IPS 5.X and later/idsm2 : Inline VLAN Pair Mode using CLI and IDM Configuration Example

Similar documents
Configuring Virtual Sensors

Configuring the AIP SSM

Using the Startup Wizard

Working With Configuration Files

Designing Solution with Cisco Intrusion Prevention Systems

Configuring Event Action Rules

Configuring Anomaly Detection

Configuring Event Action Rules

Configuring Anomaly Detection

Logging In to the Sensor

Configuring VLAN ACLs

Configuring Dashboards

Communication Media Module IP Connectivity

Setting Up the Sensor

Fixing Issues with Corporate Directory Lookup from the Cisco IP Phone

Use NAT to Hide the Real IP Address of CTC to Establish a Session with ONS 15454

Configuring EtherChannel Between a Catalyst Switch Running CatOS and a Workstation or Server

NAT Support for Multiple Pools Using Route Maps

Wireless LAN Controller Module Configuration Examples

Wireless LAN Controller and IPS Integration Guide

Products & Services Intrusion Detection System Compatibility Matrix

Configuring EtherChannel Between Catalyst 2900XL/3500XL Switches and CatOS Switches

1 of :22

Table of Contents. isco Configuring 802.1q Trunking Between a Catalyst 3550 and Catalyst Switches Running Integrated Cisco IOS (Nativ

Cisco Firepower Threat Defense for ISR

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Configuring SPAN. Understanding SPAN CHAPTER. This chapter describes how to configure Switched Port Analyzer (SPAN) and on the Catalyst 2960 switch.

Configuring IS IS over IPv6

Configuring SPAN and RSPAN

EtherChannel Between a Cisco Catalyst Switch That Runs Cisco IOS and a Workstation or Server Configuration Example

Configuring ISL Trunking Between Catalyst Switches Running CatOS and Cisco IOS System Software

Configuring Catalyst Switches for Polycom Conference Phones

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM

Configuring EtherChannel and 802.1Q Trunking Between Catalyst L2 Fixed Configuration Switches and Catalyst Switches Running CatOS

This document provides a sample configuration for X25 Over TCP.

Configuring Transparent Caching on the Content Switch Module

Cisco Discovery Protocol Version 2

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 6.0

Numerics INDEX. 4GE bypass interface card configuration restrictions 5-9 described 5-8 illustration 5-8

Configuring a Cisco 827 Router to Support PPPoE Clients, Terminating on a Cisco 6400 UAC

Chapter 6: IPS. CCNA Security Workbook

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

UCS Uplink Ethernet Connection Configuration Example

Configuring Cisco Performance Monitor

Tune the CTC HEAP Variables on the PC to Improve CTC Performance

Configuring SPAN and RSPAN

Configuring Secure (Router) Mode on the Content Switching Module

Setting Up the Sensor

Using NAT in Overlapping Networks

Port ACLs (PACLs) Prerequisites for PACls CHAPTER

H3C S12500 sflow Configuration Examples

Table of Contents. Cisco WebVPN Capture Tool on the Cisco ASA 5500 Series Adaptive Security Appliance

Configuring IDS TCP Reset Using VMS IDS MC

Understanding Queuing and Scheduling QoS on Catalyst 4000 Supervisor III and IV

Unity Express Voic Storage Limits

Configuring IOS Server Load Balancing with HTTP Probes in the Dispatched Mode

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Cisco CISCO Securing Networks with ASA Advanced. Practice Test. Version

* Knowledge of Adaptive Security Appliance (ASA) firewall, Adaptive Security Device Manager (ASDM).

