Cisco Support Community

New Member

IDS Interface trunking capable?

Hi,

My customer is thinking about implementing IDS Appliance Sensors. Because they are a kind of service provider (application hosting), they have multiple VLANs. They (and I) want to know whether the "sniffing interface" of the appliances supports trunking. Any idea?

Thanks for your answers!

Stefan

1 REPLY
Cisco Employee

Re: IDS Interface trunking capable?

The IDS software supports analysis of dot1q encoded packets.

Things to be aware of:

1) The IDS-4235 and IDS-4250 appliances and the IDS Module for the Cat 6000 have been tested and verified to monitor dot1q trunk packets.

2) The IDS-4210, IDS-4220, and IDS-4230 are known to have problems analyzing large packets that have been dot1q-encapsulated. There is an engineering driver for the network interface that can be used to correct this issue. Refer to Active Update Notification #7 for more information on the engineering driver:

http://www.cisco.com/warp/customer/779/largeent/issues/security/idsnws/archive.html

3) Though the sensor can analyze the packets, it does not currently report the Vlan# on which the attack was seen. This is targeted for a future release.

4) The sensor cannot TCP Reset monitored connections when the packets are dot1q-encoded. This is an issue in the software, and is targeted to be corrected in a future release.

5) To send dot1q-encoded packets to the sensor you will have to hard-code the switch port connected to the sensor to be a dot1q trunk port for the VLANs being monitored. You will then ALSO have to use SPAN (or VACL Capture in the Cat 6000) to send copies of the packets to the sensor.

NOTE: Just configuring the trunk is NOT enough; you must also configure SPAN or VACL Capture.

6) Even though the sensor only monitors dot1q packets, it can still monitor packets that are being passed between switches over ISL trunks. The switch will read in the ISL packets from the other switch, and when it copies them to the SPAN port of the sensor it will convert them from ISL encapsulation to dot1q encapsulation. So it doesn't matter if the packets enter the switch from standard access ports, dot1q trunks, ISL trunks, or even in most cases from WAN ports.

7) The sensor appliances do not support receiving traffic from a tap made on the connection between switches. The tap results in 2 outputs. One output contains packets coming from one switch/router. The other output contains packets coming from the other switch/router. To function properly, the sensor needs to see both outputs, so it would need 2 sensing interfaces. Unfortunately the appliances only have a single sensing interface, so they cannot be used to sniff both outputs of the tap.
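The reply's points 1 through 3 say the sensor analyses dot1q-encoded packets but does not yet report the VLAN number, and that some models mishandle large tagged frames. The following Python is an added example (not Cisco's code and not part of this thread) showing what that analysis involves on the wire: it strips the 802.1Q tag, recovers the VLAN ID and priority, exposes the encapsulated EtherType and payload, and measures the 4 bytes a tag adds to a maximum-size frame. It goes slightly beyond the thread by also unwinding a stacked (QinQ, 0x88A8 outer) tag. It assumes frames arrive as raw bytes without the trailing FCS, as a capture interface normally hands them up; the sample frames are constructed, not captured.

```python
"""Parse 802.1Q-tagged Ethernet frames and recover the VLAN ID.

Added example: not Cisco's code and not part of the original thread. Assumes
frames are delivered as raw bytes without the trailing FCS. The sample
frames at the bottom are constructed for illustration, not captured traffic.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ETHERTYPE_8021Q = 0x8100    # IEEE 802.1Q customer tag (the "dot1q" in the thread)
ETHERTYPE_8021AD = 0x88A8   # IEEE 802.1ad service tag (outer tag of a QinQ frame)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
MAX_UNTAGGED_FRAME_NO_FCS = 1514   # 14-byte Ethernet header + 1500-byte payload


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    vlans: List[int] = field(default_factory=list)   # outer-to-inner VLAN IDs; [] if untagged
    priority: Optional[int] = None                    # 802.1p PCP from the outermost tag
    ethertype: int = 0                                # EtherType of the encapsulated payload
    payload: bytes = b""


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Strip any 802.1Q/802.1ad tags and return header fields plus payload."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    frame = Frame(dst_mac=_mac(raw[0:6]), src_mac=_mac(raw[6:12]))
    off = 12
    (ethertype,) = struct.unpack("!H", raw[off:off + 2])
    # A tag is 4 bytes: 2-byte TPID (0x8100/0x88A8) + 2-byte TCI (PCP:3, DEI:1, VID:12).
    # The thread's sensor handles a single dot1q tag; looping also covers QinQ.
    while ethertype in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
        if len(raw) < off + 6:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", raw[off + 2:off + 4])
        if frame.priority is None:
            frame.priority = tci >> 13
        frame.vlans.append(tci & 0x0FFF)
        off += 4
        (ethertype,) = struct.unpack("!H", raw[off:off + 2])
    frame.ethertype = ethertype
    frame.payload = raw[off + 2:]
    return frame


def vlan_of(raw: bytes) -> Optional[int]:
    """VLAN the frame was seen on (outermost tag), or None for untagged traffic.
    VID 0 is a priority-only tag and carries no VLAN membership."""
    f = parse_frame(raw)
    if not f.vlans or f.vlans[0] == 0:
        return None
    return f.vlans[0]


def tag_overhead(raw: bytes) -> int:
    """Bytes added by tags: a max-size payload becomes a 1518-byte 'baby giant'
    that an interface enforcing the untagged 1514-byte limit would reject."""
    return 4 * len(parse_frame(raw).vlans)


def build_frame(dst, src, ethertype, payload, vlans=(), priority=0) -> bytes:
    """Construct a frame with zero or more tags (outer first). Test data only."""
    out = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for i, vid in enumerate(vlans):
        tpid = ETHERTYPE_8021AD if (len(vlans) > 1 and i == 0) else ETHERTYPE_8021Q
        out += struct.pack("!HH", tpid, (priority << 13) | (vid & 0x0FFF))
    return out + struct.pack("!H", ethertype) + payload


# Constructed sample frames (not captured traffic).
DST, SRC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
IP_HDR = bytes.fromhex("45000014000100004001")  # first 10 bytes of an IPv4 header
UNTAGGED = build_frame(DST, SRC, ETHERTYPE_IPV4, IP_HDR)
TAGGED = build_frame(DST, SRC, ETHERTYPE_IPV4, IP_HDR, vlans=(100,), priority=5)
QINQ = build_frame(DST, SRC, ETHERTYPE_ARP, b"\x00" * 28, vlans=(200, 100))
BIG_TAGGED = build_frame(DST, SRC, ETHERTYPE_IPV4, b"\x00" * 1500, vlans=(10,))


if __name__ == "__main__":
    for name, raw in (("untagged", UNTAGGED), ("tagged", TAGGED),
                      ("qinq", QINQ), ("big", BIG_TAGGED)):
        f = parse_frame(raw)
        print(f"{name:8s} vlan={vlan_of(raw)} pcp={f.priority} "
              f"type=0x{f.ethertype:04x} len={len(raw)} overhead={tag_overhead(raw)}")
```

Run it as a script to see each constructed frame's VLAN, priority, inner EtherType and length. The `BIG_TAGGED` frame is 1518 bytes before the FCS, 4 bytes over the untagged maximum; that extra length is the classic edge case for a receive path sized for untagged frames, which is the kind of large-tagged-frame problem point 2 describes, though the thread itself only says a driver fix exists and does not name the mechanism.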
