IPS passive mode monitoring different VLANs on a single port.
We have three VLANs which are carried into a 3560. What we want is to be able to monitor these VLANs with a single interface on a 4255 that runs as a passive device. I also want this device to be able to send TCP resets from another interface on the same VLANs the threats are heard from. Is this possible? Would VLAN grouping and trunking of both ports to the IPS work in this scenario?
Re: IPS passive mode monitoring different VLANs on a single port
Yes it is possible, but make sure that all packets sent to the SPAN destination port are tagged. Otherwise the sensor will not be able to retrieve the VLAN number from the packet and TCP resets will not work. On this switch platform you probably need to capture packets on the 802.1Q/ISL trunk for the packets to have tags. Capturing on the access port will make the packets untagged (verify this with a sniffer though).
Also, it is not necessary to configure an Alt TCP Reset interface - the sensor can send resets to the SPAN destination port directly, if the "ingress" option is specified when you configure the SPAN destination port. And you don't need VLAN groups at all.
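The configuration the reply describes, written out as an added example for a 3560 (this is not configuration posted in the thread). Interface names, VLAN numbers and the session number are assumptions: the three VLANs are taken to be 10, 20 and 30 arriving on trunk GigabitEthernet0/1, the sensor's sniffing interface is assumed to hang off GigabitEthernet0/24, and session 1 is an arbitrary choice.

```cisco
! Added example, not from the original thread.
! Assumed: VLANs 10/20/30 enter the 3560 on trunk Gi0/1; the 4255
! sensing interface is cabled to Gi0/24; SPAN session number 1 is arbitrary.

! Source: mirror the 802.1Q trunk in both directions, so every mirrored
! frame already carries its VLAN tag (capturing an access port would not).
monitor session 1 source interface GigabitEthernet0/1 both

! Destination: the port facing the sensor.
!  - "encapsulation replicate" keeps the source encapsulation, so the
!    802.1Q tag reaches the IPS and it can learn the VLAN of each packet.
!  - "ingress dot1q vlan 10" lets the switch accept frames sent by the
!    sensor on this port (the TCP resets), treating them as tagged; any
!    untagged frame from the sensor is placed in VLAN 10 (assumed choice).
monitor session 1 destination interface GigabitEthernet0/24 encapsulation replicate ingress dot1q vlan 10

! Check that the session shows the trunk as source and ingress enabled.
show monitor session 1
```

With this in place the sensor needs no Alt TCP Reset interface and no VLAN groups: resets leave the same sensing interface, tagged with the VLAN the offending flow was seen in. As the reply suggests, confirm with a sniffer on the IPS side that the mirrored frames actually arrive with their 802.1Q tags before relying on resets.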