HOW TO CONFIGURE IPS 4270 FOR PROMISCOUS MODE

ericohermoso
Level 1

I have an IPS 4270 and I want to configure promiscuous mode. I configured my IPS but it is not getting any traffic from the VLAN. Please, how can I configure my IPS for promiscuous mode? What would be the configuration on my switch?

thank you and best regards

Edwin

8 Replies

rhermes
Level 7

Assuming you would like to gather traffic from interfaces Gi0/1 through Gi0/20 and send the traffic to your 4270 on interface Gi0/21:

monitor session 1 source interface Gi0/1 - 20 rx

monitor session 1 destination interface Gi0/21

- Bob

Thank you.

Do I need to configure the switch interface where the IPS is connected? I configured the switch interface where the IPS is connected with encapsulation dot1q, but I still cannot get any traffic to my IPS.

thank you.

Hello Edwin,

The SPAN destination interface requires no configuration. The monitor session commands control VLAN tagging.

For example, to copy all traffic on Gi1/0/1 to Gi1/0/33 and maintain dot1q tags, you would implement the following configuration:

monitor session 1 source interface Gi1/0/1
monitor session 1 destination interface Gi1/0/33 encapsulation replicate

To filter out all monitored VLAN traffic except for VLAN 55, you would implement the following command:

monitor session 1 filter vlan 55

Here is a good reference for all SPAN can offer:

http://tools.cisco.com/squish/856eE

How are you confirming that traffic is not reaching your IPS?

Do you see the SPAN destination port output packet counter on your switch increasing?

Do you see the Total Packets Received counter on your IPS promiscuous interface increasing?

Thank you,
Blayne Dreier
Cisco TAC IDS Team

**Please check out our Podcast**

TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
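The two counter checks Blayne asks for (SPAN destination output packets on the switch, Total Packets Received on the IPS sensing interface) can be turned into a repeatable test by taking two snapshots of each device's "show interfaces" output a few seconds apart and comparing the deltas. The script below is an added example written for this thread, not code from the original post or from Cisco. The sample outputs are constructed to resemble Catalyst IOS and IPS "show interfaces" text; the regular expressions only rely on the "N packets output" and "Total Packets Received = N" / "Total Packets Transmitted = N" lines, so real captures with more lines work the same way.

```python
import re

# Constructed sample snapshots (not captures from the thread). The switch side
# mimics Catalyst IOS "show interfaces" for a SPAN destination port, which shows
# "line protocol is down (monitoring)" even though it is forwarding copies.
SWITCH_SNAPSHOT_1 = """\
GigabitEthernet1/0/10 is up, line protocol is down (monitoring)
     0 packets input, 0 bytes, 0 no buffer
     18340 packets output, 2210144 bytes, 0 underruns
"""
SWITCH_SNAPSHOT_2 = """\
GigabitEthernet1/0/10 is up, line protocol is down (monitoring)
     0 packets input, 0 bytes, 0 no buffer
     19912 packets output, 2398751 bytes, 0 underruns
"""

# IPS side: constructed to resemble the sensor's "show interfaces" counters.
IPS_SNAPSHOT_1 = """\
MAC statistics from interface GigabitEthernet3/0
   Interface function = Sensing interface
   Link Status = Up
   Total Packets Received = 0
   Total Packets Transmitted = 0
"""
IPS_SNAPSHOT_STALLED = IPS_SNAPSHOT_1          # second snapshot, nothing arrived
IPS_SNAPSHOT_HEALTHY = """\
MAC statistics from interface GigabitEthernet3/0
   Interface function = Sensing interface
   Link Status = Up
   Total Packets Received = 1560
   Total Packets Transmitted = 0
"""


def switch_output_packets(show_int: str) -> int:
    """Packets the switch sent out of the SPAN destination port (the copies)."""
    m = re.search(r"(\d+) packets output", show_int)
    if not m:
        raise ValueError("no 'packets output' counter found in switch output")
    return int(m.group(1))


def ips_counter(show_int: str, name: str) -> int:
    """Read one 'Name = N' counter from IPS 'show interfaces' output."""
    m = re.search(rf"{re.escape(name)}\s*=\s*(\d+)", show_int)
    if not m:
        raise ValueError(f"counter {name!r} not found in IPS output")
    return int(m.group(1))


def diagnose_span(switch_a: str, switch_b: str, ips_a: str, ips_b: str) -> dict:
    """Compare two snapshots per device and say where the SPAN copy stops."""
    sw_delta = switch_output_packets(switch_b) - switch_output_packets(switch_a)
    rx_delta = (ips_counter(ips_b, "Total Packets Received")
                - ips_counter(ips_a, "Total Packets Received"))
    tx_total = ips_counter(ips_b, "Total Packets Transmitted")

    if sw_delta <= 0:
        verdict = ("switch is not copying traffic to the SPAN destination: "
                   "check the monitor session source and destination")
    elif rx_delta <= 0:
        verdict = ("switch sends copies but the IPS receives none: check cabling, "
                   "the sensing interface, and leftover trunk config on the "
                   "destination port")
    else:
        verdict = "SPAN traffic is reaching the IPS"

    return {
        "switch_output_delta": sw_delta,
        "ips_received_delta": rx_delta,
        "ips_transmitted": tx_total,
        # A promiscuous sensing interface normally transmits nothing unless
        # it is configured to send TCP resets, so tx == 0 is not a fault.
        "tx_zero_is_normal": tx_total == 0,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, ips_b in (("stalled", IPS_SNAPSHOT_STALLED), ("healthy", IPS_SNAPSHOT_HEALTHY)):
        result = diagnose_span(SWITCH_SNAPSHOT_1, SWITCH_SNAPSHOT_2, IPS_SNAPSHOT_1, ips_b)
        print(label, result["verdict"])
```

Run the checks on the switch and the IPS at roughly the same time; if the switch delta is positive and the IPS delta is zero, the copy is leaving the switch but not being counted by the sensor, which is the situation the thread ends up debugging.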

Hello,

thanks for the reply.

The commands on my switch are like this:

monitor session 1 source vlan 12 , 34 rx

monitor session 1 destination interface gi1/0/10 encapsulation dot1q

and I configured my IPS in the proper way, I guess.

When I issue this command on the IPS:

sh int gi3/0

there are no packets from these two VLANs: packets received 0, packets transmitted 0.

When I ping devices in VLAN 12 and check the event status in my IPS, I cannot see the ICMP even though I enabled Sig ID 2004.

thank you

Edwin

Hello Edwin,

Assuming the ICMP on VLAN 12 is flowing through the SPAN session switch and your switch's Gi1/0/10 is directly connected to your IPS's Gi3/0, you should see packet counters increase.

Did you clear the configuration on the destination interface?

If you'd like, you can email me a "show tech" from your switch and a "show tech" and "show conf" from your IPS. This might provide more insight into what is occurring.

Thank you,
Blayne Dreier

blayne@cisco.com
Cisco TAC IDS Team

**Please check out our Podcast**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

My configuration on my destination interface is (switch):

int gi1/0/10

switchport trunk encapsulation dot1q

switchport mode trunk

no shut

monitor session 1 source vlan 12 , 34 rx

monitor session 1 destination int gi1/0/10 encapsulation dot1q

On the switch:

sh ip int bri:

interface up

line protocol down

I can see there are received packets but there are no transmitted packets on the IPS. Note I use promiscuous mode.

Hello Edwin,

The up/down on the switch is normal for a monitor destination port.

To clean up the config, run the following commands under the SPAN destination interface:

no switchport mode trunk
no switchport trunk encapsulation dot1q

You mentioned that you are now seeing input traffic on your IPS. Is this correct? Can you please verify that you are seeing traffic leave the switch and arrive at the IPS by the "show int" command on each device?

If you are seeing only unidirectional traffic (ICMP replies only for example) run the following command from global configuration mode so that you will see all bidirectional traffic on VLAN 12:

monitor session 1 source vlan 12

It is normal to only see receive traffic on a promiscuous interface, assuming you are not sending TCP resets out of that same interface.

Thank you,
Blayne Dreier
Cisco TAC IDS Team

**Please check out our Podcast**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

Hello Blayne,

Thanks,

My IPS is working now. I cleared the configuration, used:

no monitor session 1

and re-entered the monitor session 1 configuration. I just followed the instructions you provided.

thank you and best regards,

Edwin
