Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1313
Views
0
Helpful
3
Replies

IPS VLAN question

networker99
Level 1
Level 1

‎12-01-2010 08:03 AM - edited ‎03-10-2019 05:11 AM

I am configuring an IPS 4260 in promiscious mode, and have a question about VLAN assignment.  Does the sensing interface need to be in the same VLAN as the switchport you are spanning?  Also does this port need to be a trunk?

Also If you want to log traffic only and not issue resets, do you just leave the default or do I need to switch anything off?

Thanks in advance!

Labels:
0 Helpful
3 Replies 3

Justin Teixeira
Level 1
Level 1

‎12-01-2010 08:35 AM

Hi Networker99,

    As long as you aren't using the "encapsulate replicate" command on the SPAN session sending the traffic to the sensor, the traffic will be copied without VLAN tagging information and no additional configuration on the IDS side should be necessary.

If you want to prevent TCP resets you should either designate an unused port as an alternate TCP reset interface for the promiscuous sensing interface or, alternatively, create a simple Event Action Filter to remove the "TCP Reset" action from all signatures on the sensor.

Best Regards,

Justin

0 Helpful

networker99
Level 1
Level 1
In response to Justin Teixeira

‎12-01-2010 08:38 AM

So the port being used as a sensor doesnt need to be a trunk, correct?

0 Helpful

Justin Teixeira
Level 1
Level 1
In response to networker99

‎12-01-2010 09:34 AM

Correct.  The packets are not tagged with VLAN information when sent out of the SPAN port so the IDS does not need to be configured with any trunking/VLAN awareness information.

-JT

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card