
Reset TCP session in working with 2950

gchui
Level 1

Dear all,

When the sniffing interface is connected to the monitoring port on the 2950, the TCP reset feature doesn't work. Does anyone know what the problem is? Except for configuring the monitoring port on the 2950, is any other configuration needed to make the TCP reset work? Thanks

Gary

3 Replies

jbohla
Level 1

Gary,

Refer to 'Configuring TCP Reset Using IDS Director' at the URL:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a008009491d.shtml.

Also, take a look at Cisco Intrusion Detection System (Overview Q&A) at:

http://www.cisco.com/en/US/products/hw/vpndevc/ps976/products_qanda_item09186a00800887c2.shtml

marcabal
Cisco Employee

Some switches allow packets in on their span port. These work fine with TCP Reset.

Some switches do not allow packets in on their span port. These do not work with TCP Reset.

Some switches (like the Cat 6000) have a special "inpkts enable" command to allow packets in on their span port.

I don't know which category the 2950 fits into.

NOTE: In order for TCP Resets to work, the span port must also be in the same VLAN as the connection being reset, or else the reset gets sent to the wrong VLAN.

NOTE: Future versions of the sensor will allow you to monitor with a span port that is also a trunk port, so future versions can reset on each of the VLANs being spanned (assuming the switch allows in packets on the span port).

The 2950 will not support the inpkts option for your span port. You will not be able to use TCP Resets. This option is required in order to inject packets into the span port; otherwise it is just passive. You would need a higher-end switch to support this.

Derek Twaddle