IDS load balance

rmulyadi
Level 1

We are using a Catalyst 6000 to load balance traffic from various switches into several ids sensors.

We span each switch and forward the traffic to ports with different VLANs on the Catalyst 6000 to make sure that the traffic coming in the 1st port won't be forwarded back through the 2nd port. It works fine so far (using VACL and etherchannel on the Catalyst 6000), except that we can't maintain the original VLAN information (that comes from the original switches).

So, we plan to try doing a VACL capture on each switch instead of spanning and trunking both the capture ports and the etherchannel ports on the Catalyst 6000. Our question is, how to make sure the VACL capture port on each switch is in monitoring state (like a dest span port) in order to ensure all incoming traffic is disabled. Thanks in advance!

1 Reply

marcabal
Cisco Employee

I don't think you can.

The span destination ports will by default prevent incoming traffic, but I don't think that you can configure a VACL Capture port to prevent incoming traffic.

So if you wind up capturing the same vlan from 2 switches you could wind up causing a bridge loop and flooding all 3 switches.

One possible option to consider:

If the switches being monitored are only using vlans in the 1-999 range then you could try adding 1000 or 2000 to the vlan number for the corresponding vlan in the switch used for IDS monitoring.

For example: If you are spanning vlan 10 traffic from switch A to the IDS switch. On the IDS switch bring that vlan 10 traffic into vlan 1010 (add 1000 to 10).

Then when you span vlan 10 traffic from switch B to the IDS switch, you add 2000 instead of 1000 making it vlan 2010.

So for the vlans in switch A being monitored you add 1000.

For the vlans in switch B being monitored you add 2000.

Your engineers just have to be trained to mentally subtract 1000 or 2000 when they need to know the original vlan.

Limitations:

1) This only works if only vlans 1-999 are being used on the switches being monitored, because you can't add 10000 since the highest vlan number supported is only 4096.

2) You have to assign a range of vlans to each switch being monitored. So you may be limited to only monitoring 3 other switches (vlans 1000-1999 for switch A, vlans 2000-2999 for switch B, and vlans 3000-3999 for switch C, and if you limit the vlans being monitored maybe even vlans 4000-4096 for switch D for a fourth switch)

3) To do this mapping of a vlan in the monitoring switch to a different vlan number in the IDS switch will require that the connecting ports ONLY be access ports assigned to a single vlan. You won't be able to connect the switches using trunk ports.

4) The IDS Switch will have to have been configured in its own vtp domain so it doesn't try to communicate its vlan information to the other switches being monitored.

5) It may cause vlan mismatch errors to occur on the switches. I have heard that you might be able to do things like turning off spanning tree on these ports to prevent this, but have never tried this myself.
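As an added illustration (not code from the thread or from Cisco), the offset scheme in the reply as a small mapping helper that also enforces limitations 1 and 2: the switch names, the 4094 usable-VLAN ceiling and the collision check against the IDS switch's own VLANs are assumptions.

```python
"""Map (monitored switch, original VLAN) to the IDS-switch VLAN and back.

Scheme from the reply: first monitored switch adds 1000, second adds 2000,
and so on, so the original VLAN survives as the low three digits.
"""
from typing import Dict, List, Tuple

OFFSET_STEP = 1000    # one block of 1000 VLAN IDs per monitored switch
MAX_ORIGINAL = 999    # limitation 1: only VLANs 1-999 can be remapped
MAX_VLAN = 4094       # assumption: conservative usable ceiling (reply quotes 4096)

# Assumed monitored switches, in the order that fixes their offsets.
SWITCHES: Tuple[str, ...] = ("A", "B", "C", "D")


def offset_for(switch: str, switches: Tuple[str, ...] = SWITCHES) -> int:
    """Switch A -> 1000, B -> 2000, C -> 3000, D -> 4000."""
    return (switches.index(switch) + 1) * OFFSET_STEP


def ids_vlan(switch: str, vlan: int, switches: Tuple[str, ...] = SWITCHES) -> int:
    """VLAN ID to use on the IDS switch for `vlan` seen on `switch`."""
    if not 1 <= vlan <= MAX_ORIGINAL:
        raise ValueError(f"vlan {vlan} outside remappable range 1-{MAX_ORIGINAL}")
    mapped = vlan + offset_for(switch, switches)
    if mapped > MAX_VLAN:   # limitation 2: the fourth block is only partial
        raise ValueError(f"switch {switch} vlan {vlan} maps to {mapped} > {MAX_VLAN}")
    return mapped


def original(ids_vid: int, switches: Tuple[str, ...] = SWITCHES) -> Tuple[str, int]:
    """Reverse the mapping: which monitored switch and original VLAN an IDS VLAN is."""
    block, vlan = divmod(ids_vid, OFFSET_STEP)
    if not 1 <= block <= len(switches) or vlan == 0 or ids_vid > MAX_VLAN:
        raise ValueError(f"{ids_vid} is not a remapped VLAN")
    return switches[block - 1], vlan


def plan(monitored: Dict[str, List[int]], ids_local: List[int]) -> Dict[int, Tuple[str, int]]:
    """Build the full IDS-switch VLAN table, refusing clashes with VLANs the IDS
    switch already uses for itself (assumed caveat, e.g. a management VLAN)."""
    table: Dict[int, Tuple[str, int]] = {}
    switches = tuple(monitored)
    for switch, vlans in monitored.items():
        for vlan in vlans:
            mapped = ids_vlan(switch, vlan, switches)
            if mapped in ids_local or mapped in table:
                raise ValueError(f"IDS vlan {mapped} already in use")
            table[mapped] = (switch, vlan)
    return table
```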