Web Authentication Proxy on a Wireless LAN Controller Configuration Example

BFD on BDI Interfaces

Upgrading, Downgrading, and Installing System Images

Configuring Storm Control

Auto Register Cisco IP Communicator 8.6 with CUCM 8.x

Understanding Issues Related to Inter VLAN Bridging

Configuring IP Logging

Upgrading, Downgrading, and Installing System Images

Device Management Basics

Understanding and Configuring Switching Database Manager on Catalyst 3750 Series Switches

Upgrading, Downgrading, and Installing System Images

Device Management Basics

Configure CatOS Catalyst Switches to Connect Cisco IP Phones Configuration Example

Cisco Discovery Protocol Version 2

CISCO EXAM QUESTIONS & ANSWERS

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Port-Shaper and LLQ in the Presence of EFPs

Device Management Basics

Using Switches with a PS Series Group

Configuring Event Action Rules

BFD on BDI Interfaces

Configuring Cisco Prime NAM

Multiple Context Mode

VPN Connection through Zone based Firewall Router Configuration Example

Cisco DSL Router Configuration and Troubleshooting Guide Cisco DSL Router Acting as a PPPoE Client with a Dynamic IP Address

PIX/ASA 7.x and Later : Easy VPN with Split Tunneling ASA 5500 as the Server and Cisco 871 as the Easy VPN Remote Configuration Example

Configuring SPAN and RSPAN

Cisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection

Configuring SPAN and RSPAN

ASA Clientless SSL VPN (WebVPN) Troubleshooting Tech Note

Security Configuration Guide: Unified Threat Defense, Cisco IOS XE Fuji 16.8.x

About This Guide. Document Objectives. Audience

L2 Bridging Across an L3 Network Configuration Example

Configuring Firepower Threat Defense interfaces in Routed mode

Configuring IP SLAs TCP Connect Operations

2.2 Cisco IOS Commands for the Catalyst 4500 Series Switches snmp ifindex clear. This command has no arguments or keywords.

WebView and IIS Connection Timeouts

Configuring IP Logging

IOS/CCP: Dynamic Multipoint VPN using Cisco Configuration Professional Configuration Example

Behavior of Cisco Discovery Protocol between Routers and Switches

Transcription:

IPS 5.X and later/idsm2 : Inline VLAN Pair Mode using CLI and IDM Configuration Example Document ID: 97214 Contents Introduction Prerequisites Requirements Components Used Related Products Conventions VACL Capture Configuration Inline VLAN Pair Mode Configuration CLI Configuration IDM Configuration Troubleshoot Related Information Introduction The association of VLANs in pairs on a physical interface is known as inline VLAN pair mode. Packets received on one of the paired VLANs are analyzed and forwarded to the other VLAN in the pair. Inline VLAN pairs are supported on all sensors that are compatible with Intrusion Prevention System (IPS) 5.1, except NM CIDS, AIP SSM 10, and AIP SSM 20. Inline VLAN pair mode is an active sensing mode where a sensing interface acts as an 802.1q trunk port, and the sensor performs VLAN bridging between pairs of VLANs on the trunk. This means that the switch connected to the sensing interface must be in trunk mode. The sensor inspects the traffic it receives on each VLAN in each pair, and can either forward the packets on the other VLAN in the pair or drop the packet if an intrusion attempt is detected. You can configure an IPS sensor to simultaneously bridge up to 255 VLAN pairs on each sensing interface. The sensor replaces the VLAN ID field in the 802.1q header of each received packet with the ID of the egress VLAN on which the sensor forwards the packet. The sensor drops all packets received on any VLANs that are not assigned to inline VLAN pairs. Note: For IPS 4260, fail open hardware bypass is not supported on inline VLAN pairs. Refer to Hardware Bypass Configuration Restrictions for more information. Prerequisites Requirements There are no specific requirements for this document. Components Used The information in this document is based on Cisco Intrusion Prevention System Sensor that uses the 5.1 and later.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. Related Products The information in this document is also applicable to the Intrusion Detection System (IDSM 2) Services Module. Conventions Refer to Cisco Technical Tips Conventions for more information on document conventions. VACL Capture Configuration Refer to the Configuring VACL Capture section of Configuring IDSM 2 in order to send traffic to the IDSM on the switch. Inline VLAN Pair Mode Configuration In this section, you are presented with the information to configure the features described in this document. Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section. Use the physical interfaces interface_name command in the service interface submode in order to configure inline VLAN pairs using the CLI. The interface name is FastEthernet or GigabitEthernet. These options apply: admin state {enabled disabled}the administrative link state of the interface, whether the interface is enabled or disabled. Note: On all backplane sensing interfaces on all modules (IDSM 2 NM CIDS, and AIP SSM), admin state is set to enabled and is protected (you cannot change the setting). The admin state has no effect (and is protected) on the command and control interface. It only affects sensing interfaces. The command and control interface does not need to be enabled because it cannot be monitored. defaultsets the value back to the system default setting. descriptionyour description of the inline interface pair. duplexthe duplex setting of the interface. autosets the interface to auto negotiate duplex. fullsets the interface to full duplex. halfsets the interface to half duplex. Note: The duplex option is protected on all modules. noremoves an entry or selection setting. speedthe speed setting of the interface. autosets the interface to auto negotiate speed. 10Sets the interface to 10 MB (for TX interfaces only). 100Sets the interface to 100 MB (for TX interfaces only). 1000Sets the interface to 1 GB (for Gigabit interfaces)

