Cisco Support Community
New Member

4235 IDS Sensor Monitoring Multiple VLANS & TCP Reset (Packet Injection)

I understand that the 4235 sensor can receive traffic SPANned from multiple VLANs that 802.1q tags have been placed on by the switches (3750's in this case).

I have two questions (given the above statement is correct).

1. Is it possible to inject traffic (e.g. reset TCP sessions) in each of the monitored VLANs (i.e. the 4235 would tag the injected packet with the correct destination VLAN for the response) or only the native/actual VLAN of the SPAN destination?

2. Is the traffic handled by the 4235 as coming from multiple virtual interfaces (e.g. for the purpose of IP spoof detection within each VLAN)?

Many thanks for even reading this far. Any input greatly appreciated.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: 4235 IDS Sensor Monitoring Multiple VLANS & TCP Reset (Packet Injection)

On your second question, no, the traffic monitored is considered as coming from a single virtual interface. The sensor reads the vlan header on encapsulated packets and includes it with the alarm as well as uses it for TCP Resets. But, you cannot apply signatures to specific VLAN traffic that the sensor is monitoring.

3 REPLIES
Cisco Employee

Re: 4235 IDS Sensor Monitoring Multiple VLANS & TCP Reset (Packet Injection)

Hi Sean,

Yes, the 4235 sensor can monitor SPAN traffic with 802.1q encapsulation.

Assuming you've configured one of the sensor's signature actions to be "reset", when the corresponding attack is seen, the sensor will send TCP Reset packets both directions (to the attacker as well as the victim).

The TCP Reset packets that the sensor sends will be encapsulated with the same vlan id that the attack was seen on.

Note that the reset packets will come from the 4235 via its eth0 interface. So, that port on the switch should be trunking all vlans in order for the switch to forward the reset packets properly.
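To make the 802.1q handling described in the accepted solution and in the reply above concrete, here is an added example (not Cisco code and not from this thread) that decodes a tagged frame the way a single-interface sensor would, pulling the VID out of the TCI so it can be attached to the alarm, and treating an untagged frame as native-VLAN traffic. The frame builder, MAC addresses and IP addresses are constructed sample data.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def parse_monitored_frame(frame: bytes) -> dict:
    """Decode one frame from the sensor's sniffing port into the fields an
    alarm would carry. vlan_id is None for an untagged frame, i.e. traffic
    on the SPAN destination port's native VLAN."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id, priority = 14, None, None
    if ethertype == ETHERTYPE_8021Q:
        # 802.1Q tag: 16-bit TCI (3-bit PCP, 1-bit DEI, 12-bit VID) followed by
        # the encapsulated EtherType; the VID is what the alarm/reset reuses
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlan_id, priority = tci & 0x0FFF, tci >> 13
        offset += 4
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    ip = frame[offset:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP:
        raise ValueError("not a TCP segment")
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {"vlan_id": vlan_id, "priority": priority, "src_ip": src_ip,
            "dst_ip": dst_ip, "src_port": src_port, "dst_port": dst_port}


def build_frame(vlan_id, src_ip, dst_ip, src_port, dst_port, priority=0) -> bytes:
    """Constructed sample input (not a real capture): minimal Ethernet/IPv4/TCP
    headers with zeroed checksums, optionally wrapped in an 802.1Q tag."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        eth += struct.pack("!HH", ETHERTYPE_8021Q, (priority << 13) | vlan_id)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                      bytes(map(int, src_ip.split("."))),
                      bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return eth + ip4 + tcp
```

Because everything arrives on one interface, the same IP pair seen in two VLANs decodes to two records that differ only in vlan_id; that is the context the sensor attaches rather than a separate per-VLAN interface.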

New Member

Re: 4235 IDS Sensor Monitoring Multiple VLANS & TCP Reset (Packet Injection)

Thank you for your quick and concise response.

I have not been able to find any tech documents that come close to summing up the caveats around the '802.1q support' you have just done for me in a few paragraphs.

Probably just one of those things you have to have tried, to know.

Thanks again.
