Good explanation, Alexey, about TCP resets. What exactly happens to the switch port when we add the "ingress" option in the monitor destination line? As far as I understand it, this setting instructs the switch to send TCP RST back to VLAN 45. Is this the only reason to include VLAN 45 in the source line, i.e.

Cat4
monitor session 1 source vlan 45 , 450

Otherwise it wouldn't make sense to include VLAN 45 in the sources, as the interesting traffic comes from RSPAN VLAN 450.

Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Alexei Monastyrnyi
Sent: Monday, August 06, 2012 4:25 AM
To: Matt Hill
Cc: CCIE Security Maillist
Subject: Re: [OSL | CCIE_Security] Volume 1 3.6 Monitoring Traffic with IDS

Matt,

I reckon it is just a bit of ambiguous wording which led you astray. By saying "traffic between VLAN 4 and 5" they mean traffic crossing VLAN 45. Technically there may be other traffic crossing that VLAN 45, say between VLAN 5 and 24 or some loopback IPs.

To the second part of your question: when the IDS sends TCP resets it would craft an Ethernet packet towards the attacker or victim (or both, depending on signature logic) with valid source and destination IP addresses, TCP options etc., as well as a valid L2 header. Say the IDS intercepts a TCP session coming from VLAN 5 behind R5 and destined to VLAN 4. The source IP in this case is some host in VLAN 5 and the dest IP is one in VLAN 4. The source MAC address is the MAC address of the R5 interface connected to VLAN 45; the dst MAC address is the one of the R4 interface connected to VLAN 45. So the Ethernet frame encapsulating that TCP RST packet (if sent back to the host in VLAN 5) would have a destination MAC address of R5. R5 would make a routing decision; switches in the middle would just switch that Ethernet frame as usual towards the port where the R5 MAC address is learned.

Hope it makes sense.

A.

On 8/6/2012 3:30 PM, Matt Hill wrote:

Hi Everyone,

Another dumb question. The question asks us to copy traffic from VLANs 4 & 5 to G0/0 on the sensor. Why does the DSG show the source as VLAN 45? It does say that TCP resets need to be on VLAN 45, although this (in my view) has rather little to do with the source VLAN. Also, would VLAN 45 need to be routable to the target hosts so the IPS can send the resets? I mean, if the RST comes in on VLAN 45, what does the switch do with it then? I think it would need to be able to be routed to the target.

Cheers,
Matt
CCIE #22386 CCSI #31207

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
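For reference, here is what the two SPAN variants under discussion look like on the switch side. This is an added example, not configuration from the thread or from the workbook's DSG. It assumes Catalyst 4500 IOS syntax for the "ingress" keyword, that the sensor's G0/0 is cabled to switch port Gi1/1 (a hypothetical port number), and a plain local SPAN of VLAN 45 only; the RSPAN leg via VLAN 450 is left out.

```ios
! Added example, not from the thread. Assumes Catalyst 4500 IOS syntax and
! that the sensor's G0/0 is cabled to Gi1/1 (hypothetical port number).

! Variant 1: monitor-only. The destination port only transmits mirrored
! frames; anything the sensor sends into Gi1/1 (e.g. a crafted TCP RST)
! is dropped at the port, so resets never reach VLAN 45.
monitor session 1 source vlan 45 both
monitor session 1 destination interface GigabitEthernet1/1

! Variant 2: same mirror, but "ingress vlan 45" tells the switch to accept
! frames received on the destination port and forward them in VLAN 45.
! A RST the sensor crafts with R5's VLAN 45 MAC as destination is then
! switched to the port where that MAC was learned, and R5 routes it on to
! the host in VLAN 5. No IP reachability between VLAN 45 and the sensor
! itself is needed; the sensor only needs a valid L2 header on the frame.
no monitor session 1
monitor session 1 source vlan 45 both
monitor session 1 destination interface GigabitEthernet1/1 ingress vlan 45

! Checks
show monitor session 1
! confirm the destination port is listed and ingress is enabled for VLAN 45
show mac address-table vlan 45
! the R4 and R5 interface MACs should appear here; these are the addresses
! the sensor's resets will carry as destination MAC
```

The point of the second variant is that the sensor is not a router on VLAN 45: the reset is a normal Ethernet frame entering the switch on Gi1/1, so the only thing the switch needs is permission to accept frames on that port and a VLAN to place them in.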
