Cisco Support Community

New Member

IPS passive mode monitoring different VLANs on a single port

Hi

We have three VLANs which are carried into a 3560. What we want is to be able to monitor these VLANs with a single interface on a 4255 that runs as a passive device. I also want this device to be able to send TCP resets from another interface on the same VLANs the threats are heard from. Is this possible? Would VLAN grouping and trunking of both ports to the IPS work in this scenario?

Thanks in advance

3 REPLIES
ovt (Bronze)

Re: IPS passive mode monitoring different VLANs on a single port

Yes, it is possible, but make sure that all packets sent to the SPAN destination port are tagged. Otherwise the sensor will not be able to retrieve the VLAN number from the packet and TCP resets will not work. On this switch platform you probably need to capture packets on the 802.1Q/ISL trunk for the packets to have tags. Capturing on the access port will make the packets untagged (verify this with a sniffer, though).

Also, it is not necessary to configure an Alt TCP Reset interface: the sensor can send resets to the SPAN destination port directly, if the "ingress" option is specified when you configure the SPAN destination port. And you don't need VLAN groups at all.
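For readers who want to see what the setup described in this reply looks like on the switch, here is an added example configuration for a Catalyst 3560. It is not from the thread or from Cisco's documentation: the interface numbers and the VLAN IDs 10, 20 and 30 are made up, and the exact SPAN keywords (`encapsulation replicate`, `ingress dot1q vlan`) should be checked against the IOS release running on your switch, since the accepted syntax differs between releases.

```ios
! Added example, not from the thread. Interface numbers and VLAN IDs are
! constructed; verify the SPAN keywords against your 3560's IOS release.
!
! Gi0/1 is the 802.1Q trunk that carries the three VLANs into the switch.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
! Gi0/10 connects to the sensing interface of the IPS 4255.
! The SPAN source is the trunk, not the access ports, so the copied frames
! keep their 802.1Q tags and the sensor can read the VLAN number.
! 'encapsulation replicate' forwards the copies with the tag they arrived
! with. 'ingress' lets the switch accept frames transmitted by the sensor
! into this port, which is what carries the TCP resets back into the
! network without a separate Alt TCP Reset interface; a tagged reset is
! forwarded into the VLAN in its tag, and 'dot1q vlan 10' only sets the
! VLAN for any untagged frame the sensor might send.
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/10 encapsulation replicate ingress dot1q vlan 10
!
! Check the result: the destination entry should report replicate
! encapsulation and ingress enabled. Then confirm with a sniffer on the
! sensor side that the mirrored frames actually arrive tagged.
! show monitor session 1
```

If the trunk is the only source, a single session covers all three VLANs; mirroring the individual access ports instead would deliver untagged copies, which is exactly the case the reply warns about.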

New Member

Re: IPS passive mode monitoring different VLANs on a single port

Thank you very much.

When responding with TCP resets, does the IPS respond with tagged frames also?

ovt (Bronze)

Re: IPS passive mode monitoring different VLANs on a single port

Yes
