
VLAN PAIR

Guys, I have a little and stupid question.

Is there any problem with TCP when using VLAN pairs? Does the IPS reset the connections? The problem is that I'm doing a PAIR, for example, from VLAN 50 to VLAN 51. When the traffic is originated from VLAN 50 it will inspect the traffic and send it to VLAN 51; let's say that was a SYN packet.

I have my switch configured to route the traffic originated from VLAN 50 so the IPS can watch it. But I do not have a route map configured for the returned traffic from VLAN 51, so the IPS will never see the SYN ACK coming.

Is that a problem?

Accepted Solutions
Cisco Employee

Re: VLAN PAIR

For inline VLAN pairing, if the sensor will not be seeing the full TCP stream, this can be an issue for the sensor as it may determine this is traffic attempting to evade the IDS and in turn deny the traffic.

You can instruct the sensor to operate in an asymmetric processing mode which will relax the TCP normalizer as outlined here:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_virtual_sensors.html#wp1038004

Scott
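To show why one-directional visibility trips the normalizer, here is a small added Python model of a strict versus relaxed (asymmetric) TCP state tracker, run over a constructed packet sequence like the one in the question. It is not Cisco's code and only sketches the idea; the sensor's real normalizer is far more involved.

```python
"""Simplified model of an inline IPS TCP normalizer that sees only one
direction of a flow (constructed example, not the sensor's real logic)."""

# Constructed sample: only the VLAN 50 -> VLAN 51 direction is steered
# through the sensor; the SYN-ACK from VLAN 51 returns via a path the
# sensor never observes.
ONE_WAY_FLOW = [
    ("10.50.0.10", "10.51.0.20", "SYN"),
    ("10.50.0.10", "10.51.0.20", "ACK"),    # third step of the handshake
    ("10.50.0.10", "10.51.0.20", "DATA"),
]

# The same flow when both directions pass through the sensor.
TWO_WAY_FLOW = [
    ("10.50.0.10", "10.51.0.20", "SYN"),
    ("10.51.0.20", "10.50.0.10", "SYN-ACK"),
    ("10.50.0.10", "10.51.0.20", "ACK"),
    ("10.50.0.10", "10.51.0.20", "DATA"),
]


def inspect_flow(packets, mode="strict"):
    """Return a per-packet verdict list of 'pass' or 'deny'.

    strict:     any non-SYN segment is denied until the sensor has seen both
                the SYN and the SYN-ACK, because a stream whose handshake was
                never observed looks like an attempt to evade inspection.
    asymmetric: the handshake requirement is relaxed, so segments on a flow
                whose SYN-ACK was never seen are still inspected and passed.
    """
    # Track handshake state per connection, keyed by the unordered endpoint pair
    # so that both directions of a flow map to the same entry.
    flows = {}
    verdicts = []
    for src, dst, flags in packets:
        key = frozenset((src, dst))
        state = flows.setdefault(key, {"syn": False, "synack": False})
        if flags == "SYN":
            state["syn"] = True
        elif flags == "SYN-ACK":
            state["synack"] = True
        established = state["syn"] and state["synack"]
        if mode == "strict" and flags != "SYN" and not established:
            verdicts.append("deny")
        else:
            verdicts.append("pass")
    return verdicts
```

With the one-way flow, strict mode denies everything after the SYN, while asymmetric mode passes it; the two-way flow passes in either mode.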

Gold

Re: VLAN PAIR

What is connecting the devices on VLAN 50 to the devices on VLAN 51 in your network?

If the only Layer 2 path between these two VLANs is through your in-line IPS sensor, then the sensor will see all inter-VLAN traffic.

The sensor has some signatures set to drop and some to issue a reset, but you can change those default responses if you desire.

- Bob
