L4TM Question

allensurface, Level 4

Regarding the design, my understanding is that you can place the T1 & T2 interfaces in-line in the network. Is this true? I see comments on using SPAN ports for this, but the WSA obviously can't block non port 80 and 443 traffic with SPAN ports. So, I would like to use the T1->T2 option if you can place the appliance in-line.

Accepted Solution

edadios, Cisco Employee

Hello,

This may help in further understanding the L4TM: http://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/117985-qanda-wsa-00.html

The L4TM monitors traffic, commonly via a SPAN (Switched Port Analyzer) port from a switch, also called port mirroring.

In Duplex mode, you only use T1 to monitor the incoming and outgoing traffic. So T1 is connected to a SPAN port that sees both incoming and outgoing traffic.

In Simplex mode, you use T1 for the outbound traffic and T2 for the inbound traffic. So SPAN the outgoing VLAN to a port connected to T1, and SPAN the incoming VLAN to a port connected to T2.

Q: What is the difference between L4TM Simplex and Duplex modes?
A: There are two modes that the L4TM interfaces can be configured to use: Simplex and Duplex. This can be configured in GUI -> "Network" -> "Interfaces" -> "L4 Traffic Monitor Wiring".

Duplex mode:
In this mode, both directions of traffic are spanned to a single L4TM interface (T1/T2).

Simplex mode:
In this mode, client traffic out is sent to T1 and return traffic to the client is sent to T2.

I hope this clarifies the L4TM interface usage.

Regards,

Eric


5 Replies


Eric, thanks so much for the information; the link provided the knowledge I was looking for. I do have an additional question though. I am deploying the WSA using WCCP on the ASA. The configuration guide states that the L4TM should be placed ahead of the monitor ports and before NAT (see below). Do you have any suggestions? I do have a 3750 stack downstream of the ASA, but I would need to upgrade the images on the stack to do WCCP. Is there some sort of in-line method to use?

"It is important that the L4 Traffic Monitor be 'logically' connected after the proxy ports and before any device that performs network address translation (NAT) on client IP addresses."

The idea with L4TM is to be able to take action on the traffic, like a reset.

So you have to make sure that the device can view the traffic source/destination, as it also does the reset action based on the source, destination and traffic it sees. Otherwise, it can possibly monitor the traffic and see issues with it, but not do the expected action if it is not connected to the network properly. The WSA may act to reset the traffic, but the traffic may not get the reset.

I hope this answers your query.

Hi,

My problem is I can see the source and destination in the L4TM reports and logs; it is shown as blocked, but it is not blocked.

I use the switch SPAN port, and configure the destination port as ingress forwarding to enable the TCP reset, but it is not blocked.

I use different management and proxy ports on the WSA, and use T1 as a full duplex port for L4TM.

Any idea, PLEASE?

Hello,

Though the T interfaces are used to monitor, the blocking is done by sending the traffic (reset, or ICMP unreachable) via the configured proxy port. So the proxy port (either M1 or Px) needs to also be in the same path as where you are configured for the monitor, and the traffic will use the routing table.

You can check by packet capture that, when the L4TM report shows a block for the T interface, you see the traffic on the configured proxy port.

Regards,

Eric
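One way to do the capture check Eric describes, for either wiring mode, as an added example that is not from this thread or from Cisco: it reads a classic libpcap file taken at the configured proxy port and lists every TCP RST exchanged between the client and destination shown in the L4TM block report, in either direction, so a "blocked" report with no matching RST on the proxy path points at the wiring or routing problem discussed above. The sample capture is constructed inline; the addresses and ports are made up, and which direction(s) the WSA resets is an assumption here, not something the thread states.

```python
import struct

def iter_pcap_frames(data):
    """Yield raw link-layer frames from a classic libpcap file (not pcapng)."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"  # other magic read LE means big-endian file
    link_type = struct.unpack(endian + "I", data[20:24])[0]
    assert link_type == 1, "expected an Ethernet (DLT_EN10MB) capture"
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_resets_for_flow(frames, client_ip, dest_ip):
    """Return (src, dst, sport, dport) for each TCP RST between the two hosts, either direction."""
    pair, hits = {client_ip, dest_ip}, []
    for f in frames:
        if len(f) < 54 or f[12:14] != b"\x08\x00":
            continue  # too short, or not IPv4 over Ethernet
        ip = f[14:]
        ihl = (ip[0] & 0x0F) * 4
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        if ip[9] != 6 or {src, dst} != pair:
            continue  # not TCP, or not the flow from the block report
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        if tcp[13] & 0x04:  # RST flag
            hits.append((src, dst, sport, dport))
    return hits

# --- constructed sample capture for demonstration; not real WSA traffic ---
def _frame(src_ip, dst_ip, sport, dport, flags):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp  # zeroed MACs + EtherType IPv4

def _pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = _pcap([
    _frame("10.1.1.50", "203.0.113.9", 51000, 6667, 0x02),  # client SYN on a non-proxy port
    _frame("203.0.113.9", "10.1.1.50", 6667, 51000, 0x04),  # RST toward the client
    _frame("10.1.1.50", "203.0.113.9", 51000, 6667, 0x04),  # RST toward the server
    _frame("10.1.1.51", "198.51.100.7", 51001, 443, 0x04),  # unrelated RST, must be ignored
])
```

Run `tcp_resets_for_flow(iter_pcap_frames(open("proxy_port.pcap", "rb").read()), client, dest)` against a real capture; an empty list for a flow the L4TM report lists as blocked means the reset never reached the proxy-port path.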
