IDS and Dot1q

bgrove2913
Level 1

Does the IDS understand Dot1q? If it does, is any configuration needed on the IDS when it is sniffing multiple VLANs? Does the interface on the switch that connects to the sniffing port of the IDS need to have Dot1q trunking configured?

Thanks

Accepted Solution

marcabal
Cisco Employee

The sensor is able to interpret 802.1Q trunk headers to tell what VLAN the packet came in on, and will report the VLAN number in the alert.

This feature of the sensor is always on, and no commands are needed.

It is the switch port that would need to be configured as an 802.1Q trunk port in order to send trunk packets to the sensor.

For promiscuous mode, making the switch port a trunk port is not enough. In addition, the switch would need to be configured to send traffic to the sensor using SPAN (or VACL capture if it is a Cat 6500).

The SPAN command may contain additional parameters in order to send the spanned packets with trunk headers.

You will need to read your switch's manuals to determine what commands are needed on your switch.

For inline mode, the easiest scenario is to set up your two switches (or a switch and a router or firewall, etc.) to be connected to each other through an 802.1Q trunk port.

Once everything is running fine, place your sensor between the two switches, in the middle of that 802.1Q trunk.

The sensor will analyze the packets and pass them on without modification. The VLAN header of the packets would be passed through without modification, and the underlying IP packet would be fully analyzed.

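As an added illustration of the tag handling marcabal describes (this is example code written for this page, not code from the original thread or from any Cisco sensor), the following parser walks an Ethernet frame the way a promiscuous or inline sensor would: it steps past each 802.1Q tag, records the 12-bit VLAN ID from the TCI (ignoring the PCP and DEI bits above it), and leaves the frame bytes untouched so the inline case can forward them as-is. It also shows what the sensor sees when a SPAN session delivers the frame without its trunk header: the VLAN is simply unknown. The sample frames, MAC addresses and the `alert_vlan` helper are constructed assumptions for the example; the reporting of the outer tag as "the VLAN the packet came in on" for double-tagged (QinQ) frames is likewise an assumption of this example, not documented sensor behaviour.

```python
"""Recover the 802.1Q VLAN ID from raw Ethernet frames, as an IDS sensor
tapping a trunk would. Example code for this page; frames are constructed."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

TPID_8021Q = 0x8100     # C-TAG: the ordinary dot1q trunk tag
TPID_8021AD = 0x88A8    # S-TAG: outer tag of a QinQ double-tagged frame
ETHERTYPE_IPV4 = 0x0800


@dataclass
class ParsedFrame:
    dst_mac: str
    src_mac: str
    vlan_ids: List[int] = field(default_factory=list)  # outermost first; empty = untagged
    ethertype: int = 0          # ethertype of the payload after all tags
    payload: bytes = b""


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> ParsedFrame:
    """Walk past every 802.1Q/802.1ad tag and record each 12-bit VID."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    parsed = ParsedFrame(_mac(frame[0:6]), _mac(frame[6:12]))
    offset = 12
    (etype,) = struct.unpack_from("!H", frame, offset)
    while etype in (TPID_8021Q, TPID_8021AD):
        # Need TCI (2 bytes) plus the next ethertype (2 bytes) after this TPID.
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        parsed.vlan_ids.append(tci & 0x0FFF)   # VID = low 12 bits; PCP/DEI sit above
        offset += 4
        (etype,) = struct.unpack_from("!H", frame, offset)
    parsed.ethertype = etype
    parsed.payload = frame[offset + 2:]
    return parsed


def alert_vlan(frame: bytes) -> Optional[int]:
    """VLAN the sensor would put in an alert: the outermost tag (assumption for
    QinQ), or None when the tag was stripped before the frame reached the tap."""
    ids = parse_frame(frame).vlan_ids
    return ids[0] if ids else None


def build_frame(dst: str, src: str, tags: Sequence[Tuple[int, int]],
                ethertype: int, payload: bytes) -> bytes:
    """Build a test frame. tags = [(tpid, tci), ...] outermost first; tci is the
    full 16-bit field so PCP/DEI bits can be set deliberately."""
    out = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for tpid, tci in tags:
        out += struct.pack("!HH", tpid, tci & 0xFFFF)
    return out + struct.pack("!H", ethertype) + payload


# Constructed sample frames (not captured traffic); MACs are placeholders.
SAMPLE_PAYLOAD = bytes.fromhex("4500") + bytes(18)       # minimal IPv4-looking stub
DST, SRC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
# Trunk frame for VLAN 100 with PCP=5 set, as a SPAN session with trunk
# encapsulation (or an inline trunk) would deliver it.
TAGGED_VLAN100 = build_frame(DST, SRC, [(TPID_8021Q, (5 << 13) | 100)],
                             ETHERTYPE_IPV4, SAMPLE_PAYLOAD)
# Same packet after a SPAN session that strips the tag: VLAN is unrecoverable.
UNTAGGED = build_frame(DST, SRC, [], ETHERTYPE_IPV4, SAMPLE_PAYLOAD)
# QinQ: service tag 200 outside, customer tag 300 inside.
QINQ_200_300 = build_frame(DST, SRC, [(TPID_8021AD, 200), (TPID_8021Q, 300)],
                           ETHERTYPE_IPV4, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for name, frame in [("tagged", TAGGED_VLAN100), ("untagged", UNTAGGED),
                        ("qinq", QINQ_200_300)]:
        p = parse_frame(frame)
        print(f"{name:9s} vlans={p.vlan_ids} alert_vlan={alert_vlan(frame)} "
              f"ethertype=0x{p.ethertype:04x} payload_len={len(p.payload)}")
```

The inline case in the post needs nothing beyond this: the sensor parses a copy of the bytes and forwards the original frame unchanged, tag included. The practical check for the promiscuous case is the `UNTAGGED` frame: if your SPAN destination is not configured to keep trunk encapsulation, the sensor still analyzes the IP packet but can report no VLAN, which is the symptom to look for when alerts arrive with the VLAN field empty.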

2 Replies

sachinraja
Level 9

Hello,

I don't think there is any requirement for trunks when using the IDS sniffing port. It only uses spanning/remote spanning for capturing packets. It is not going to forward any data traffic/VLAN traffic, which negates the use of a trunk. You can have one sniffing interface for each VLAN or mirror all VLAN traffic onto an interface.

HTH

Raj
