01-13-2003 01:33 PM - edited 03-09-2019 01:39 AM
I know that a Cisco IDS can inject a TCP RST into a SPAN port in order to kill a connection.
My question is: Will this technique work only when you are SPANing switch ports, or will it also work when SPANing VLANs? I was told that this is not possible. Assume a 6000 series switch.
Regards, Jeff
01-17-2003 03:56 PM
Some switches allow you to send TCP Resets in through the Span port and some do not. So TCP Resets through the Span port are very switch dependent, and you should read your switch's documentation. (Not all Cisco switches act the same).
IF the switch allows TCP Resets in from the Span port then the Resets should work for both Port and Vlan Span sessions with a few caveats that you can read below.
IF the switch does not allow TCP Resets in from the Span port then TCP Resets will not work regardless of the type of Span session you have.
In a Port Span Session, the port(s) being spanned have to be in the same vlan that is configured for the span destination port for the TCP Resets to get to the proper vlan and work.
If you try to Port Span ports from different vlans, then the sensor will alarm OK, but the TCP Resets will only work on attacks that are seen on the same vlan that is assigned to the span destination port.
Vlan Spans have the same limitations. If you span from a single Vlan and that vlan is assigned to the span destination port, then the TCP Resets will get to the right vlan and should work.
If you span from multiple vlans then the TCP Resets will only work on the same vlan assigned to the span destination port.
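As an added illustration (not code from the thread or from Cisco), the rule above written as a small Python check: a constructed model of a SPAN session reports which monitored VLANs the sensor will alarm on and on which of those an injected RST actually reaches the flow. The dataclass fields and the `ingress_allowed` flag are assumptions of this model, not switch configuration syntax.

```python
from dataclasses import dataclass
from typing import Set, Tuple, List


@dataclass
class SpanSession:
    # Constructed model of a SPAN session (assumption: not real CatOS/IOS syntax).
    kind: str                  # "port" or "vlan" span session
    source_vlans: Set[int]     # VLANs of the spanned ports, or the spanned VLANs themselves
    destination_vlan: int      # VLAN assigned to the SPAN destination port (sensor side)
    ingress_allowed: bool      # switch accepts frames sent *into* the SPAN destination port


def reset_coverage(session: SpanSession) -> Tuple[Set[int], Set[int]]:
    """Return (alarm_vlans, reset_vlans).

    alarm_vlans: VLANs whose traffic the sensor sees, so it will alarm on them.
    reset_vlans: the subset on which a RST injected through the SPAN destination
                 port lands in the right VLAN and can actually tear down the flow.
    """
    alarm_vlans = set(session.source_vlans)
    # If the switch drops frames entering the SPAN destination port, no reset
    # works at all, regardless of port or VLAN span.
    if not session.ingress_allowed:
        return alarm_vlans, set()
    # Otherwise the RST only reaches the VLAN the destination port belongs to.
    reset_vlans = {v for v in alarm_vlans if v == session.destination_vlan}
    return alarm_vlans, reset_vlans


def blind_spots(session: SpanSession) -> List[int]:
    """VLANs where the sensor alarms but its TCP Reset cannot reach the attacker's flow."""
    alarm_vlans, reset_vlans = reset_coverage(session)
    return sorted(alarm_vlans - reset_vlans)


if __name__ == "__main__":
    # Port span of ports in VLANs 10 and 20, destination port in VLAN 10.
    mixed = SpanSession("port", {10, 20}, destination_vlan=10, ingress_allowed=True)
    print("alarm/reset:", reset_coverage(mixed), "blind:", blind_spots(mixed))
    # Same session on a switch that refuses ingress on the SPAN destination port.
    no_ingress = SpanSession("port", {10, 20}, destination_vlan=10, ingress_allowed=False)
    print("alarm/reset:", reset_coverage(no_ingress), "blind:", blind_spots(no_ingress))
```

Running it shows the caveat from the answer directly: with mixed-VLAN sources only VLAN 10 gets effective resets, and with no ingress support every alarmed VLAN is a blind spot.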
01-17-2003 01:01 PM
Most of the documents I could find speak only about SPANing switched ports
"The TCP resets are sent from the sniffing interface of the Sensor. If there is a switch connecting the Sensor interface to the outside interface of the managed router, when you configure using the set span command in the switch"
Hence I do not think VLAN spanning is supported.