Capturing with Multiple Sensors and Multiple VLANs
The generic case of multiple sensors capturing traffic from
a number of VLANs can be very complex depending on the switch infrastructure.
The simplest implementation is when there are many 2900-type switches, and
sensors are connected to corresponding switches. In reality, this case is just a
multiplied "one VLAN, one sensor" case.
Assume now that we have a Catalyst 6000 with two IDSMs installed
and we need to capture VLANs 100 and 200 on the module in slot 5, and VLANs 300
and 400 on the module in slot 6. SPAN-based capture is again simpler to
configure:
switch>(enable) set span 100, 200 5/1 rx create
switch>(enable) set span 300, 400 6/1 rx create
Traffic capture using VACLs is more complex in the configuration
here, but it also produces the best results, as only interesting traffic is
forwarded to monitoring ports of IDSMs:
switch>(enable) set security acl ip WEBCAP permit tcp any any eq 80 capture
switch>(enable) set security acl ip WEBCAP permit tcp any eq 80 any capture
switch>(enable) commit security acl WEBCAP
switch>(enable) set security acl map WEBCAP 100, 200, 300, 400
switch>(enable) set security acl capture-ports 5/1, 6/1
Now we have the same VACL for IP traffic applied to VLANs 100,
200, 300, and 400. Remember that there can be only one VACL for each type of
traffic per VLAN, and captured traffic is forwarded to all designated capture ports. In
order to separate the traffic between the two IDSMs, we need to set trunking on
their monitoring ports so that each port only carries the VLANs its sensor should see:
switch>(enable) clear trunk 5/1 1-1024
switch>(enable) set trunk 5/1 100, 200
switch>(enable) set vlan 100 5/1
switch>(enable) clear trunk 6/1 1-1024
switch>(enable) set trunk 6/1 300, 400
switch>(enable) set vlan 300 6/1
After you have configured this, the layout can be reduced to the "one VLAN, one sensor"
case without touching the VACL at all: simply remove the unwanted VLANs from the
corresponding monitoring trunk, leaving only VLAN 100, for example. Thus, you can configure capturing
for many VLANs in advance and then filter the already captured traffic before it
reaches the IDSM by using trunking commands alone (see Figure 9.11).
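Because one VACL delivers every captured frame to every capture port, the trunk allowed-VLAN lists on the monitoring ports are what actually decide which IDSM sees which VLAN, and a slip in a single port number silently sends one sensor's VLANs to the other. The following is an added example, not from the book or from Cisco: a small Python checker that models the subset of CatOS commands used above (acl map, capture-ports, clear/set trunk) and verifies that the mapped VLANs are partitioned across the capture ports as intended. It assumes the CatOS default that a trunk allows all VLANs until cleared (modelled here as 1-1024, the range the text clears), and the command listings it parses are constructed for the example.

```python
"""Consistency check for a VACL-capture + trunk-filter layout on CatOS.

Added example (not the book's or Cisco's code). Models only the commands
the chapter uses and checks the rule the text states: captured traffic
reaches every capture port, so the monitoring trunks must partition the
mapped VLANs between the IDSMs.
"""
import re
from collections import defaultdict

# Assumption: a trunk carries all VLANs until some are cleared; the
# chapter clears 1-1024, so that range stands in for "all" here.
ALL_VLANS = set(range(1, 1025))


def parse_vlans(text):
    """'100, 200' -> {100, 200}; '1-1024' -> the whole range."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_catos(lines):
    """Build a small state model from CatOS 'set/clear' lines (prompts ignored)."""
    state = {
        "acl_map": defaultdict(set),                 # acl name -> VLANs mapped
        "capture_ports": set(),                      # ports that get captured traffic
        "trunk": defaultdict(lambda: set(ALL_VLANS)),  # port -> allowed VLANs
        "native": {},                                # port -> native VLAN
    }
    for raw in lines:
        cmd = re.sub(r"^.*?\(enable\)\s*", "", raw.strip())  # drop the prompt
        if m := re.match(r"set security acl map (\S+) (.+)", cmd):
            state["acl_map"][m.group(1)] |= parse_vlans(m.group(2))
        elif m := re.match(r"set security acl capture-ports (.+)", cmd):
            state["capture_ports"] |= {p.strip() for p in m.group(1).split(",")}
        elif m := re.match(r"clear trunk (\S+) (.+)", cmd):
            state["trunk"][m.group(1)] -= parse_vlans(m.group(2))
        elif m := re.match(r"set trunk (\S+) (.+)", cmd):
            state["trunk"][m.group(1)] |= parse_vlans(m.group(2))
        elif m := re.match(r"set vlan (\d+) (\S+)", cmd):
            state["native"][m.group(2)] = int(m.group(1))
        # any other command (set span, permit lines, commit) is irrelevant here
    return state


def check_layout(state, acl_name, intended):
    """intended: {port: {vlans}}. Returns a list of problems; empty means OK."""
    problems = []
    mapped = state["acl_map"].get(acl_name, set())
    for port, want in intended.items():
        if port not in state["capture_ports"]:
            problems.append(f"{port} is not a capture port")
        got = state["trunk"][port] & mapped
        if got != want:
            problems.append(f"{port} receives {sorted(got)}, expected {sorted(want)}")
    # Every mapped VLAN that reaches two capture ports is a duplicate feed.
    delivered = defaultdict(list)
    for port in sorted(state["capture_ports"]):
        for v in state["trunk"][port] & mapped:
            delivered[v].append(port)
    for v, ports in sorted(delivered.items()):
        if len(ports) > 1:
            problems.append(f"VLAN {v} delivered to more than one IDSM: {ports}")
    return problems


COMMON = [  # constructed listing, mirrors the VACL commands in the text
    "switch>(enable) set security acl map WEBCAP 100, 200, 300, 400",
    "switch>(enable) set security acl capture-ports 5/1, 6/1",
    "switch>(enable) clear trunk 5/1 1-1024",
    "switch>(enable) set trunk 5/1 100, 200",
    "switch>(enable) clear trunk 6/1 1-1024",
]
GOOD = COMMON + ["switch>(enable) set trunk 6/1 300, 400"]
SLIP = COMMON + ["switch>(enable) set trunk 5/1 300, 400"]  # wrong port number
INTENDED = {"5/1": {100, 200}, "6/1": {300, 400}}


def audit(lines):
    return check_layout(parse_catos(lines), "WEBCAP", INTENDED)


if __name__ == "__main__":
    print("correct layout:", audit(GOOD) or "OK")
    print("port slip     :", audit(SLIP))
```

Running the block prints `OK` for the intended layout and two findings for the port slip: 5/1 ends up carrying all four VLANs while 6/1 carries none, which is exactly the failure an IDSM operator would otherwise only notice as one sensor going quiet.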