Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

IDS Blocking with a Switch? Possible?

Is there or will there soon be a way for a network sensor to drop, reset and or log packets using a switch like the 3500 series? This would be great it seems in stopping internal attacks. I think right now all that can happen is notification of an attack. Any words from the IDS gurus out there?

  • Other Security Subjects
1 REPLY
Cisco Employee

Re: IDS Blocking with a Switch? Possible?

Read below for blocking (aka shuns, drops), and tcp resets.

All appliance sensor support logging of the packets regardless of the device it is plugged into.

(The Catalyst 6000 module does not support tcp resets, or packet logging, but this is because of hardware constraints of the module and not an issue with the switch)

This already supported and tested on the following switches when using an IDS Appliance:

Catalyst 6000/6500 running Cat OS on the Supervisor (aka Hybrid).

- The sensor uses Vlan ACLs to block on vlans.

- Switch allows TCP Resets in on the span port (inpkts enable must be used), and on VACL Capture ports.

MSFC1 and MSFC2 for the Catalyst 6000/6500 running IOS

- The sensor uses Router ACLs to block on the Vlan interfaces.

- The Switch allows TCP Resets in on the span port (inpkts enable must be used), and on VACL Capture ports.

Catalyst 6000/6500 running IOS on the Supervisor/MSFC (aka Native IOS).

- The sensor uses Router ACLs to block on both the physical and vlan interfaces.

- I haven't tested resets with Native IOS, but I believe the switch does allow it.

Catalyst 5000 switch running Cat OS

- The sensor can manage the RSM (Router Switch Module) using Router ACLs to block on the vlan interfaces.

- TCP Resets will work on span ports (I believe inpkts enable must be used)

----------------------------

Unfortunately I am not that familiar with the 3500 series switches. But here are some of my thoughts and comments:

If the 3500 switch is running IOS and supports Router ACLs, then it is possible that the sensor may work just fine in creating Router ACLs to block on both the physical and vlan interfaces of the switch. We haven't officially tested it yet, but in most cases if the device is running IOS then the sensor can usually manage it. I've seen several users use the sensor to manage devices that weren't on our official supported list and not have any problem. Just be aware that if a problem results the TAC may not support the senor managing the 3500.

If the 3500 switch is running traditional Cat OS then it will not work at this time. Changes would have to be made to the sensor.

If you would like blocking on the 3500 series to be officially supported, then submit an enhancement request through the TAC (on line email support).

As for TCP Resets, I've heard there were some issues with TCP Resets on some of these switches. I knwo some of the switch teams are looking into it, but I don't know what the results have been. You woudl just need to try it on your specific switch, and if it is not supported then submit an enhancement request.

If anyone else has specific experience deploying IDS with a 3500 series switch then please add to this conversation.

133
Views
5
Helpful
1
Replies