06-25-2005 04:06 AM - edited 03-10-2019 01:30 AM
I am currently testing the TCP reset on our sensor but was not successful. In Cisco documentation the TCP reset port of the IDS-4250-SX is its sniffing port. My IDS is connected to a switch port configured to span traffic; will the TCP reset be sent out on a SPAN destination port? Does anyone have an idea?
I have come across documentation on configuring SPAN which states that when you configure a port as a SPAN destination port, it can no longer receive any traffic. When you configure a port as a SPAN destination port, the port is dedicated for use only by the SPAN feature. A SPAN destination port does not forward any traffic except that required for the SPAN session. Please comment on this.
06-26-2005 09:40 PM
This is very dependent on the particular switch and the switch OS you are running.
Some Cisco switches require an additional parameter like (inpkts enable) to allow incoming packets (i.e. allow incoming TCP Resets).
Other Cisco switches with some IOS versions do not allow any incoming packets.
The best option is to always read through the switch documentation to see if there is a specific parameter you can add to the SPAN commands. But if there is no option then keep reading below.
With version 4.1, if the switch did not allow incoming packets then TCP Resets would just not work.
With version 5.0, however, we now offer an additional configuration parameter. It was intended specifically for doing TCP Resets when the switch does not allow incoming packets, or when monitoring using a TAP that won't allow incoming packets.
If the sensor has an additional unused sniffing interface (it cannot be the command and control interface) then that unused interface can be configured as the Alternate TCP Reset Interface.
Instead of sending the TCP Resets out the interface being monitored, the sensor will send the TCP Resets out of the alternate interface.
The alternate interface would need to be plugged into the same switch. If packets are being received without 802.1q headers by the sensor on the SPAN port, then the switch port for the alternate reset interface should be configured as an access port for the VLAN being monitored. If the packets are being received with 802.1q headers, then the sensor will know the VLAN information, and so the switch port for the reset interface should be configured as an 802.1q trunk port and configured to trunk all VLANs being monitored.
This link provides a little bit more information:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/cliguide/cliinter.htm#wp1032640
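Added configuration example (not part of the original answer, and not the poster's own configuration) showing both paths the answer describes: first, a SPAN session whose destination port is allowed to accept ingress traffic, so the sensor can send TCP Resets back out its sniffing interface; second, the fallback of an Alternate TCP Reset Interface on a second switch port, in the untagged (access port) and tagged (802.1q trunk) variants. The switch is assumed to be a Catalyst running IOS (with one CatOS line for the `inpkts enable` form mentioned above); VLAN 10, ports GigabitEthernet0/1 and GigabitEthernet0/2, and the sensor interface names GigabitEthernet0/1 (sniffing) and FastEthernet0/1 (alternate reset) are placeholders. The sensor commands follow the IPS 5.0 `service interface` CLI as I remember it; confirm the exact keywords against the CLI guide linked above and the SPAN syntax against your switch's own documentation, which is the first thing the answer advises.

```cisco
! ---- Option 1: SPAN destination that accepts ingress packets ----
! Catalyst IOS. "ingress vlan 10" lets frames the sensor transmits
! (the TCP Resets) enter the switch on VLAN 10. Without this keyword
! a SPAN destination port drops everything it receives.
monitor session 1 source vlan 10 both
monitor session 1 destination interface GigabitEthernet0/1 ingress vlan 10
!
! CatOS equivalent: the "inpkts enable" parameter named in the answer.
! (Port 3/1 is a placeholder.)
! set span 10 3/1 both inpkts enable
!
! ---- Option 2: Alternate TCP Reset Interface (sensor 5.0 or later) ----
! Used when the switch or a TAP will not accept packets on the monitored
! port. The SPAN destination stays receive-only:
monitor session 1 source vlan 10 both
monitor session 1 destination interface GigabitEthernet0/1
!
! 2a. Sensor sees UNTAGGED frames on the SPAN port: the reset port is an
!     access port in the monitored VLAN. Resets must come from a port in
!     the same VLAN as the connection they tear down.
interface GigabitEthernet0/2
 description IDS alternate TCP reset interface (untagged)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! 2b. Sensor sees 802.1q-TAGGED frames on the SPAN port: the sensor tags
!     each reset with the VLAN it learned, so the reset port is a dot1q
!     trunk carrying every monitored VLAN (10 and 20 as placeholders).
! interface GigabitEthernet0/2
!  description IDS alternate TCP reset interface (tagged)
!  switchport trunk encapsulation dot1q
!  switchport mode trunk
!  switchport trunk allowed vlan 10,20
!
! ---- Sensor side (IPS 5.0 CLI, keywords from memory; verify) ----
! The alternate interface must be a sniffing interface, never the
! command-and-control interface.
! sensor# configure terminal
! sensor(config)# service interface
! sensor(config-int)# physical-interfaces GigabitEthernet0/1
! sensor(config-int-phy)# alt-tcp-reset-interface interface-name FastEthernet0/1
! sensor(config-int-phy)# exit
! sensor(config-int)# exit
! Apply Changes:?[yes]: yes
```

To check which situation you are in, look at whether the sensor's alerts or packet captures on the sniffing interface carry VLAN IDs: tagged input means the trunk variant (2b), untagged input means the access variant (2a). A reset sent from a port in the wrong VLAN, or from an access port when the monitored traffic spans several VLANs, never reaches the endpoints and the reset action silently has no effect.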