12-01-2010 08:03 AM - edited 03-10-2019 05:11 AM
I am configuring an IPS 4260 in promiscuous mode, and have a question about VLAN assignment. Does the sensing interface need to be in the same VLAN as the switchport you are spanning? Also, does this port need to be a trunk?
Also, if you want to log traffic only and not issue resets, do you just leave the default or do I need to switch anything off?
Thanks in advance!
12-01-2010 08:35 AM
Hi Networker99,
As long as you aren't using the "encapsulate replicate" command on the SPAN session sending the traffic to the sensor, the traffic will be copied without VLAN tagging information and no additional configuration on the IDS side should be necessary.
If you want to prevent TCP resets you should either designate an unused port as an alternate TCP reset interface for the promiscuous sensing interface or, alternatively, create a simple Event Action Filter to remove the "TCP Reset" action from all signatures on the sensor.
Best Regards,
Justin
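Added example (not from this thread or from Cisco): the two pieces of configuration the answer above describes, a switch-side SPAN session without encapsulation replicate, and on the sensor either an alternate TCP reset interface or an event action filter that strips the reset-tcp-connection action. Interface names, the SPAN session number and the filter name are assumptions; the syntax follows the Cisco IOS and IPS 6.x/7.x CLI.

```cisco
! --- Switch side (IOS): local SPAN session feeding the IPS sensing port.
! Source/destination interface names and the session number are assumed.
! Without "encapsulation replicate" the mirrored frames leave the destination
! port untagged, so the sensor side needs no trunk or VLAN configuration.
monitor session 1 source interface GigabitEthernet1/0/10 both
monitor session 1 destination interface GigabitEthernet1/0/24
!
! Only add this if the sensor must see 802.1Q tags (not the case here):
!   monitor session 1 destination interface GigabitEthernet1/0/24 encapsulation replicate

! --- Sensor side (IPS CLI), option 1: send resets out an unused port.
! GigabitEthernet0/1 is the promiscuous sensing interface, GigabitEthernet2/0 an
! otherwise unused port (both names assumed). Resets leave the unused port, so
! they never reach the monitored segment.
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/1
sensor(config-int-phy)# alt-tcp-reset-interface interface-name GigabitEthernet2/0
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]: yes

! --- Sensor side, option 2: an event action filter that removes the
! reset-tcp-connection action from every signature, leaving alerts/logging.
! The filter name "no-tcp-reset" is assumed; 900-65535 covers all signature IDs.
sensor(config)# service event-action-rules rules0
sensor(config-eve)# filters insert no-tcp-reset begin
sensor(config-eve-fil)# signature-id-range 900-65535
sensor(config-eve-fil)# actions-to-remove reset-tcp-connection
sensor(config-eve-fil)# filter-item-status Enabled
sensor(config-eve-fil)# exit
sensor(config-eve)# exit
Apply Changes:?[yes]: yes
```

After applying either option, a fired signature should show in the event store with reset-tcp-connection absent from its actions, while the SPAN destination port still carries untagged copies of the source traffic.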
12-01-2010 08:38 AM
So the port being used as a sensor doesn't need to be a trunk, correct?
12-01-2010 09:34 AM
Correct. The packets are not tagged with VLAN information when sent out of the SPAN port so the IDS does not need to be configured with any trunking/VLAN awareness information.
-JT