topic Re: IPS VLAN question in Network Security

IPS VLAN question

networker99 — Sun, 10 Mar 2019 12:11:52 GMT

I am configuring an IPS 4260 in promiscious mode, and have a question about VLAN assignment. Does the sensing interface need to be in the same VLAN as the switchport you are spanning? Also does this port need to be a trunk?

Also If you want to log traffic only and not issue resets, do you just leave the default or do I need to switch anything off?

Thanks in advance!

Re: IPS VLAN question

Justin Teixeira — Wed, 01 Dec 2010 16:35:36 GMT

Hi Networker99,

As long as you aren't using the "encapsulate replicate" command on the SPAN session sending the traffic to the sensor, the traffic will be copied without VLAN tagging information and no additional configuration on the IDS side should be necessary.

If you want to prevent TCP resets you should either designate an unused port as an alternate TCP reset interface for the promiscuous sensing interface or, alternatively, create a simple Event Action Filter to remove the "TCP Reset" action from all signatures on the sensor.

Best Regards,

Justin

Re: IPS VLAN question

networker99 — Wed, 01 Dec 2010 16:38:18 GMT

So the port being used as a sensor doesnt need to be a trunk, correct?

Re: IPS VLAN question

Justin Teixeira — Wed, 01 Dec 2010 17:34:23 GMT

Correct. The packets are not tagged with VLAN information when sent out of the SPAN port so the IDS does not need to be configured with any trunking/VLAN awareness information.

-JT