Note: The speed option is protected on all modules. subinterface typespecifies that the interface is a subinterface and what type of subinterface is defined. inline vlan pairlets you define the subinterface as an inline VLAN pair. No subinterfaces defined. subinterfacedefines the subinterface as an inline VLAN pair. vlan1the first VLAN in the inline VLAN pair. vlan2the second VLAN in the inline VLAN pair. CLI Configuration Complete these steps in order to configure the inline VLAN pair settings on the sensor using CLI: 1. Log in to the CLI using an account with administrator privileges. 2. Enter the interface submode: sensor#configure terminal sensor(config)#service interface sensor(config int)# 3. Verify if any inline interfaces exist (the subinterface type should read "" if no inline interfaces have been configured): sensor(config int)#show settings physical interfaces (min: 0, max: 999999999, current: 2) <protected entry> name: GigabitEthernet0/0 <defaulted> media type: tx <protected> description: <defaulted> admin state: disabled <protected> duplex: auto <defaulted> speed: auto <defaulted> alt tcp reset interface subinterface type <protected entry> name: GigabitEthernet0/1 <defaulted> media type: tx <protected> description: <defaulted> admin state: disabled <defaulted> duplex: auto <defaulted> speed: auto <defaulted> alt tcp reset interface

subinterface type <protected entry> name: GigabitEthernet0/2 <defaulted> media type: tx <protected> description: <defaulted> admin state: disabled <defaulted> duplex: auto <defaulted> speed: auto <defaulted> alt tcp reset interface subinterface type <protected entry> name: GigabitEthernet0/3 <defaulted> media type: tx <protected> description: <defaulted> admin state: disabled <defaulted> duplex: auto <defaulted> speed: auto <defaulted> alt tcp reset interface subinterface type <protected entry> name: Management0/0 <defaulted> media type: tx <protected> description: <defaulted> admin state: disabled <protected> duplex: auto <defaulted> speed: auto <defaulted> alt tcp reset interface subinterface type

