Switch for multiple VLANs, multiple switches, with TCP Reset

d.beppu
Level 1

Hello,

Any recommendations for switch A and switch B below?

What product of Catalyst should we use?

(1)

      100Mbps ports (multiple VLANs)
         |   |   |
      +----------+
      | switch A |
      +----------+
           |  Gigabit SPAN port (monitoring multiple VLANs)
           |
           |  TCP Reset packets from IDS to switch A
           |
   +-------------------+
   | IDS 4235 or 4250  |
   +-------------------+

(2)

      100Mbps ports (multiple VLANs)
         |   |   |
      +----------+
      | switch A |
      +----------+
           |  Gigabit SPAN port (monitoring multiple VLANs)
           |
           |  Gigabit port
      +----------+   Gigabit SPAN port   +-------------------+
      | switch B |-----------------------| IDS 4235 or 4250  |
      +----------+                       +-------------------+
           |  Gigabit port      TCP Reset packets from IDS to switch A
           |
           |  Gigabit SPAN port (monitoring multiple VLANs)
      +----------+
      | switch A |
      +----------+
         |   |   |
      100Mbps ports (multiple VLANs)

Regards,

Daiichiro Beppu

NTT DATA SECURITY Corporation

Japan


marcabal
Cisco Employee

A couple of issues to be aware of:

1) The IDS-4235/50 are able to monitor multiple vlans when connected through a dot1q trunk to the switch. But they are not able to do TCP Resets on all vlans of the trunk port. TCP Resets currently only work on the Native Vlan of the trunk port. This is a software limitation. We hope to remedy it in a future version.

2) Connecting 2 switches with a span port over a dot1q trunk port can be tricky. I am not sure if this is officially supported. The supported method would be to use RSPAN, in which case the switches would have to be Cat 4Ks or Cat 6Ks since only those 2 types support RSPAN. Then the switches could be connected through a trunk port containing the RSPAN vlan.

3) I have heard of users who have connected a trunk port between switches and spanned from one switch to the other, but there were changes they had to make to the switch configuration to get it to work, and I don't remember what they were. But in those situations they had to disable incoming packets on the span port. And in so doing they would prevent any TCP Reset packets coming from the second switch (span destination switch) from coming into the first switch (span source switch). So if you got the span over the trunk to work somehow, then I don't think you would be able to do the TCP Resets.

4) TCP Resets also do not work when monitoring using RSPAN. RSPAN changes the vlan membership of the packets, and so the sensor would never be able to send the TCP Reset packets to the right vlan.

So in conclusion, your first option will work using a single switch. For now the Resets would only work on the Native vlan, but may in the future work on the other vlans.

Your second option will work and be supported with RSPAN, but TCP Resets will not be able to be used.

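The following is an added illustration, not part of the thread and not Cisco sensor code, of the mechanics behind points 1 and 4 of the reply: a passive sensor on a SPAN feed builds a TCP RST for a segment it has seen, and that reset only reaches the monitored flow if it is injected into the same VLAN. An untagged reset sent into a dot1q trunk lands in the native VLAN (point 1); a copy delivered over RSPAN carries the RSPAN VLAN instead of the original one, so even a tagged reset would go to the wrong VLAN (point 4). All frames, MAC and IP addresses are constructed test data; the native VLAN is assumed to be 1, the RSPAN VLAN 900, and RSPAN is modelled simply as re-tagging the copy with the RSPAN VLAN, which is the behaviour the reply describes.

```python
import struct

# Constructed example: minimal Ethernet/802.1Q/IPv4/TCP frame handling for a
# SPAN-fed sensor.  Addresses and VLAN numbers below are made up.
ETH_8021Q = 0x8100
ETH_IPV4 = 0x0800
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (used for IP and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src_mac, dst_mac, vlan, sip, dip, sport, dport, seq, ack, flags):
    """Ethernet II [+ 802.1Q tag when vlan is not None] + IPv4 + TCP, no payload."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)
    pseudo = sip + dip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ip_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, sip, dip)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = dst_mac + src_mac
    if vlan is not None:
        eth += struct.pack("!HH", ETH_8021Q, vlan)  # TCI with PCP/DEI 0, VID = vlan
    return eth + struct.pack("!H", ETH_IPV4) + ip + tcp


def parse_frame(raw: bytes) -> dict:
    """Decode Ethernet II [+ 802.1Q] + IPv4 + TCP; vlan is None for untagged frames."""
    dst, src, ethertype = raw[:6], raw[6:12], struct.unpack("!H", raw[12:14])[0]
    off, vlan = 14, None
    if ethertype == ETH_8021Q:
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != ETH_IPV4 or raw[off + 9] != 6:
        raise ValueError("not IPv4/TCP")
    ihl = (raw[off] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[off + 2:off + 4])[0]
    sip, dip = raw[off + 12:off + 16], raw[off + 16:off + 20]
    t = off + ihl
    sport, dport, seq, ack, doff_flags = struct.unpack("!HHIIH", raw[t:t + 14])
    return dict(src_mac=src, dst_mac=dst, vlan=vlan, src_ip=sip, dst_ip=dip,
                sport=sport, dport=dport, seq=seq, ack=ack, flags=doff_flags & 0x1FF,
                payload_len=total_len - ihl - (doff_flags >> 12) * 4)


def build_reset(seen: dict, sensor_tags: bool) -> bytes:
    """RST/ACK aimed at the receiver of `seen`, spoofing its sender.  SEQ continues
    the sender's sequence space (a SYN counts as one octet) and ACK echoes the
    sender's ACK so the receiver accepts it.  A sensor that does not tag its
    resets (sensor_tags=False, the behaviour point 1 describes) sends untagged."""
    seq = (seen["seq"] + seen["payload_len"] + (1 if seen["flags"] & TCP_SYN else 0)) & 0xFFFFFFFF
    return build_frame(seen["src_mac"], seen["dst_mac"], seen["vlan"] if sensor_tags else None,
                       seen["src_ip"], seen["dst_ip"], seen["sport"], seen["dport"],
                       seq, seen["ack"], TCP_RST | TCP_ACK)


def delivered_vlan(raw: bytes, native_vlan: int) -> int:
    """VLAN a frame injected into a dot1q trunk lands on: untagged frames go to
    the native VLAN, tagged frames follow their tag."""
    vlan = parse_frame(raw)["vlan"]
    return native_vlan if vlan is None else vlan


def reset_reaches_flow(raw_seen: bytes, flow_vlan: int, native_vlan: int, sensor_tags: bool) -> bool:
    """Does the reset built from what the sensor saw land in the flow's real VLAN?"""
    reset = build_reset(parse_frame(raw_seen), sensor_tags)
    return delivered_vlan(reset, native_vlan) == flow_vlan


def rspan_view(raw: bytes, rspan_vlan: int) -> bytes:
    """Model of the copy an RSPAN destination hands the sensor: it travels in the
    RSPAN VLAN, so the original VLAN membership is lost (point 4 of the reply)."""
    s = parse_frame(raw)
    return build_frame(s["src_mac"], s["dst_mac"], rspan_vlan, s["src_ip"], s["dst_ip"],
                       s["sport"], s["dport"], s["seq"], s["ack"], s["flags"])


# Constructed SPAN-feed samples (not captures): a SYN tagged VLAN 20 and a SYN on
# the native VLAN (untagged).  Native VLAN assumed to be 1, RSPAN VLAN 900.
NATIVE_VLAN, RSPAN_VLAN = 1, 900
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SYN_VLAN20 = build_frame(MAC_A, MAC_B, 20, bytes([10, 0, 20, 5]), bytes([10, 0, 20, 9]), 40000, 80, 1000, 0, TCP_SYN)
SYN_NATIVE = build_frame(MAC_A, MAC_B, None, bytes([10, 0, 1, 5]), bytes([10, 0, 1, 9]), 40001, 80, 5000, 0, TCP_SYN)

if __name__ == "__main__":
    cases = (("native VLAN flow", SYN_NATIVE, NATIVE_VLAN),
             ("VLAN 20 flow, local SPAN", SYN_VLAN20, 20),
             ("VLAN 20 flow, via RSPAN", rspan_view(SYN_VLAN20, RSPAN_VLAN), 20))
    for name, frame, flow_vlan in cases:
        print(name, "untagged reset reaches flow:", reset_reaches_flow(frame, flow_vlan, NATIVE_VLAN, False),
              "| tagged reset reaches flow:", reset_reaches_flow(frame, flow_vlan, NATIVE_VLAN, True))
```

Running the script shows the three outcomes the reply describes: an untagged reset reaches only the native-VLAN flow, tagging the reset with the observed VLAN fixes the local-SPAN case, and nothing fixes the RSPAN case because the VLAN the sensor observes is the RSPAN VLAN, not the flow's.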