Cisco Support Community
Community Member

SPAN and TCP RST

I know that a Cisco IDS can inject a TCP RST into a SPAN port in order to kill a connection.

My question is: Will this technique work only when you are SPANning switch ports, or will it also work when SPANning VLANs? I was told that this is not possible. Assume a 6000 series switch.

Regards, Jeff

Accepted Solutions
Cisco Employee

Re: SPAN and TCP RST

Some switches allow you to send TCP Resets in through the Span port and some do not. So TCP Resets through the Span port are very switch dependent, and you should read your switch's documentation. (Not all Cisco switches act the same).

IF the switch allows TCP Resets in from the Span port then the Resets should work for both Port and Vlan Span sessions with a few caveats that you can read below.

IF the switch does not allow TCP Resets in from the Span port then TCP Resets will not work regardless of the type of Span session you have.

In a Port Span Session, the port(s) being spanned have to be in the same vlan that is configured for the span destination port for the TCP Resets to get to the proper vlan and work.

If you try to Port Span ports from different vlans, then the sensor will alarm OK, but the TCP Resets will only work on attacks that are seen on the same vlan that is assigned to the span destination port.

Vlan Spans have the same limitations. If you span from a single Vlan and that vlan is assigned to the span destination port, then the TCP Resets will get to the right vlan and should work.

If you span from multiple vlans then the TCP Resets will only work on the same vlan assigned to the span destination port.
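
The two requirements in the accepted answer (the switch must accept packets arriving on the SPAN destination port, and that port must belong to the VLAN where the reset has to land) as an added CatOS configuration example for a Catalyst 6000. This is not configuration from the original thread; the module/port number 5/1 and the VLAN IDs 10, 20 and 30 are assumed for illustration, and the syntax follows the CatOS `set span` form cited in the reply below.

```text
# Added example (not from the original thread). Port 5/1 and VLANs 10/20/30
# are assumed; "#" lines are comments in CatOS configuration output.

# The sensor's sniffing interface is cabled to port 5/1. Put 5/1 in the VLAN
# being monitored: a frame the sensor injects on 5/1 is forwarded into 5/1's
# own VLAN, not into whichever VLAN the mirrored copy originally came from.
set vlan 10 5/1

# VLAN SPAN: copy both directions of VLAN 10 to 5/1, and allow frames received
# on the destination port to be forwarded (inpkts enable). With inpkts left at
# disable the sensor still sees the traffic and alarms, but its resets are
# dropped at the port and never reach either end of the connection.
set span 10 5/1 both inpkts enable

# Caveat from the accepted answer: spanning several VLANs to one destination
# only lets resets reach VLAN 10, because 5/1 is a VLAN 10 port. Sessions on
# VLANs 20 and 30 are alarmed on, but their resets are injected into VLAN 10
# and do nothing.
set span 10,20,30 5/1 both inpkts enable

# Verify the session and whether inpkts is enabled for it.
show span
```

If `show span` reports the session with inpkts disabled, or the destination port is not in the VLAN of the connection being reset, the sensor's reset packets will not affect the target connection even though the alarm fires.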

2 REPLIES
Community Member

Re: SPAN and TCP RST

Most of the documents I could find speak only about SPANning switched ports

"The TCP resets are sent from the sniffing interface of the Sensor. If there is a switch connecting the Sensor interface to the outside interface of the managed router, when you configure using the set span command in the switch"

Hence I do not think VLAN spanning is supported
