to manually capture traffic from an IP in the inside VLAN passing over the trunk the VLAN tag is present when I view the packets in Ethereal.

/Fredrik
