Re: Switch for multiple VLANs, multiple switches, with TCP Reset
A couple of issues to be aware of:
1) The IDS-4235/50 are able to monitor multiple vlans when connected through a dot1q trunk to the switch. But they are not able to do TCP Resets on all vlans of the trunk port. TCP Resets currently only work on the Native Vlan of the trunk port. This is a software limitation. We hope to remedy it in a future version.
2) Connecting 2 switches with a span port over a dot1q trunk port can be tricky. I am not sure if this is officially supported. The supported method would be to use RSPAN, in which case the switches would have to be Cat 4Ks or Cat 6Ks since only those 2 types support RSPAN. Then the switches could be connected through a trunk port containing the RSPAN vlan.
3) I have heard of users who have connected a trunk port between switches and spanned from one switch to the other, but there were changes they had to make to the switch configuration to get it to work, and I don't remember what they were. But in those situations they had to disable incoming packets on the span port. And in so doing they would prevent any TCP Reset packets coming from the second switch (span destination switch) from coming into the first switch (span source switch). So if you got the span over the trunk to work somehow, then I don't think you would be able to do the TCP Resets.
4) TCP Resets also do not work when monitoring using RSPAN. RSPAN changes the vlan membership of the packets, and so the sensor would never be able to send the TCP Reset packets to the right vlan.
So in conclusion, your first option will work using a single switch. For now the Resets would only work on the Native vlan, but may in the future work on the other vlans.
Your second option will work and be supported with RSPAN, but TCP Resets will not be able to be used.
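As an added illustration, not part of the original reply, this is what the supported two-switch RSPAN design from point 2 looks like in Catalyst IOS syntax. The VLAN IDs (10, 20 monitored, 900 as the RSPAN vlan) and interface names are assumed values, and the exact keywords vary by platform and software release.

```cisco
! --- Switch A (span source switch) ---
! The RSPAN vlan (assumed ID 900) must exist on both switches and be marked remote-span.
vlan 900
 name RSPAN-to-IDS
 remote-span
!
! dot1q trunk to Switch B carrying the monitored vlans plus the RSPAN vlan.
interface GigabitEthernet1/1
 description trunk to Switch B
 switchport mode trunk
 switchport trunk allowed vlan 10,20,900
!
! Mirror the monitored vlans (assumed 10 and 20) into the RSPAN vlan.
monitor session 1 source vlan 10 , 20
monitor session 1 destination remote vlan 900

! --- Switch B (span destination switch, sensor attached) ---
vlan 900
 name RSPAN-to-IDS
 remote-span
!
interface GigabitEthernet1/1
 description trunk to Switch A
 switchport mode trunk
 switchport trunk allowed vlan 10,20,900
!
! Hand the RSPAN vlan to the sensor's sniffing interface (assumed Gi1/2).
monitor session 1 source remote vlan 900
monitor session 1 destination interface GigabitEthernet1/2
```

Because the mirrored frames now arrive re-tagged as vlan 900, the sensor has no way to place a TCP Reset back into vlan 10 or 20, which is the limitation point 4 describes.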