
Enabling ingress traffic on a destination span port in Cisco IOS

What is the feature called on a Cisco switch that would allow a SPAN destination port to also receive RST (reset) packets back from an IPS or appliance that is monitoring traffic from that SPAN port?

Websense appliance documentation calls this a bidirectional SPAN port. Maybe that is a generic term for this feature, but I believe Cisco may call it "ingress traffic" on a destination SPAN port.

The Websense appliances have two NICs, so it is probably a more common configuration to connect one NIC to the destination SPAN port to monitor interesting traffic and use the other NIC to send RST packets out to block/reset undesirable TCP connections. But what if you only want to use one port on the appliance to do both jobs?

I found a few articles on how to enable ingress traffic, but I am not sure if that would allow TCP RST packets back into the SPAN port.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2940/software/release/12.1_19_ea1/configuration/guide/swspan.html#wp1218090

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/25ew/configuration/guide/span.html#wp1036989
Asked by: Dragon0x40
1 Solution
 
eeRoot commented:
To monitor both the ingress and egress traffic, add the "both" option to the monitor session command.  If your connection is trunked, then you may also have to play with the encapsulation and VLAN options.
 
Dragon0x40 (author) commented:
Thanks eeRoot, but I think what you are referring to is monitoring and mirroring both egress and ingress of the SOURCE port(s).

What I am asking about is the DESTINATION port.

An ingress keyword on the destination port would allow the TCP RST packets to be sent from the appliance to the client requesting the TCP session and to the destination server.

I assume that even with the ingress keyword the destination SPAN port would not be allowed to act as a normal port, i.e. use the destination SPAN port to manage the appliance.

I have not seen an egress keyword in SPAN configurations for Cisco.

I am basically trying to figure out if the ingress keyword would allow the SPAN destination port to let an IPS appliance 1.) monitor all traffic sent to the SPAN destination port, 2.) send RST packets to break TCP sessions, and 3.) be used to manage the IPS appliance.

From the Cisco documentation linked below:

This example shows how to configure the destination port for ingress traffic on VLAN 5 by using a security device that does not support 802.1Q encapsulation.

Switch(config)# monitor session 1 destination interface Fa 0/5 ingress vlan 5

This example shows how to configure the destination port for ingress traffic on VLAN 5 by using a security device that supports 802.1Q encapsulation.

Switch(config)# monitor session 1 destination interface Fa 0/5 encapsulation dot1q ingress vlan 5

http://www.cisco.com/en/US/docs/switches/lan/catalyst2940/software/release/12.1_19_ea1/configuration/guide/swspan.html#wp1218090
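A complete SPAN session built from the two commands quoted above, as an added example that is not part of the thread or of the linked Cisco pages. It assumes a Catalyst 2940/2960-class switch running IOS, that the client/server traffic to be inspected crosses FastEthernet0/1, and that the appliance's single NIC is connected to FastEthernet0/5 and should be placed in VLAN 5; the interface numbers, the VLAN and the session number are assumptions.

```cisco
! Constructed example: one local SPAN session whose destination port also
! accepts frames from the attached appliance (the "ingress" keyword).
!
! Assumed topology (not from the thread):
!   Fa0/1 - port carrying the client/server traffic to be inspected
!   Fa0/5 - the appliance's only NIC, to be treated as a member of VLAN 5

! Start from a clean session so stale source/destination entries do not linger
Switch(config)# no monitor session 1

! Mirror BOTH directions of the source port (eeRoot's "both" option applies here,
! on the source side, not on the destination side)
Switch(config)# monitor session 1 source interface FastEthernet0/1 both

! Destination port. Without "ingress" the switch only sends mirrored frames out
! of Fa0/5 and discards anything the appliance sends back. With "ingress vlan 5"
! the untagged frames the appliance sends (for example its TCP resets) are
! accepted on Fa0/5 and switched in VLAN 5.
Switch(config)# monitor session 1 destination interface FastEthernet0/5 ingress vlan 5

! Alternative for an appliance that sends 802.1Q-tagged frames (same form as the
! second documentation example above); use one or the other, not both:
! Switch(config)# monitor session 1 destination interface FastEthernet0/5 encapsulation dot1q ingress vlan 5

Switch(config)# end

! Verification: the session should list Fa0/1 under "Both" as the source,
! Fa0/5 as the destination, and report ingress as enabled with default VLAN 5.
Switch# show monitor session 1

! Verification of the reverse direction: input packet counters on Fa0/5 should
! increase while the appliance is emitting resets; if they stay at zero, the
! frames are being dropped before the switch counts them.
Switch# show interfaces FastEthernet0/5
```

The "ingress" keyword answers only the appliance-to-switch direction of the question. Whether the same port can also carry ordinary switched traffic from the switch to the appliance (for example for management) is the point eeRoot addresses below; the configuration above does not change that behaviour, it only lets frames from the appliance in.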
 
eeRoot commented:
No, the destination port will not transmit any traffic except packets required for the SPAN session.
 
Dragon0x40 (author) commented:
So a destination SPAN port on a Cisco switch can be configured to RECEIVE traffic from the appliance (e.g. TCP resets) but cannot TRANSMIT management traffic out the SPAN destination port to the appliance?

I assume there are some switches made by different manufacturers that do provide both ingress and egress on destination SPAN ports?

Websense calls this type of SPAN destination port a "bidirectional SPAN port".

They also still recommend using two NICs on the appliance, which negates the need for a bidirectional SPAN port, but it is still an option.

I am just curious to know if there are any switches out there that do provide this capability, because I can't find any Cisco switches that seem to.
