IPS passive mode monitoring diffrent VLAN's on a single port.

dehghan · ‎12-24-2007

Hi

We have three VLAN's which are carried into a 3560. What we want is to be able to monitor these VLAN's with a single interface on a 4255 that runs as a passive device. I also want this device to be able to send tcp reset's from another interface on the same VLAN's the threats are heard from. Is this possible? Would VLAN grouping and trunking of both ports to the IPS work in this scenario?.

Thanks in advance

ovt · ‎12-28-2007

Yes it is possible, but make sure that all packets sent to the SPAN destination port are tagged. Otherwise the sensor will not be able to retrieve the VLAN number from the packet and TCP resets will not work. On this switch platform you probably need to capture packets on the 802.1Q/ISL trunk for the packets to have tag. Capturing on the access port will make the packets untagged (verify this with a sniffer though).

Also, it is not nesessary to configure Alt TCP Reset interface - the sensor can send resets to the SPAN destination port directly, if the "ingress" option is specified when you configure SPAN destination port. And you don't need VLAN groups at all.

dehghan · ‎12-29-2007

Thank you very much.

When responding with TCP resets, does the IPS respond wih tagged frames also?.

ovt · ‎01-08-2008

Yes