L4TM Question

Regarding the design, my understanding is that you can place the T1 & T2 interfaces in-line in the network. Is this true? I see comments on using SPAN ports for this, but the WSA obviously can't block non-port-80 and -443 traffic with SPAN ports. So, I would like to use the T1->T2 option if you can place the appliance in-line.

Cisco Employee

Re: L4TM Question

Hello,

This may help in further understanding the L4TM: http://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/117985-qanda-wsa-00.html

The L4TM monitors traffic, commonly via a SPAN (Switch Port Analyzer) port from a switch, also called port mirroring.

In Duplex mode, you only use T1, to monitor the incoming and outgoing traffic. So T1 is connected to a SPAN port that sees both incoming and outgoing traffic.

In Simplex mode, you use T1 for the outbound traffic, and T2 for the inbound traffic. So SPAN the outgoing VLAN to a port connected to T1, and SPAN the incoming VLAN to a port connected to T2.

Q: What is the difference between L4TM Simplex and Duplex modes?
A: There are two modes that the L4TM interfaces can be configured to use: Simplex and Duplex. This can be configured in GUI -> "Network" -> "Interfaces" -> "L4 Traffic Monitor Wiring".

Duplex mode:
In this mode, both directions of traffic are spanned to a single L4TM interface (T1/T2).

Simplex mode:
In this mode, client traffic out is sent to T1 and return traffic to the client is sent to T2.

I hope this clarifies the L4TM interfaces usage.


Regards,

Eric

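As an added illustration, not from the original post or from Cisco's documentation, here is how the two wirings Eric describes map onto Catalyst IOS SPAN sessions. VLAN 10, the interface names and the session numbers are constructed placeholders, and the rx/tx direction mapping assumes the client VLAN is the SPAN source (rx = frames the switch receives from clients, tx = frames it sends to them).

```text
! --- Alternative A: Duplex mode (single T1 interface) ---
! One session carries both directions to the port cabled to T1.
! VLAN 10 = client VLAN, Gi1/0/23 = port cabled to T1 (constructed values)
monitor session 1 source vlan 10 both
monitor session 1 destination interface GigabitEthernet1/0/23

! --- Alternative B: Simplex mode (T1 = outbound, T2 = inbound) ---
! Client -> Internet traffic (received from clients on VLAN 10) goes to T1
monitor session 1 source vlan 10 rx
monitor session 1 destination interface GigabitEthernet1/0/23
! Internet -> client traffic (transmitted to clients on VLAN 10) goes to T2
monitor session 2 source vlan 10 tx
monitor session 2 destination interface GigabitEthernet1/0/24

! If the appliance is expected to inject packets back through a SPAN
! destination port (the "ingress forwarding" a later post in this thread
! mentions), the destination needs the ingress keyword; untagged ingress
! frames are placed in VLAN 10 here (constructed value):
monitor session 1 destination interface GigabitEthernet1/0/23 ingress untagged vlan 10

! Check what the switch is actually mirroring
show monitor session all
```

Alternatives A and B are mutually exclusive for session 1; configure only the one matching the wiring mode selected on the WSA. Per Eric's later reply in this thread, the block action itself leaves via the configured proxy port (M1/Px), so that port must also sit in the monitored path.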
Enthusiast

Re: L4TM Question

Eric, thanks so much for the information; the link provided the knowledge I was looking for. I do have an additional question though. I am deploying the WSA using WCCP on the ASA. The configuration guide states that the L4TM should be placed after the proxy ports and before NAT (see below). Do you have any suggestions? I do have a 3750 stack downstream of the ASA, but I would need to upgrade the images on the stack to do WCCP. Is there some sort of in-line method to use?

"It is important that the L4 Traffic Monitor be 'logically' connected after the proxy ports and before any device that performs network address translation (NAT) on client IP addresses."

Cisco Employee

Re: L4TM Question

The idea with L4TM is to be able to take action on the traffic, such as a reset.

So you have to make sure that the device can view the traffic source/destination, as it also performs the reset action based on the source, destination and traffic it sees. Otherwise, it can possibly monitor the traffic and see issues with it, but not take the expected action if it is not connected to the network properly. The WSA may act to reset the traffic, but the traffic may not get the reset.

I hope this answers your query.

Beginner

Re: L4TM Question

Hi,

My problem is that I can see the source and destination in the L4TM reports and logs, and it is shown as blocked, but it is not blocked.

I use the switch SPAN port, and configured the destination port as ingress forwarding to enable the TCP reset, but it is not blocked.

I use different management and proxy ports on the WSA, and use T1 as a full-duplex port for L4TM.

Any idea, PLEASE?

Cisco Employee

Re: L4TM Question

Hello,

Though the T interfaces are used to monitor, the blocking is done by sending the traffic (reset, or ICMP unreachable) via the configured proxy port. So the proxy port (either M1 or Px) needs to also be in the same path as where you are configured for the monitor, and the traffic will use the routing table.

You can check by packet capture to see that when the L4TM report of a block is produced for the T interface, you see the traffic on the configured proxy port.

Regards,

Eric
