Only some of the traffic passing through inline vlan pair

Here is my network setup:
   firewall <----> (g1/2) Core switch 6500 with IDSM (TG9/1) <-----> (TG9/1) Distrib switch with FWSM --------- Access switch
Configuration in core switch:
interface GigabitEthernet1/2.11
 description **** ****
 encapsulation dot1Q 211
 ip vrf forwarding VRF11
 ip address 10.2.11.73 255.255.255.248
 ip ospf network point-to-point
 standby 1 ip 10.2.11.75
 standby 1 priority 110
 standby 1 preempt
interface GigabitEthernet1/2.37
 description **** ****
 encapsulation dot1Q 237
 ip vrf forwarding VRF37
 ip address 10.2.37.73 255.255.255.248
 ip ospf network point-to-point
 standby 1 ip 10.2.37.75
 standby 1 priority 110
 standby 1 preempt
interface TenGigabitEthernet9/1.11
 description ****   ****
 encapsulation dot1Q 311
 ip vrf forwarding VRF11
 ip address 10.2.11.2 255.255.255.252
 ip ospf network point-to-point
interface TenGigabitEthernet9/1.12
 description ****   ****
 encapsulation dot1Q 312
 ip vrf forwarding VRF12
 ip address 10.2.12.2 255.255.255.252
 ip ospf network point-to-point
Configuration in distribution switch:
interface TenGigabitEthernet9/1.11
 description ****  ****
 encapsulation dot1Q 311
 ip vrf forwarding VRF11
 ip address 10.2.11.1 255.255.255.252
 no ip route-cache
 ip ospf network point-to-point
interface TenGigabitEthernet9/1.37
 description ********
 encapsulation dot1Q 337
 ip vrf forwarding VRF37
 ip address 10.2.37.1 255.255.255.252
 no ip route-cache
 ip ospf network point-to-point
I have segregated the network like this. I am using an inline VLAN pair to pass all the traffic through the IDSM module, and I am using the monitoring port gi0/8.
Config in core switch:
intrusion-detection module 8 data-port 2 trunk allowed-vlan 211-260,311-360
IDSM:
physical-interfaces GigabitEthernet0/8
 subinterface-type inline-vlan-pair
 subinterface 11
  description
  vlan1 211
  vlan2 311
  exit
 subinterface 37
  description
  vlan1 237
  vlan2 337
  exit
The problem I am facing is that some of the VLAN-pair traffic is passing through the IDSM and some is not. Here I have given the statistics:
MAC statistics from interface GigabitEthernet0/8
   Statistics From Subinterface 11
      Statistics From Vlan 211
         Total Packets Received On This Vlan = 0
         Total Bytes Received On This Vlan = 0
         Total Packets Transmitted On This Vlan = 0
         Total Bytes Transmitted On This Vlan = 0
      Statistics From Vlan 311
         Total Packets Received On This Vlan = 0
         Total Bytes Received On This Vlan = 0
         Total Packets Transmitted On This Vlan = 0
         Total Bytes Transmitted On This Vlan = 0
   Statistics From Subinterface 37
      Statistics From Vlan 237
         Total Packets Received On This Vlan = 3189658726
         Total Bytes Received On This Vlan = 64165872092928
         Total Packets Transmitted On This Vlan = 3549575166
         Total Bytes Transmitted On This Vlan = 64165872092928
      Statistics From Vlan 337
         Total Packets Received On This Vlan = 3549575166
         Total Bytes Received On This Vlan = 64165872092928
         Total Packets Transmitted On This Vlan = 3189658726
         Total Bytes Transmitted On This Vlan = 64165872092928
   Statistics From Subinterface 38
      Statistics From Vlan 238
         Total Packets Received On This Vlan = 2215151150
         Total Bytes Received On This Vlan = 64165872092928
         Total Packets Transmitted On This Vlan = 126546964
         Total Bytes Transmitted On This Vlan = 64165866995200
      Statistics From Vlan 338
         Total Packets Received On This Vlan = 126546964
         Total Bytes Received On This Vlan = 64165866995200
         Total Packets Transmitted On This Vlan = 2215151150
         Total Bytes Transmitted On This Vlan = 64165872092928
Give me ideas, experts, so that I can resolve this issue.
Help me; thanks in advance.

I believe the issue is because of the config below:
interface GigabitEthernet1/2.11
 description **** ****
 encapsulation dot1Q 211
 ip vrf forwarding VRF11
 ip address 10.2.11.73 255.255.255.248
 ip ospf network point-to-point
 standby 1 ip 10.2.11.75
 standby 1 priority 110
 standby 1 preempt
interface TenGigabitEthernet9/1.11
 description ****   ****
 encapsulation dot1Q 311
 ip vrf forwarding VRF11
 ip address 10.2.11.2 255.255.255.252
 ip ospf network point-to-point
interface TenGigabitEthernet9/1.12
 description ****   ****
 encapsulation dot1Q 312
 ip vrf forwarding VRF12
 ip address 10.2.12.2 255.255.255.252
 ip ospf network point-to-point
As you can see, we have 2 IP subnets in VRF 11: .73 and .2 in VLAN 211 and 311 respectively.
The switch is doing inter-VLAN routing directly without having to go through the IDSM for VRF 11.
What we need to remember is that the IDSM does not do routing; it can only bridge VLANs.
Hence we have to force the packet to go through the IDSM.
Here is what we do when we use the IDSM to see traffic going between VLANs:
Normally, with VLANs and IDSM inline mode, we have one IP subnet and 2 VLANs.
IDSM2 in inline mode necessitates an additional artificial VLAN on the SAME subnet as the VLAN you wish to sense.
A Layer 3 switch interface needs to be configured within this additional artificial VLAN.
In a nutshell, we need to create 2 VLANs that share one IP subnet and put an SVI on only one of the VLANs.
In your case you will need one IP between VLANs 211 & 311 in VRF 11 to force the data to go through the IDSM.
I can understand if this is a bit tricky to understand.
Please go through my design document for IDSM inline mode, which explains the basic concepts and packet walk in detail.
It will explain why we need the above and how ARP makes the MAC address table populate the correct entries (with one IP subnet for 2 VLANs) so that traffic goes through the IDSM.
https://supportforums.cisco.com/docs/DOC-12206
- Sid
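As an added example (not code from this thread or from Cisco), the following Python audit checks the bypass condition Sid describes: it parses the core-switch subinterfaces quoted above and flags any inline pair where a single VRF has a routed interface on both VLANs, because the switch then routes between them and the IDSM bridge never sees the flow. The "fixed" fragment with artificial VLAN 411 is an assumption constructed to show the recommended shape, not part of the thread.

```python
import re
from collections import defaultdict

# Core-switch lines quoted from the question: routed dot1Q subinterfaces in
# VRF11/VRF37 plus the IDSM data-port trunk (description/OSPF/HSRP lines omitted).
CORE_CONFIG = """
interface GigabitEthernet1/2.11
 encapsulation dot1Q 211
 ip vrf forwarding VRF11
 ip address 10.2.11.73 255.255.255.248
interface GigabitEthernet1/2.37
 encapsulation dot1Q 237
 ip vrf forwarding VRF37
 ip address 10.2.37.73 255.255.255.248
interface TenGigabitEthernet9/1.11
 encapsulation dot1Q 311
 ip vrf forwarding VRF11
 ip address 10.2.11.2 255.255.255.252
intrusion-detection module 8 data-port 2 trunk allowed-vlan 211-260,311-360
"""
# Inline VLAN pairs from the IDSM configuration in the question.
INLINE_PAIRS = {11: (211, 311), 37: (237, 337)}

# Constructed fragment (an assumption, not from the thread) in the shape the answer
# recommends: vlan 311 keeps its routed interface, artificial vlan 411 shares the
# subnet and has no Layer 3 interface on this switch; the IDSM bridges 311 <-> 411.
FIXED_CONFIG = """
interface TenGigabitEthernet9/1.11
 encapsulation dot1Q 311
 ip vrf forwarding VRF11
 ip address 10.2.11.2 255.255.255.252
intrusion-detection module 8 data-port 2 trunk allowed-vlan 311,411
"""
FIXED_PAIRS = {11: (311, 411)}


def parse_l3_interfaces(config):
    """Map VLAN id -> [(interface, vrf, 'addr/mask')] for routed dot1Q subinterfaces."""
    records, cur = [], {}  # cur is a throwaway dict until the first 'interface' line
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "interface":
            cur = {"name": w[1]}
            records.append(cur)
        elif w[:2] == ["encapsulation", "dot1Q"]:
            cur["vlan"] = int(w[2])
        elif w[:3] == ["ip", "vrf", "forwarding"]:
            cur["vrf"] = w[3]
        elif w[:2] == ["ip", "address"] and len(w) >= 4:
            cur.setdefault("ip", f"{w[2]}/{w[3]}")  # first address wins; 'no ip address' never matches
    by_vlan = defaultdict(list)
    for r in records:
        if "vlan" in r and "ip" in r:  # a subinterface without an IP cannot route
            by_vlan[r["vlan"]].append((r["name"], r.get("vrf", "global"), r["ip"]))
    return by_vlan


def parse_allowed_vlans(config):
    """Expand the IDSM data-port 'trunk allowed-vlan' list, e.g. 211-260,311-360."""
    m = re.search(r"intrusion-detection module \d+ data-port \d+ trunk allowed-vlan (\S+)", config)
    allowed = set()
    if m:
        for part in m.group(1).split(","):
            lo, _, hi = part.partition("-")
            allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed


def audit_pairs(config, pairs):
    """Return {subinterface: (status, detail)} per inline VLAN pair.
    BYPASSED: one VRF has a routed interface on BOTH VLANs, so the switch routes
    between them itself and the IDSM bridge never sees the flow.  NOT_TRUNKED: a
    VLAN is missing from the IDSM data-port trunk.  OK: neither problem here."""
    l3 = parse_l3_interfaces(config)
    allowed = parse_allowed_vlans(config)
    results = {}
    for subif, (v1, v2) in pairs.items():
        missing = [v for v in (v1, v2) if allowed and v not in allowed]
        if missing:
            results[subif] = ("NOT_TRUNKED", f"vlan(s) {missing} not in allowed-vlan list")
            continue
        vrfs1 = {vrf: ip for _, vrf, ip in l3.get(v1, [])}
        vrfs2 = {vrf: ip for _, vrf, ip in l3.get(v2, [])}
        shared = sorted(set(vrfs1) & set(vrfs2))
        if shared:
            vrf = shared[0]
            results[subif] = ("BYPASSED", f"{vrf} routes vlan {v1} ({vrfs1[vrf]}) "
                                          f"<-> vlan {v2} ({vrfs2[vrf]}) without bridging")
        else:
            results[subif] = ("OK", f"no VRF has routed interfaces on both vlan {v1} and {v2}")
    return results
```

Running audit_pairs(CORE_CONFIG, INLINE_PAIRS) reports subinterface 11 as BYPASSED (VRF11 routes 211 <-> 311) and subinterface 37 as OK, which matches the zero counters on pair 11 and the live counters on pair 37 in the question.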

Similar Messages

  • Black box able to log traffic passing through...

    Hi
    I'm looking for a box able to sniff the TCP/IP traffic (source IP address, destination IP address and ports) passing from its ingress interface to the egress interface and vice versa (the bypass option would be useful if this box fails) without any change to the traffic passing through, just logging it and sending this log to a syslog server.
    We need it as a solution to be compliant with the new police law against computer criminals, where it is written that all the internet traffic has to be logged (we sometimes offer transparent internet access to our customers where we do not put any kind of equipment such as a firewall, proxy or something else, only the router providing the internet access).
    Do you know if Cisco provides something like that? Other vendors?
    Any other idea how to be compliant with this request ?
    Thanks
    Pls advise
    Ric

    Cisco Intrusion Prevention System Sensor can be used to log IP traffic. You can manually configure the sensor to capture all IP traffic associated with a host you specify by IP address. You can specify how long you want the IP traffic to be logged, how many packets you want logged, and how many bytes you want logged. The sensor stops logging IP traffic at the first parameter you specify. You can also have the sensor log IP packets every time a particular signature is fired. You can specify how long you want the sensor to log IP traffic and how many packets and bytes you want logged.

  • Help with inline VLAN Pair and switch configuration

    Hello,
    I'm new to IPS and IDS in general, but I have an IPS-4255 and a couple of Catalyst 2900 switches to experiment with. I'm currently trying to enable an Inline VLAN Pair configuration on the IPS and have a simple setup.
    SW1 and SW2 have vlans 100 and 200 configured. PC1 and PC2 are on the same IP range (no routing). PC1 on vlan 100 connects to Sw1. PC2 on vlan 200 connects to SW2. The IPS connects to a SW2 trunking port, and SW1 and SW2 are connected together on another trunking port.
    I know that my trunking is working because PC1 and PC2 can ping each other whenever they are on the same vlan of either switch. But, they can't ping when on the separate vlans.
    From what I've read, the IPS with an Inline VLAN Pair acts as a bridge between the two vlans and should forward the traffic if it passes inspection. However, the IPS does not appear to see any traffic at all.
    My IPS is configured with inline VLAN pair 100->200 and associated to vs0.
    Have I missed something in my config somewhere? Or am I misunderstanding how inline VLAN Pairs are supposed to work?
    Below are my configs for the switches and the IPS.
    Any help would be appreciated. Thank you!
    IPS Config
    service interface
    physical-interfaces GigabitEthernet0/0
    no description
    admin-state enabled
    duplex auto
    speed auto
    alt-tcp-reset-interface interface-name GigabitEthernet0/3
    subinterface-type inline-vlan-pair
    subinterface 1
    description test
    vlan1 100
    vlan2 200
    exit
    exit
    service analysis-engine
    virtual-sensor vs0
    physical-interface GigabitEthernet0/0 subinterface-number 1
    inline-TCP-session-tracking-mode vlan-only
    exit
    exit
    SW1 and SW2 config
    interface FastEthernet0/1
    switchport access vlan 100
    interface FastEthernet0/9
    switchport access vlan 200
    interface FastEthernet0/18
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface FastEthernet0/24 (Sw 2 only)
    description IPS port
    switchport trunk encapsulation dot1q
    switchport mode trunk

    It has been a while since I've dealt with a 2900 switch so I am just trying to guess at what may be wrong with your setup.
    I noticed that neither of your trunk port configurations is specifically stating which vlans are allowed on the trunks.
    It is possible that for the trunk between the 2 switches there may be some protocol negotiation so the switches can determine which vlans to trunk, BUT no such negotiation will happen with the sensor. If I remember right you will need to specifically state which vlans the trunk to the sensor should carry. If I remember right the command would be something like:
    switchport trunk allowed vlan 100,200
    You will want to find the show command on your switch that will show you which vlans are actually being trunked by the port. It might be something like "show switchport trunk"
    And you will want to verify that the switch is actually trunking vlans 100 and 200 to your sensor.
    On your sensor you will want to execute "show interfaces" and look at the statistics for Gig0/0 to see if it is receiving packets on vlan 100 and 200.
    You can also run "packet display GigabitEthernet0/0" to see if any packets are making it to your sensor.
    You will also want to check Link status and make sure your sensor is linking up properly with your switch. A common mistake is to connect the wrong ports, as some sensors do not have the port numbers clearly marked.
    NOTE: If the above doesn't help, then take the additional step of eliminating the second switch. Attach both pcs to the same SW2 switch (1 in each vlan). The second switch isn't necessary to test the inline vlan pair functionality. Connecting both PCs to the same switch will help eliminate any possibility of misconfiguration between the 2 switches.

  • Does user traffic pass through Controller and Aironet 1030?

    Hi All,
    I want to beat out some questions that I cannot find exact guidelines for in Cisco. I intend to implement 2 Airespace 2000 controllers and some 1010s and one 1030 at my main office and branch office. At present, there is a 512kbps WAN link between these two offices. So I don't want to let the traffic within the branch office pass through the WAN link. Therefore, I intend to use the solution that 1 controller stays in the main office to serve the 1010s in the main office and 1 controller stays in the remote office to serve the 1010s in the remote office. But the remote site only needs 1 AP, thus I would like to use one 1030 to stay in the branch office and 2 controllers to stay in the main office to perform controller redundancy. I would like to know: does the clients' traffic pass through the link between the 1030 and the controller the same as with the 1010? I am very confused whether the 1030 has this feature because I found some blurry instructions for the 1030 in Cisco.
    Further, if I place one of the controller in remote office, how can I control the APs in remote office to choose the local controller instead of the controller in main office using Layer 3 discovery method? Does any know? Thanks!
    Jason,
    best regards,

    Hi Jason,
    Hopefully this info will clear this up for you;
    Q. Can I install an access point (AP) at a remote office and install a Cisco WLC at my headquarters? Does the Lightweight AP Protocol (LWAPP) work over a WAN?
    A. Yes, you can have the WLCs across the WAN from the APs. LWAPP works over a WAN. Use Remote Edge AP (REAP) mode. REAP allows the control of an AP by a remote controller that is connected via a WAN link. Traffic is bridged onto the LAN link locally, which avoids the need to unnecessarily send local traffic over the WAN link. This is precisely one of the greatest advantages of having WLCs in your wireless network.
    Note: Not all lightweight APs support REAP. For example, the 1030 AP supports REAP, but the 1010 and 1020 AP do not support REAP. Before you plan to implement REAP, check to determine if the APs support it. Cisco IOS Software APs that have been converted to LWAPP do not support REAP.
    Q. I want to set up the Cisco 1030 Lightweight Access Point (AP) with a Cisco WLC in Remote Edge AP (REAP) mode. In this mode, is all wireless traffic tunneled back to the WLC? Additionally, if the AP cannot contact the WLC, what happens to the wireless clients?
    A. The 1030 AP tunnels all WLC traffic (control and management traffic) to the WLC via Lightweight AP Protocol (LWAPP). All data traffic stays local to the AP. The 1030 REAP can only reside on a single subnet because it cannot perform IEEE 802.1Q VLAN tagging. As such, traffic on each service set identifier (SSID) terminates on the same subnet on the wired network. So, while wireless traffic may be segmented over the air between SSIDs, user traffic is not separated on the wired side. Access to local network resources is maintained throughout WAN outages.
    At times of WAN link outage, all WLANs except the first are decommissioned. Therefore, use WLAN 1 as the primary WLAN and plan security policies accordingly. Cisco recommends that you use a local authentication/encryption method, such as the Wi-Fi Protected Access (WPA) Pre-Shared Key (WPA-PSK), on this first WLAN.
    Note: Wired Equivalent Privacy (WEP) suffices, but this method is not recommended because of known security vulnerabilities.
    If you use WPA-PSK (or WEP), properly configured users are still able to gain access to local network resources even when the WAN link is down.
    From this doc;
    http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a008064a991.shtml
    Hope this helps!
    Rob
    Please remember to rate helpful posts.....

  • I downloaded iOS 6 for my iPad 2 and some of the upgrades went through but not all. It sounds like I need to reinstall iOS 6. How do you do that? Every time I try to upgrade it says I'm already updated

    I downloaded iOS 6 for my iPad 2 and some of the upgrades went through but not all. It sounds like I need to reinstall iOS 6. How do you do that? Every time I try to upgrade it says I'm already updated

    If you mean Siri then that is only on the iPad 3, it is not on the iPad 2 in iOS 6 (possibly because the iPad 2 doesn't have the Audience chip which the iPad 3 does). If there are other things that you think are missing (YouTube has been removed, and Passbooks is iPhone and iPod Touch only) ?

  • I recently upgraded from an 80 to 160GB Classic but only some of the artwork in iTunes is synching. There was no problem with the old 80Gb classic. any suggestions?

    I recently upgraded from an 80 to 160GB Classic but only some of the artwork in iTunes is synching. There was no problem with the old 80Gb classic. any suggestions?

    Here is an interesting thing: take the iPhone and set lock screen to never. Now make an email with Siri--be sure to activate her with the call button. Get to the body and get some text in there. Then just stop talking. LOCK SCREEN APPEARS!!!!!! And of course your draft is gone.
    There does seem to be a workaround for some--maybe all--of these issues. Don't use the call button--use the buttons on the phone.
    Siri seems to behave properly with the scenario above---sans call button. She does not go to lock.

  • My iPhone does not alert every time I receive a text message, only some of the time.  Anyone else have this problem?

    My iPhone 4S does not alert every single time I receive a text message, only some of the time.  The software is all up to date.  Anyone else have this problem?

    There are a number of different alerts that can be played on the iPhone. Have you turned the mute switch on? That is located on the side of the phone. When it is in the down/on position (the orange is showing) you should not get any sound alerts. Also, it could be an SMS, a voicemail, an email, a 3rd party alert (if you have particular apps that provide alerts). You would need to check all of those settings, but with the mute switch on you should not get any sound alerts.

  • TS3989 Only some of the photos I have taken on my iPhone appear in the photo stream on my iPad even though they were taken at the same time. Why is this and how can I import the other photos from my iPhone to my iPad?

    Only some of the photos I have taken on my iPhone appear in the photo stream on my iPad even though they were taken at the same time. Why is this and how can I import the other photos from my iPhone to my iPad?

    If older photos are missing it may be because photo stream photos are only held in iCloud for 30 days.  After that they are removed from iCloud but will remain (up to 1000 photos) on your device until deleted.  Also, only photos taken after enabling photo stream are added to your photo stream, and only when the camera is closed, your device is connected to wifi and you have at least 20% battery life remaining.
    To transfer the missing photos you can either create a shared photo stream containing them and invite yourself to it (see http://help.apple.com/icloud/#mmc0cd7e99), import the photos to your computer and sync them to your iPad, or use an app like PhotoSync to transfer them to your iPad over wifi.

  • Only some of the music in my library will synch to my ipad

    I have ripped a number of CDs to my PC music library, but when I try to sync this music to my iPad only some of the music appears.  Ideas?

    First check what format the music was ripped in; I think that the iDevices only support AAC, so you may have to right click and convert.
    Also check and see if you have "sync entire library" or "sync selected library" under the device settings when the iPad is connected to iTunes, and then make sure the right checkboxes are selected.
    Please ask if you are unsure about what I mean for any of this. Good luck.

  • Q-10 Calendar not syncing with Outlook, only some of the appointments show up?

    Anyone know why when I sync my phone with my computer, only some of the appointments from outlook show up on my phone?  this just started happening about a week ago?  Did I turn something off?  any help would be appreciated.
    Tony 

    I do not know why but from what you said it started a week ago so I assume it was working before that.
    Can you remember installing any new apps or updates on your computer or phone around that time.

  • I have created a journal on my iPad 2 and shared it on iCloud, it contains screenshots of webpages, but when i try to view the journal on my desktop only some of the images appear...any ideas?

    I have created a journal on my iPad 2 and shared it on iCloud, it contains screenshots of webpages. But when I try to view the journal on my desktop only some of the images appear...any ideas why this is happening?

    Hi there Paula120,
    You may find the troubleshooting steps in the article below helpful.
    iOS: Device not recognized in iTunes for Windows
    http://support.apple.com/kb/ts1538
    -Griff W. 

  • I just downloaded iCloud on my Mac, however, only some of the songs I bought on my iPhone synced to my Mac? Any help?

    I just downloaded updated my systems on my Mac, however, only some of the songs I bought on my iPhone synced to my Mac? Any help?

    only some of the songs I bought on my iPhone synced to my Mac?
    On the iPhone tap Settings > Store
    Make sure Music is switched on under Automatic Downloads.

  • Filter Traffic using ISDM-2 Inline Mode and Inline VLAN Pairs

    Hi Everyone,
    I have a new ISDM-2 Module (Version 6.0(1)E1) and I'm thinking of using Inline VLAN Pairs to bridge two vlans, in my case vlan 100 and vlan 101. Vlan 100 is the vlan used by the MSFC and Vlan 101 is the vlan used by the outside of my FWSM. In this way, I think I can monitor all the traffic to and from the Internet. My question is: can I choose what traffic I will analyze using this configuration? Maybe with VACL or another way.
    Thanks in advance
    Andre Lomonaco

    If I understand your question correctly, I do not think you have the ability to selectively inspect the traffic with only a single pair of vlans. The IPS module is going to bridge your vlans together and you would want all traffic to go through that bridge...I don't know what mechanism you'd use to selectively direct traffic through some other bridge/route function.
    Within the IPS software you can turn off (disable AND retire) signatures that inspect traffic that you wish to ignore, the IPS will just forward the traffic through, but you don't have a fine level of granularity there.
    Scott

  • IDSM-2 Inline Vlan Pair - Duplicate Packets

    Dear All
    We have a setup where two IDSM-2 modules are ether-channeled together in a single 6513 Chassis.
    There is an FWSM module also, which acts as the default gateway for all internal VLANs.
    Problem: IDSM show stat virtual-sensor command is showing tons of 'Duplicate Packets'
    show statistics virtual-sensor | inc Duplic
    Duplicate Packets = 2950967
    Inline TCP Tracking Mode: Interface and VLAN
    Topology:
    Assume Client VLAN = 10 and Server VLAN = 60
    IPS Inline VLAN Pairs:
    10 >> 110 (Client VLAN)
    60 >> 160 (Server VLAN)
    Client >> Server Flow: (Layer 2):
    [ClientPC] >>>> Access Switch (VLAN 10) >>>> Core SW >>>> IDSM-2 (VLAN 10--110 Pair) >>>> Core Sw >>>> FWSM VLAN 110 >>>>
    FWSM VLAN 160 >>>> Core Sw >>>> IDSM-2 (VLAN 160--60 Pair) >>>> Server Switch (VLAN 60) >>>> [Server]
    Core Switch IPS Etherchannel Setup:
    Group 5: IDSM(A) and IDSM(B) Port x/7
    Group 6: IDSM(A) and IDSM(B) Port x/8
    Some VLAN Pair(s) are on interface x/7 and others are on x/8
    Because of the above issue, we see a lot of TCP normalization signatures being fired (as the IPS gets confused with duplicate packets seen for the same flow). Specially signatures 1330:12 :17 and :18.
    It is also causing some applications to break (e.g. Veritas Netbackup 6.5). When I removed the DENY action from these signatures, our IPS started having stability issues (This could also be due to E3 upgrade)
    Should we change the Tracking mode to 'VLAN' only, OR any other possible solution?. Should not the 'interface and vlan' setting be sufficient?.
    Regards
    Farrukh

    This will take some traffic analysis to determine what is going wrong.
    You might need to place a sniffer to watch the traffic on the client where the backup software is running at the same time that you capture the traffic on the sensor.
    Look to see if there are any differences in the traffic.
    Look for any anomalies in the traffic.
    Look to see if maybe the backup software is not using a standard TCP connection (is it jumping the tcp sequence numbers in any abnormal way?)
    You might also try some things on the sensor to determine if the sensor itself might have an issue.
    Determine if the connection passes through 2 connections (inline vlan pairs) monitored by the sensor.
    If you can, you might try removing both of the pairs from the virtual sensor. (don't delete the pairs, just remove them from the virtual sensor so they won't be analyzed)
    And see if the backup works.
    If it does then just add in one pair, and see if it keeps working.
    If it has errors with just the one pair, then the problem is likely not because of the connection being monitored twice.
    Something else must be weird about the connection.
    If the problems are only seen when having both pairs in the same virtual sensor, then try placing the pairs in different virtual sensors and see if the problem goes away.
    If the problem goes away when in different virtual sensors, then there may be an error in the inline tcp session tracking code that should track connections separately for each interface/vlan.

  • IDS 4215 Inline VLAN Pair

    I am trying to configure IDS 4215 to do inline vlan pair with a Cisco 3750 Layer 3 switch.
    We have 4 vlans in the 3750, vlan 100 for workstations,vlan 200 for servers, vlan 250 for ip phones and vlan 150 for firewalls.
    All vlans have corresponding SVI with that ip been the default gateway for each vlan.
    interface Vlan1
    no ip address
    interface Vlan100
    description Workstation VLAN
    ip address 192.0.0.5 255.255.255.0 secondary
    ip address 192.0.0.254 255.255.255.0
    interface Vlan150
    description WatchGuard FW VLAN
    ip address 192.168.150.254 255.255.255.0
    interface Vlan200
    description Servers
    ip address 192.168.200.254 255.255.255.0
    interface Vlan250
    description VOICE
    ip address 192.168.250.254 255.255.255.0
    ip helper-address 192.168.200.30
    interface Vlan254
    description Management VLAN
    ip address 192.168.254.254 255.255.255.0
    My question is how do i monitor the traffic going to firewall vlan from server/workstation vlans ?
    I read a quite a bit of old topics here in this forum but could not find anything matching though there were few coming close.
    So my idea is to configure a new vlan, say 151, and move the firewalls to the new vlan. Then do an inline vlan pair on the old firewall vlan 150 and the new fw vlan 151.
    Any idea if it's going to work? Or can I simply do 2 vlan inline pairs for fw-server and fw-workstation vlans? Also I understand that I have to configure trunking on switch ports?
    Would appreciate any comments.

    I would recommend you proceed with your first suggestion of creating vlan 151, moving the firewall ports to vlan 151, and then placing the sensor inline between vlans 150 and 151.
    There are 2 options for placing the sensor between vlans 150 and 151: inline interface pairing, or inline vlan pairing.
    With inline interface pairing you would need the 4FE card in the IDS-4215. Create an inline interface pair using Fe2/0 and Fe2/1.
    Create an access port on vlan 150 of your switch and connect Fe2/0.
    Create an access port on vlan 151 of your switch and connect Fe2/1.
    Allow spanning-tree to run (generally between 30 and 40 seconds).
    With InLine Vlan Pairing you can do this with an IDS-4215 without needing the 4FE card.
    Create an inline vlan pair subinterface on Fe0/1 that will pair vlans 150 and 151.
    Create an 802.1q trunk port on your switch that will trunk just vlans 150 and 151 (leave the native vlan of the trunk as vlan 1, but do not place vlan 1 in the list of allowed vlans on the trunk)
    Connect Fe0/1 to your trunk port.
    Now this will cause All traffic between your internal networks and the firewall to have to pass through the sensor. This includes your voice traffic that goes through the internet.
    The other option you mentioned of creating inline vlan pairs on your workstation vlan and your server vlans, I would not recommend with IPS 5.1.
    The inline vlan pairs would have to be created similar to the inline vlan pair I described above using vlans 150 and 151.
    You would have to create vlan 101 and pair 100 and 101.
    As well as create 201 and pair 200 and 201.
    If the workstations ONLY have connections out through the Firewall and NOT to the servers then it would be OK.
    BUT if the workstations also have connections to the servers then it will cause problems. The packets will have to pass through both the vlan 100 and 101 pair as well as the vlan 200 and 201 pair.
    When the sensor sees the same packet again after having been routed (by the switch in this case) it causes issues. The sensor sees that the packet has changed and believes that a hacker is modifying packets on the network.
    This is being addressed in IPS version 6.0 (still under development) so that vlan pair 100 and 101 can be monitored independent of vlan pair 200 and 201.
    So until IPS 6.0 is released I would suggest staying with the single vlan pair approach using vlan pair 150 and 151.
