02-14-2011 11:00 AM - edited 03-10-2019 05:16 AM
Hello
Can someone please clarify the configuration below?
We use EIGRP, BGP, multicast and IPX on the network. Can someone please clarify the config below, especially the access-list allow_all and its action? The access-list does have ip any any. Since we use EIGRP, multicast and IPX we have added the extra lines we think are required. We don't want the network to crash after the VLAN access-list is applied. Will this cover all the traffic we have? Thanks
vlan access-map IDS_CAPTURE 10
match ip address customized_traffic
action forward capture
vlan access-map IDS_CAPTURE 20
match ip address allow_all
action forward
!
vlan filter IDS_CAPTURE vlan-list 29-30,40,60,90,100
ip access-list extended allow_all
permit ip any any
permit 111 any any (ipx)
permit icmp any any
permit eigrp any any
permit pim any any
ip access-list extended customized_traffic
deny ip 10.10.60.0 0.0.0.255 10.10.40.0 0.0.0.255
deny ip 10.10.40.0 0.0.0.255 10.10.60.0 0.0.0.255
permit ip 10.10.60.0 0.0.0.255 10.10.30.0 0.0.0.255
permit ip 10.10.30.0 0.0.0.255 10.10.60.0 0.0.0.255
permit ip 10.10.30.0 0.0.0.255 10.10.40.0 0.0.0.255
permit ip 10.10.40.0 0.0.0.255 10.10.30.0 0.0.0.255
permit icmp any host 10.10.60.11
permit icmp host 10.10.60.11 any
permit ip any any
02-19-2011 11:25 PM
Hello
Since you have 'permit ip any any' in the first VACL clause, no IP traffic will ever hit the second VACL clause.
Regards
Farrukh
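The evaluation order Farrukh describes, as an added worked simulation that is not part of the thread and not Cisco code. It models the VACL rules (sequences tried in order, first match wins; a deny entry in a match ACL means "not this sequence", it never drops by itself; an IP packet no sequence matches is dropped) and runs the posted IDS_CAPTURE map over constructed sample packets. The sample addresses, the Packet/evaluate/shadowed_aces names, and the handling of non-IP frames are assumptions made for the illustration.

```python
"""Simulate how a Catalyst VLAN access-map (VACL) evaluates the posted config.

Constructed illustration, not code from the thread. Rules modelled:
  * sequences are tried in order; the first whose match ACL permits the
    packet decides the action (forward / forward capture / drop)
  * in a match ACL, 'permit' = "this sequence matches"; 'deny' and the
    implicit deny = "not this sequence, try the next one" (no drop by itself)
  * an IP packet matched by no sequence is dropped (implicit deny of the map)
  * a non-IP frame is not examined by 'match ip address' sequences and is
    forwarded (ASSUMED default for a frame type the map has no ACL for)
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

PROTO_NUM = {"icmp": 1, "igmp": 2, "eigrp": 88, "pim": 103}  # names used in the ACLs

@dataclass(frozen=True)
class Packet:
    ethertype: str        # "ip", or anything else for a non-IP frame ("ipx")
    proto: int = 0        # IP protocol number (1 ICMP, 6 TCP, 88 EIGRP, 103 PIM)
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"

def _parse_addr(tok):
    """Return (address, wildcard, tokens_consumed) for 'any' / 'host X' / 'X wildcard'."""
    if tok[0] == "any":
        return 0, 0xFFFFFFFF, 1
    if tok[0] == "host":
        return int(IPv4Address(tok[1])), 0, 2
    return int(IPv4Address(tok[0])), int(IPv4Address(tok[1])), 2

def parse_ace(line):
    """'permit icmp any host 10.10.60.11' -> (permit, proto|None, (src, wc), (dst, wc))."""
    tok = line.split()
    proto = None if tok[1] == "ip" else PROTO_NUM.get(tok[1]) or int(tok[1])
    s_addr, s_wc, n = _parse_addr(tok[2:])
    d_addr, d_wc, _ = _parse_addr(tok[2 + n:])
    return tok[0] == "permit", proto, (s_addr, s_wc), (d_addr, d_wc)

def _addr_match(addr, rule):
    """IOS wildcard match: bits set in the wildcard are ignored."""
    net, wc = rule
    return ((int(IPv4Address(addr)) ^ net) & ~wc & 0xFFFFFFFF) == 0

def acl_permits(acl, pkt):
    """True if the ACL permits the packet; False on a deny hit or the implicit deny."""
    for permit, proto, src, dst in acl:
        if (proto is None or proto == pkt.proto) and \
                _addr_match(pkt.src, src) and _addr_match(pkt.dst, dst):
            return permit
    return False

def evaluate(access_map, acls, pkt):
    """Return (sequence_hit, action); sequence_hit is None when no sequence matched."""
    if pkt.ethertype != "ip":
        return None, "forward"        # assumed: no 'match ip address' sequence applies
    for seq, acl_name, action in access_map:
        if acl_permits(acls[acl_name], pkt):
            return seq, action
    return None, "drop"               # implicit deny at the end of the access-map

def _covers(outer, inner):
    """True if address rule `outer` matches every address `inner` matches."""
    (o_net, o_wc), (i_net, i_wc) = outer, inner
    return (i_wc & ~o_wc) == 0 and ((o_net ^ i_net) & ~o_wc & 0xFFFFFFFF) == 0

def shadowed_aces(acl):
    """Indices of ACEs that can never be reached because an earlier ACE covers them."""
    return [i for i, (_, proto, src, dst) in enumerate(acl)
            if any((e_proto is None or e_proto == proto) and _covers(e_src, src)
                   and _covers(e_dst, dst) for _, e_proto, e_src, e_dst in acl[:i])]

# The two ACLs as posted ("(ipx)" note dropped; 111 is the IP protocol number).
ACLS = {
    "customized_traffic": [parse_ace(s) for s in (
        "deny ip 10.10.60.0 0.0.0.255 10.10.40.0 0.0.0.255",
        "deny ip 10.10.40.0 0.0.0.255 10.10.60.0 0.0.0.255",
        "permit ip 10.10.60.0 0.0.0.255 10.10.30.0 0.0.0.255",
        "permit ip 10.10.30.0 0.0.0.255 10.10.60.0 0.0.0.255",
        "permit ip 10.10.30.0 0.0.0.255 10.10.40.0 0.0.0.255",
        "permit ip 10.10.40.0 0.0.0.255 10.10.30.0 0.0.0.255",
        "permit icmp any host 10.10.60.11", "permit icmp host 10.10.60.11 any",
        "permit ip any any")],
    "allow_all": [parse_ace(s) for s in (
        "permit ip any any", "permit 111 any any", "permit icmp any any",
        "permit eigrp any any", "permit pim any any")],
}
IDS_CAPTURE = [(10, "customized_traffic", "forward capture"), (20, "allow_all", "forward")]

# Constructed sample traffic for the VLANs named in the thread.
SAMPLES = {
    "vlan60 -> vlan40 tcp": Packet("ip", 6, "10.10.60.5", "10.10.40.7"),
    "vlan30 -> vlan60 tcp": Packet("ip", 6, "10.10.30.5", "10.10.60.7"),
    "internet -> vlan90":   Packet("ip", 6, "192.0.2.10", "10.10.90.20"),
    "eigrp hello":          Packet("ip", 88, "10.10.60.1", "224.0.0.10"),
    "native ipx frame":     Packet("ipx"),
}

def classify(samples=SAMPLES):
    """Map each sample to the (sequence, action) the IDS_CAPTURE map applies to it."""
    return {name: evaluate(IDS_CAPTURE, ACLS, p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, (seq, action) in classify().items():
        print(f"{name:22} seq={seq!s:5} {action}")
    print("unreachable ACEs in allow_all:", shadowed_aces(ACLS["allow_all"]))
```

Running it shows that the 10.10.60.0/24 to 10.10.40.0/24 traffic is the only IP traffic that reaches sequence 20 (forwarded, not captured); every other IP packet, EIGRP and PIM included, is matched by the trailing permit ip any any in customized_traffic and is forwarded and captured by sequence 10. shadowed_aces reports that the four lines after permit ip any any in allow_all can never be reached, and evaluating the map with sequence 20 removed turns the denied 60/40 traffic into a drop rather than a forward, which is the failure the original poster was worried about.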
02-21-2011 05:14 AM
Hello
Thanks for the response
'ip any any' in customized_traffic is in the clause with action capture. Can you please clarify why the second clause, with action forward, will not be hit? Shouldn't the action capture only capture the traffic?
My other question is about the protocol number for IPX (111), EIGRP, IGMP and PIM. We think they are required even though we have 'permit ip any any' in the second clause. Can you please elaborate on it?
Thanks
02-21-2011 06:27 AM
I got your point, because only forwarded packets can be captured.
So in my first clause I can have, with action forward and capture:
permit ip any any
In my second clause I can have only forward and no capture:
permit 111 (ipx) any any
permit eigrp any any
permit igmp any any
Then I can control which VLANs I add to the filter list to capture traffic.
I have a question, if you can please answer it.
MSFC A - VLAN 10 --- MSFC VLAN 20 --- FWSM VLAN 20. VLANs 30, 40, 50 are assigned to the FWSM. VLAN 10 of the MSFC is connected to the ISP.
Then in the capture list we add VLANs 20, 30, 40, 50. Suppose a host on the internet, which gets routed via VLAN 10 (it can be any IP address), say 4.2.2.16, accesses the IP address 40.2.2.2. This 40.2.2.2 is on VLAN 20.
So the packet from 4.2.2.16 comes to VLAN 10 on the MSFC for 40.2.2.2; the MSFC looks for ARP on VLAN 20; the FWSM has a static for 40.2.2.2 to 192.168.30.2, which is on VLAN 30; the packet then goes from VLAN 20, with source 4.2.2.16 and NATed to 192.168.30.2, from the FWSM to VLAN 30. The destination replies back, and the packet goes from VLAN 30 to 20 and 10.
The question is: the packet originates from VLAN 10, goes to VLAN 20 and then reaches 30, and vice versa, but the VLAN filter and IDSM are configured to capture traffic on VLANs 20 and 30. Will the traffic from source 40.2.2.2 be captured, and if anything is malicious will the IDSM fire an alert?
Thanks
02-22-2011 12:37 AM
Hello
If I understand your packet flow correctly, the packet should reach the IDSM-2 in the described scenario.
The best way is to enable the ICMP ECHO/ECHO REPLY signatures and test out the scenario.
Please rate if helpful
Regards, Farrukh