Cisco Support Community

IDS on RSPAN port

I'm new to IDS. I'm planning an IDS installation in a topology that requires connecting an IDS sensor to an RSPAN destination port.

But my understanding is that when the RSPAN source and destination ports are configured as trunks, all the frames arriving at the IDS sensor are tagged with the same RSPAN VLAN ID.

I.e., the information about which VLAN the original frame came from is lost.

Is this info important for the IDS to work correctly?

Thanks,

Milan

8 REPLIES
Anonymous

Re: IDS on RSPAN port

Even if this is what happens, you can still point out the specific PC by its MAC address, right? This information will not be lost.

Cisco Employee

Re: IDS on RSPAN port

The Cisco IDS does not use VLAN IDs during analysis.

The VLAN IDs are only reported in the alarm and used for sending TCP Resets to the right VLAN.

So your alarms won't show the original VLAN, and you can't use TCP Resets, but the rest of the sensor will work just fine.
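As an added illustration (not configuration from this thread), here is the RSPAN plumbing the question describes, written as Cisco IOS configuration for two Catalyst 3550 switches. The VLAN numbers, session numbers and interface names are assumptions chosen for the example:

```cisco
! --- Source switch: the traffic the sensor should see lives in VLANs 10 and 20 (assumed)
vlan 900
 name RSPAN-TO-IDS
 remote-span
!
! Mirror both VLANs into the RSPAN VLAN. The 3550 needs a dedicated reflector port
! (an otherwise unused physical port) for an RSPAN source session.
monitor session 1 source vlan 10 , 20 rx
monitor session 1 destination remote vlan 900 reflector-port FastEthernet0/23
!
! The trunk towards the destination switch must carry VLAN 900
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,900
!
! --- Destination switch: same RSPAN VLAN, sensor sniffing interface on Fa0/24 (assumed)
vlan 900
 name RSPAN-TO-IDS
 remote-span
!
monitor session 1 source remote vlan 900
monitor session 1 destination interface FastEthernet0/24
```

Verify each side with `show monitor session 1`. Every frame that reaches FastEthernet0/24 is a copy that travelled in VLAN 900; whether it originated in VLAN 10 or VLAN 20 is not recoverable from the frame itself, which is why the alarm cannot report the original VLAN and why a TCP Reset sent back out this port would not land in the right VLAN.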

Re: IDS on RSPAN port

Thank you for the response. That's exactly what I expected.

But will I still be able to configure blocking on router interfaces?

There is one thing I don't understand generally:

Is it possible to configure router subinterfaces as blocking interfaces on the router? And what about Cat3550 SVIs?

If yes, how does the IDS know which SVI to block based on the suspicious packet's source/destination IP address?

Thanks,

Milan

Cisco Employee

Re: IDS on RSPAN port

But will I still be able to configure blocking on router interfaces?

- Yes, you can still configure the sensor to do blocking with ACLs on router interfaces.

There is one thing I don't understand generally:

Is it possible to configure router subinterfaces as blocking interfaces on the router?

- If the router supports applying ACLs to subinterfaces, then yes. When you configure NAC (v4.x) or managed (v3.x), realize that it will connect to the router, execute "configure terminal" and then execute "interface" followed by the name you gave it. If you give it a subinterface name that works with the "interface" configuration command, then you should be fine.

And what about Cat3550 SVIs?

- The Cat 3550 is not specifically supported at this time. You can look at the Config Guide to find the list of supported routers and switches.

With that said, I have heard that some users have gotten this to work. You can try, but realize that this will not be officially supported and you won't be able to talk with the TAC about any problems you experience. You will just need to post questions here to the Forum and see if other users can help you out if you run into problems.

If you try it, then you need to tell the sensor to manage it like an IOS router. For the interface configuration you would specify the SVIs of the 3550 just like you would specify a physical interface of a router.

If yes, how does the IDS know which SVI to block based on the suspicious packet's source/destination IP address?

- Officially NO, but unofficially it might. If you do get it to work, then you need to realize that the sensor does not try to match where the alarm was (what VLAN or IPs) to determine which interface to block on. Instead NAC or managed will block on ALL of the interfaces you tell it to. So when configuring NAC/managed you have to decide where you want the blocks applied, and the same blocks will be applied to all of the interfaces.
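To make the mechanics in the reply above concrete, here is an added illustration (not from this thread, and not copied from any sensor's real output) of the router side when the sensor is told to manage two dot1Q subinterfaces. The interface names, addresses, the offending host, the pre-block ACL name and the sensor-generated ACL naming pattern are all assumptions for the example:

```cisco
! Router side (IOS). Two dot1Q subinterfaces that the sensor is told to manage.
! Both names must be accepted verbatim by "interface <name>" in config mode,
! because that is the command the sensor's blocking process issues after
! "configure terminal".
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.20.0.1 255.255.255.0
!
! Operator-maintained pre-block ACL: entries the sensor copies in ahead of its own denies.
! Exempt the sensor and the management host so a spoofed alarm cannot lock you out.
ip access-list extended PRE-BLOCK
 permit ip host 10.99.0.5 any
 permit ip host 10.99.0.10 any
!
! What the router holds after the sensor blocks 192.0.2.77 (ACL names assumed).
! The sensor builds and binds one ACL per managed interface; the deny is identical
! on both subinterfaces even though the suspicious packet was seen in only one VLAN.
ip access-list extended IDS_FastEthernet0/0.10_in_0
 permit ip host 10.99.0.5 any
 permit ip host 10.99.0.10 any
 deny   ip host 192.0.2.77 any
 permit ip any any
!
ip access-list extended IDS_FastEthernet0/0.20_in_0
 permit ip host 10.99.0.5 any
 permit ip host 10.99.0.10 any
 deny   ip host 192.0.2.77 any
 permit ip any any
!
interface FastEthernet0/0.10
 ip access-group IDS_FastEthernet0/0.10_in_0 in
!
interface FastEthernet0/0.20
 ip access-group IDS_FastEthernet0/0.20_in_0 in
```

Check the result with `show ip access-lists` and `show ip interface FastEthernet0/0.10`. The trailing `permit ip any any` is only there because no post-block ACL is configured in the example; since the sensor-generated ACL becomes the interface's inbound access-group, any filtering you already had bound to a managed interface belongs in the pre-block or post-block ACL, not in a standalone access-group the sensor will displace.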

Re: IDS on RSPAN port

Thank you again.

I just tried to find the list of supported routers and switches you mentioned, but the only one I've found is:

- Cisco Router

- Catalyst 6000 VACL

- PIX Firewall

in http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#2076

But Cat3550 is a Cisco router, isn't it?

Regards,

Milan

Cisco Employee

Re: IDS on RSPAN port

Here is a link to the V3.1 docs:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13870_01.htm#xtocid20

I can't find the corresponding section in the 4.x docs.

Re: IDS on RSPAN port

Well, I started my IDS studies with the 4.1 manuals. I thought 3.1 was obsolete.

I'll try to configure blocking on 3550 SVIs and will see if it works.

Thanks for your help.

Milan

Cisco Employee

Re: IDS on RSPAN port

I can answer part of your questions. Any interface you can apply an extended access-list (ACL) to can be a blocking interface. When the sensor blocks, it applies the same block to ALL the devices/interfaces it is managing.
