10-03-2002 01:40 PM - edited 03-09-2019 12:33 AM
I tested my TCP reset function and it's not working. My 4230 is monitoring my internet connection using a span port on a 2924 switch.
I found this thread in my IDS-Focus forum; is the following statement true? If so, then what Cisco Switch series support this function?
"If you are spanning off of high-end Cisco switches, you can enable the 'inpkts' option on the span. This will allow for RST functionality."
Thanks
10-03-2002 11:34 PM
You do need the "inpkts" option for TCP RST functionality.
The "inpkts" option is supported on Catalyst 4000, 5000 and 6000.
For more information:
http://www.cisco.com/warp/public/473/41.html
Hope this helps,
-Nairi
10-17-2002 07:33 AM
When was this feature a requirement? The reason I ask is that we tested the TCP reset function on the 2924 SPAN port switch about a year ago and it worked at that time. Additionally, I performed this in a lab environment when I took the CSIDS 2.0 class from Global Knowledge. We also used low-end switches.
Also, in which version of the IDS engine did INPKTS become a requirement?
10-17-2002 10:30 AM
It is not an issue with the IDS code; it is an issue with the switch code.
Some switches always allow packets to come in on their SPAN ports. I would presume that the 2924 you mention is this type.
Some switches never allow packets to come in on their SPAN ports. I don't know of any specific Cisco models at the moment, but other users have mentioned one or two in the past.
Some switches (like the 6500) allow the user to configure whether packets should be allowed to come in the SPAN port. This switch configuration is "inpkts enable".
Other things to be aware of:
Most switches transmit packets out their SPAN ports as normal IP packets, just like other access ports on the switch. If the switch transmits these normal packets and allows incoming packets, then TCP Resets should work fine.
Recently, however, I've heard of switches that are encoding the IP packets inside of dot1q headers (normally used on trunk ports). The sensor code understands dot1q and can alarm properly (though the IDS-4210 and IDS-4230 models do need an Engineering driver for the larger dot1q packets that result).
However, there is a bug in the sensor code for TCP Resets. The sensor cannot TCP Reset a connection if it monitored the connection with dot1q packet headers.
This is a sensor issue and is being worked on by our development team for a future sensor version.
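A quick audit of whether a sensor's SPAN destination can carry resets back into the switch, as an added example that is not part of this thread. It parses CatOS "show span" output and flags active sessions whose "Incoming Packets" field is not "enabled"; the sample output below is constructed, and the field names are assumed from the Catalyst 5000/6000 CatOS format (verify against your own release).

```python
import re
from typing import Dict, List

# Constructed sample "show span" output with two sessions. Field layout is
# assumed from CatOS on Catalyst 5000/6000; check it against your switch.
SAMPLE_SHOW_SPAN = """\
Destination     : Port 3/1
Admin Source    : VLAN 10
Direction       : transmit/receive
Incoming Packets: disabled
Status          : active

Destination     : Port 3/2
Admin Source    : Port 2/5
Direction       : transmit/receive
Incoming Packets: enabled
Status          : active
"""


def parse_show_span(text: str) -> List[Dict[str, str]]:
    """Split blank-line-separated SPAN session blocks into key/value dicts."""
    sessions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # skip lines that are not "Key : value"
                fields[key.strip()] = value.strip()
        if fields:
            sessions.append(fields)
    return sessions


def sessions_blocking_resets(text: str) -> List[str]:
    """Return destination ports of active sessions that drop inbound packets.

    A sensor on such a port sees the mirrored traffic, but the TCP RSTs it
    sends never enter the switch, so the reset silently does nothing.
    """
    return [
        s["Destination"]
        for s in parse_show_span(text)
        if s.get("Status") == "active"
        and s.get("Incoming Packets", "").lower() != "enabled"
    ]


if __name__ == "__main__":
    for port in sessions_blocking_resets(SAMPLE_SHOW_SPAN):
        print(f"{port}: inpkts disabled, TCP resets from the sensor will be dropped")
```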
10-18-2002 07:35 PM
Do Cisco switches running only IOS need or provide inpkts?
I don't see an "inpkts" option on the IOS "monitor session" command on a 6509. This only appears to be supported with CatOS.
So, do SPAN destination ports on IOS-controlled switches allow inbound traffic? Is there a way to control it?
10-15-2002 01:24 PM
I know the Cat 4000s and 6500s support inpkts on a SPAN port.