L4 Traffic Monitor question

Colin Higgins
Level 2

In the IronPort web security appliance documentation, it indicates that the L4 traffic monitor ports (T1 and/or T2) should be connected to either a network tap or switch span.

I'm a little confused as to how this is supposed to be set up.

Does it mean that you take 2 ports on a switch, one on the same subnet/vlan as the P1 interface (data) on the IronPort, and the other that is on the subnet/vlan as the firewall (outbound Internet traffic) and create 2 monitor sessions (spans)? If so, where are these sessions pointed to?

Isn't the IronPort supposed to be doing the tapping/inspection?

The whole external tap thing has me confused.

Accepted Solution

Colin,

One way to think of it is that the WSA has 2 inspection engines that don't actually talk to one another...

     1. the web proxy, where you're using WCCP to send specific traffic to

     2. the L4TM engine that you send a spanned port to to catch all of the other weird stuff.

The web proxy does all of the user tracking/policy stuff, etc. Watching a specific set of ports.

The L4TM is intended for malware that might be running on your net... sort of like the Botnet Traffic filter that's available on ASA.

That said, you'll use 1 port for P1 on whatever vlan, redirection to that happens via WCCP or explicit proxy. 

For the L4TM tap you can use 1 or 2 ports on the switch, or none if you use an external tap.  In the Network/Interfaces page, you set whether you want L4TM to use simplex or Duplex.  If you use Duplex, just do a span session off the port the firewall is plugged into to the port that you connect T1 into...

If you use Simplex, you do 2 span sessions off of the port the firewall is connected to... ingress traffic on the port (eg. out of the firewall) to the port T1 is connected to, egress traffic on the port (eg. going to the firewall) spanned to the port T2 is hooked up to. 

If you use an external tap, put it inline between the firewall and the switch, set the WSA for duplex and connect the "monitor" port to T1...

Hope that helps!

Ken

Ken

The use of span sessions to direct traffic to T1/2 ports also confuses me slightly.

How does the WSA take any action against rogue traffic that it detects on these ports, as the traffic is just being spanned/copied to the WSA via the spanned ports, while the actual traffic flow continues to pass through the switch?

If I remember correctly, the proxy port (P1) issues a TCP reset to the client when the L4TM detects a rogue connection.

That supposition is based on the fact that the documentation says:

"If the L4 Traffic Monitor is configured to block, the L4 Traffic Monitor and the Web Proxy must be configured on the same network."

Ken

Ken, if I understand correctly as long as the proxy port (P1) or (M1) has layer 3 connectivity to the client device it will send a TCP reset on behalf of the L4TM engine for rogue inspected via the T1 port?

Also with span/monitor ports is it valid to send monitored traffic from two different source ports on the switch, (each in a different VLAN connected to different inside firewall ports) to a single destination port connected to the Ironport T1.

Yes, though it's not clear to me if P1 (or M1 if you're using that for proxy) and T1 have to be on the same Layer 2 network or not... (see my quoted section in my post of 10/11/12).  For sure they need to be on the same Layer 3 net...

It should work... the thing you have to watch out for is saturating the T1 port.  If your VLANs are busy, they could overwhelm the T1 port...

Yeah, I read the quote you posted and saw it in the manual, and its ambiguity about "being configured on the same network" left me wondering the same thing.... do they mean layer 2 and layer 3, and how would that work for multiple layer 2 networks?

Ken, thanks for your explanation, it helped me understand the function a little better.  This is my first time deploying a web filter of any kind.  Can you provide a configuration example of the monitor sessions for me?

The ASA & S170 are connected to our 3750 stack as follows, with the intention of running the L4 traffic monitor in simplex mode.

ASA > Fa2/0/1

S170 T1 > Fa2/0/43

S170 T2 > Fa2/0/44

I'm having a hard time with the config commands...

monitor session 1 source interface fa2/0/1

monitor session 1 destination interface fa2/0/43 ingress

Am I on the right path?  How do I bring fa2/0/44 into the config mix?

I'm not a Catalyst/IOS expert, but I think you want the following:

monitor session 1 source interface fa2/0/1 rx       <---data into the switch eg. from the firewall (rx is the IOS keyword for ingress)

monitor session 1 destination interface fa2/0/43

monitor session 2 source interface fa2/0/1 tx       <---data out of the switch eg. to the firewall (tx is the IOS keyword for egress)

monitor session 2 destination interface fa2/0/44
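Before cutting the monitor sessions over on a production stack it is worth checking that the SPAN configuration really delivers what the L4TM expects: in simplex mode, T1 must receive only the firewall port's ingress (rx) copy and T2 only its egress (tx) copy; in duplex mode, T1 must receive both directions of the firewall port in a single session. The script below is an added example written for this thread, not something from Cisco or the WSA documentation. It parses Catalyst-style `monitor session` lines (accepting the rx/tx/both keywords IOS uses as well as the ingress/egress wording used above), then compares the resulting copy topology against the intended simplex or duplex wiring and reports any mismatch. The sample configurations are constructed, the interface names are assumed to be written in the same abbreviated form as the ports you pass in, and the two extra checks (a port being the destination of more than one session, and the firewall port itself being used as a SPAN destination) rely on the fact that a Catalyst SPAN destination port does not carry normal switched traffic.

```python
import re

# Constructed sample configs for this example (not taken from a real switch).
SIMPLEX_CFG = """\
monitor session 1 source interface fa2/0/1 rx
monitor session 1 destination interface fa2/0/43
monitor session 2 source interface fa2/0/1 tx
monitor session 2 destination interface fa2/0/44
"""

DUPLEX_CFG = """\
monitor session 1 source interface fa2/0/1 both
monitor session 1 destination interface fa2/0/43
"""

# A single session with no direction keyword copies both directions to T1
# and leaves T2 with nothing: wrong for a simplex L4TM deployment.
FIRST_ATTEMPT_CFG = """\
monitor session 1 source interface fa2/0/1
monitor session 1 destination interface fa2/0/43 ingress
"""

MONITOR_RE = re.compile(
    r"^monitor session (\d+) (source|destination) interface (\S+)(.*)$", re.I)

# IOS keywords plus the ingress/egress wording used in the thread.
DIRECTIONS = {"rx": "rx", "tx": "tx", "both": "both",
              "ingress": "rx", "egress": "tx"}


def parse_monitor_sessions(config_text):
    """Return {session_id: {"sources": [(port, direction)], "destinations": [port]}}."""
    sessions = {}
    for raw in config_text.splitlines():
        m = MONITOR_RE.match(raw.strip())
        if not m:
            continue
        sid, role, intf, rest = m.groups()
        sess = sessions.setdefault(int(sid), {"sources": [], "destinations": []})
        intf = intf.lower()
        if role.lower() == "source":
            words = rest.split()
            # A source with no direction keyword copies both directions (IOS default).
            direction = DIRECTIONS.get(words[0].lower(), "both") if words else "both"
            sess["sources"].append((intf, direction))
        else:
            # Trailing keywords on a destination (e.g. "ingress ...") do not
            # change which traffic is copied to it, so they are ignored here.
            sess["destinations"].append(intf)
    return sessions


def check_l4tm_span(config_text, firewall_port, t1_port, t2_port=None):
    """Compare the SPAN layout with the intended L4TM wiring.

    t2_port=None means duplex mode (both directions to T1 in one session);
    otherwise simplex mode (rx to T1, tx to T2). Returns a list of findings;
    an empty list means the configuration matches the intended wiring.
    """
    fw, t1 = firewall_port.lower(), t1_port.lower()
    t2 = t2_port.lower() if t2_port else None
    sessions = parse_monitor_sessions(config_text)
    findings = []

    feeds = {}    # destination port -> set of (source port, direction) copied to it
    owners = {}   # destination port -> session ids that use it as a destination
    for sid, sess in sessions.items():
        for dest in sess["destinations"]:
            feeds.setdefault(dest, set()).update(sess["sources"])
            owners.setdefault(dest, []).append(sid)

    for dest, sids in owners.items():
        if len(sids) > 1:
            findings.append(f"{dest} is the destination of sessions {sids}; "
                            "a port can be the destination of only one session")
    if fw in feeds:
        findings.append(f"{fw} is a SPAN destination; a destination port does not "
                        "carry normal traffic, so the firewall link would be cut")

    if t2 is None:
        expected = {t1: {(fw, "both")}}
    else:
        expected = {t1: {(fw, "rx")}, t2: {(fw, "tx")}}
    for port, want in expected.items():
        got = feeds.get(port, set())
        if got != want:
            findings.append(f"{port} receives {sorted(got)}, expected {sorted(want)}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("simplex", SIMPLEX_CFG), ("first attempt", FIRST_ATTEMPT_CFG)):
        print(name, check_l4tm_span(cfg, "fa2/0/1", "fa2/0/43", "fa2/0/44") or "OK")
    print("duplex", check_l4tm_span(DUPLEX_CFG, "fa2/0/1", "fa2/0/43") or "OK")
```

Run it against the output of `show running-config | include monitor session` pasted into a file; a non-empty finding list tells you which T port is being fed the wrong direction, or nothing at all, before you discover it from an idle L4TM.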
