Header
Home | Set as homepage | Add to favorites
  Search the Site     » Advanced Search
Sections
Syndication


Blogroll:

||||| ALL Cisco-Network ARTICLES |||||  
CCIE Journey,
The CCIE Journey,

Home : Intrusion Detection System : Capturing with One Sensor and a Single VLAN

Capturing with One Sensor and a Single VLAN

Nov 26,2008 by admin

small font medium font large font
image

Capturing with One Sensor and a Single VLAN

Capturing using one sensor and a single VLAN is the simplest case and should be easy to configure. If you are using an external sensor, simply create a SPAN session, either local or remote, for the VLAN you want to monitor and forward all traffic to the port where the sensor is connected. The same configuration can be used with IDSM, setting port 1 of the IDS module card as the SPAN destination.

The simple local SPAN for a 2900 series switch can be configured in this way (see Figure 9.10):

Click To expand
Figure 9.10: Cisco 2900 Switch with One VLAN and One Sensor 
!
interface FastEthernet3/1
port monitor FastEthernet0/1
port monitor FastEthernet0/2
port monitor FastEthernet0/3
switchport access vlan 100
!
interface FastEthernet0/1
switchport access vlan 100
!
interface FastEthernet0/2
switchport access vlan 100
!
interface FastEthernet0/3
switchport access vlan 100
!

On a Catalyst (with CatOS), similar results can be achieved with just one command:

Switch (enable) set span 100 5/1 rx create

An IOS-based Catalyst requires the following:

Switch(config)# monitor session 1 source vlan 100 rx
Switch(config)# monitor session 1 destination interface Fa5/1

VACL-based capture can be configured as follows: 

switch>(enable) set security acl ip WEBCAP permit tcp any any eq 80 capture

switch>(enable) set security acl ip WEBCAP permit tcp any eq 80 any capture
switch>(enable) commit security acl WEBCAP
switch>(enable) set security acl map WEBCAP 100
switch>(enable) set security acl capture-ports 5/1

VACLs can also be configured on an IOS-based Catalyst switch, as described earlier. It is also worth noting that you can use trunking configuration commands to filter traffic reaching the sensor port of an IDSM. This is more important when using several sensors monitoring multiple VLANs, because it helps distributing traffic. The monitoring interface of an IDSM is set as trunk by default. We will use the following commands to filter traffic from all VLANs but 100:

switch>(enable)clear trunk 5/1 1-1024
switch>(enable)set trunk 5/1 100
switch>(enable)set vlan 100 5/1

190 times read

Related news
» Capturing with Multiple Sensors and Multiple VLANs
by admin posted on Nov 26,2008
» Configuring 2900/3500 Series Switches
by admin posted on Nov 26,2008
» Configuring a 4000/6000 Series IOS-Based Switch
by admin posted on Nov 26,2008
» Catalyst 4000 Series
by alperen posted on Dec 05,2008
» Understanding the Cisco IDSM Sensor
by admin posted on Nov 24,2008
Did you enjoy this article?
1 2 3 4 5
(total 0 votes)

comment Comments (0 posted) 

More Top News
CCSP-Cisco Certified Security Professional
arrow Cisco SAFE Implementation
arrow Preparation Documents
arrow Exam Topics
arrow Skills Required for the Exam
arrow Cisco SAFE Implementation Questions and Answers
arrow Access Control Lists Cisco
arrow Access List Basics
arrow Standard Access Lists
arrow Verifying ACLs
arrow Extended Access Lists
arrow TCP Access Lists
arrow UDP Access Lists
arrow ICMP Access Lists
arrow Named Access Lists
arrow Signature and Alarm Management Review
arrow Signature and Alarm Management Review Questions and Answers
arrow Event Viewer
arrow Managing Alarms
arrow Event Viewer Customization
arrow Preference Settings
arrow Sensor Installation
arrow Connecting to Your Network Sensor Appliance
arrow Sensor Bootstrap
arrow Sensor Installation and Configuration Review
arrow Sensor Installation and Configuration Questions and Answers
arrow Signature and Alarm Management
arrow CIDS Signatures
arrow Signature Series
arrow Signature Implementations
arrow Signature Classes
arrow Signature Types
arrow Signature Severity
Most Popular
Most Commented
Featured Author

alperen

image
<| Cisco Articles | Maximum Learning | All Cisco-Network Study Notes | Privacy Policy |>
If you think you own the material being used without permission, contact alperenmad[at]hotmail.com. material will be removed from the site.