4. command control: Management0/0 <protected> inline interfaces (min: 0, max: 999999999, current: 0) bypass mode: auto <defaulted> interface notifications missed percentage threshold: 0 percent <defaulted> notification interval: 30 seconds <defaulted> idle interface delay: 30 seconds <defaulted> sensor(config int)# Remove any inline interfaces that use this physical interface: sensor(config int)#no inline interfaces interface_name 5. Display the list of available interfaces: sensor(config int)#physical interfaces? GigabitEthernet0/0 GigabitEthernet0/0 physical interface. GigabitEthernet0/1 GigabitEthernet0/1 physical interface. GigabitEthernet0/2 GigabitEthernet0/2 physical interface. GigabitEthernet0/3 GigabitEthernet0/3 physical interface. Management0/0 Management0/0 physical interface. sensor(config int)#physical interfaces 6. Specify an interface: sensor(config int)#physical interfaces GigabitEthernet0/2 7. Enable the admin state of the interface: sensor(config int phy)#admin state enabled The interface must be assigned to the virtual sensor and enabled in order to monitor traffic. 8. Add a description of this interface: sensor(config int phy)#description INT1 9. Configure the duplex settings: sensor(config int phy)#duplex full This option is not available on modules. 10. Configure the speed: sensor(config int phy)#speed 1000 This option is not available on modules. 11. Set up the inline VLAN pair: 12. sensor(config int phy)#subinterface type inline vlan pair sensor(config int phy inl)#subinterface 1 sensor(config int phy inl sub)#vlan1 52 sensor(config int phy inl sub)#vlan2 53 Add a description for the inline VLAN pair: sensor(config int phy inl sub)#description pairs vlans 52 and 53 13. Verify the inline VLAN pair settings:

14. sensor(config int phy inl sub)#show settings subinterface number: 1 description: VLANpair1 default: vlan1: 52 vlan2: 53 sensor(config int phy inl sub)# Exit the interface submode: sensor(config int phy inl sub)#exit sensor(config int phy inl)#exit sensor(config int phy)#exit sensor(config int)#exit Apply Changes:?[yes]: 15. Press Enter in order to apply the changes, or enter no to discard them. 16. Enter the virtual sensor configuration mode: 17. 18. sensor(config)#service analysis engine sensor(config ana)#virtual sensor vs0 Add the interface to the virtual sensor: sensor(config ana vir)#physical interface GigabitEthernet0/2 subinterface number 1 Exit the virtual sensor submode: sensor(config ana vir)#exit sensor(config ana)#exit Apply Changes:?[yes]: 19. Press Enter in order to apply the changes, or enter no to discard them. IDM Configuration Complete these steps to configure the inline VLAN pair settings on the sensor using IDS Device Manager (IDM): 1. Open your browser and enter https://<management_ip_address_of_ips> to access the IDM on the IPS. 2. Click Download IDM Launcher and Start IDM to download the installer for the application. 3. Go to the Home page in order to view the device information such as Host Name, IP Address, version, and the model., etc.

4. Go to Configuration > Sensor Setup and click Network. Here you can specify the Hostname, IP Address and Default Route. 5. Go to Configuration > Interface Configuration and click Summary. This page shows the configuration summary of the sensing interface.

6. Go to Configuration > Interface Configuration > Interfaces and select the interface name.then, click Enable in order to enable the sensing interface. Also, configure the Duplex, Speed and VLAN information.

7. Go to Configuration > Interface Configuration > VLAN Pairs and click Add in order to create the Inline VLAN Pairs. 8. Enter the Subinterface Number, VLAN A and VLAN B for the sensing interface (GigabitEthernet0/0). You can view the summary of the Inline VLAN Pair Configuration.

9. Go to Configuration > Analysis Engine > Virtual Sensor and click Edit in order to create the new virtual sensor. 10. Assign the Inline VLAN Pair 52 and 53 to the Virtual Sensor vs0.

View the summary of the assigned virtual sensor information.

Troubleshoot There is currently no specific troubleshooting information available for this configuration. Related Information Cisco ASA 5500 Series Adaptive Security Appliances Cisco Intrusion Prevention System Cisco IPS 4200 Series Sensors Technical Support & Documentation Cisco Systems Contacts & Feedback Help Site Map 2013 2014 Cisco Systems, Inc. All rights reserved. Terms & Conditions Privacy Statement Cookie Policy Trademarks of Cisco Systems, Inc. Updated: Jul 02, 2008 Document ID: 97214

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback