Sniffing interface traffic

Cisco IDS:

probe# sh int

command-control is up
  Internet address is 10.20.0.30, subnet mask is 255.255.252.0, telnet is enabled.
  Hardware is eth1, tx

Network statistics
  eth1  Link encap:Ethernet  HWaddr 00:0d:c88:6D:3F:2B
        inet addr:10.20.0.30  Bcast:10.20.3.255  Mask:255.255.252.0
        BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
        RX packets:18437 errors:0 dropped:0 overruns:0 frame:0
        TX packets:5828 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:100
        RX bytes:2137149 (2.0 Mb)  TX bytes:1776793 (1.6 Mb)
        Interrupt:11 Base address:0x9000

Group 0 is up
  Sensing ports int0 int2
  Logical virtual sensor configuration: virtualSensor
  Logical alarm channel configuration: virtualAlarm
  .....

sensing-interface int0 is down
  Hardware is eth0, tx
  Reset port

sensing-interface int2 is down
  Hardware is eth2, tx
  Reset port

================================================

If I connect int0 to the DMZ I can see the events in IEV, but when I connect the same cable to int2 nothing shows up.

Where is the problem?

It's a bit strange that you see events on int0 when it says the interface is down. What version are you running on the sensor, and what model is it?

In any case, what do you see when you run 'show interfaces sensing'?

Try to manually bring up the interface:

guardian1# conf t
guardian1(config)# interface sensing int0
guardian1(config-ifs)# no shutdown

If this does not work, then take a look at the interface from the 'service' account.

bash-2.05$ su -
Password:
[[email protected] /root]# ifconfig -a
[[email protected] /root]# tcpdump -i eth0
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0
15:11:18.160683 63.250.197.45.http >

Verify that the interface is seeing the traffic.

I hope this helps.

Chris
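A check for the step above, added here as example code (it is not from the original post or from Cisco): it parses two snapshots of the classic ifconfig output that the sensor's service account prints, and reports sensing interfaces that cannot be sniffing, i.e. those that are not UP/RUNNING or whose RX packet counter does not advance between the two snapshots. The snapshots are constructed sample text; the assumption that eth0/eth2 are the sensing ports int0/int2 and eth1 is command-and-control follows the post.

```python
"""Diff two ifconfig snapshots to tell whether sensing interfaces receive traffic."""
import re
from typing import Dict, List, NamedTuple


class IfaceStats(NamedTuple):
    up: bool           # UP flag: interface administratively enabled
    running: bool      # RUNNING flag: driver sees link/carrier
    rx_packets: int


_IFACE_RE = re.compile(r"^(?P<name>\S+)\s+Link encap", re.MULTILINE)
_FLAGS_RE = re.compile(r"^\s+((?:[A-Z]+\s+)+)MTU:", re.MULTILINE)
_RX_RE = re.compile(r"RX packets:(\d+)")


def parse_ifconfig(text: str) -> Dict[str, IfaceStats]:
    """Parse the classic net-tools `ifconfig -a` layout (one block per interface,
    blocks separated by a blank line) as printed on the sensor's service account."""
    stats: Dict[str, IfaceStats] = {}
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        m = _IFACE_RE.search(block)
        if not m:
            continue
        flags_m = _FLAGS_RE.search(block)
        flags = set(flags_m.group(1).split()) if flags_m else set()
        rx_m = _RX_RE.search(block)
        stats[m.group("name")] = IfaceStats(
            up="UP" in flags,
            running="RUNNING" in flags,
            rx_packets=int(rx_m.group(1)) if rx_m else 0,
        )
    return stats


def idle_interfaces(before: Dict[str, IfaceStats], after: Dict[str, IfaceStats],
                    names: List[str]) -> List[str]:
    """Report the named interfaces that cannot be sniffing: missing, not UP/RUNNING,
    or with an RX packet counter that did not advance between the two snapshots."""
    problems = []
    for name in names:
        a = after.get(name)
        b = before.get(name)
        if a is None:
            problems.append(f"{name}: not present")
        elif not (a.up and a.running):
            problems.append(f"{name}: not UP/RUNNING (no link?)")
        elif b is not None and a.rx_packets <= b.rx_packets:
            problems.append(f"{name}: RX counter stuck at {a.rx_packets}")
    return problems


# Constructed sample snapshots (MACs and counters invented): eth0 and eth2 stand in
# for the sensing ports int0/int2 from the post, eth1 for command-and-control.
SNAPSHOT_T0 = """\
eth0      Link encap:Ethernet  HWaddr 02:00:00:AA:BB:00
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1000 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

eth1      Link encap:Ethernet  HWaddr 02:00:00:AA:BB:01
          inet addr:10.20.0.30  Bcast:10.20.3.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18437 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5828 errors:0 dropped:0 overruns:0 carrier:0

eth2      Link encap:Ethernet  HWaddr 02:00:00:AA:BB:02
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
"""
# Second snapshot taken a few seconds later: only the C&C interface saw packets.
SNAPSHOT_T1 = SNAPSHOT_T0.replace("RX packets:18437", "RX packets:18502")

if __name__ == "__main__":
    for line in idle_interfaces(parse_ifconfig(SNAPSHOT_T0), parse_ifconfig(SNAPSHOT_T1),
                                ["eth0", "eth2"]):
        print(line)
```

On a live sensor you would feed it two real `ifconfig -a` captures taken a few seconds apart; an interface that is UP/RUNNING but whose RX counter never moves is cabled to a port that is not mirroring anything, which is a different fault from a sensing interface that is administratively down.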

Tags: Cisco Security

Similar Questions

  • Multicast traffic stops flowing after a while when using IGMP snooping

    Hi all

    I have the following configuration:

    :

    Where host 1 is a multicast traffic source and host 2 is a client of the multicast traffic. IGMP snooping is configured on both switches.
    Host 2 boots and sends an IGMP report in order to join host 1's multicast group. Since SW2 does not know where the mrouter for the group is, it adds port Eth1/1 to the snooping group and drops the IGMP packet. Once host 1 starts, it sends an IGMP query (which is flooded over the port channel), and multicast traffic starts to flow to host 2.
    When I ran 'show ip igmp snooping groups' I saw the same result on both switches: on both switches the group contains Eth1/1 and the port channel, but after a while the switch connected to host 2 removed the port channel from the group.
    After consulting the switch logs and sniffing traffic on one of the port-channel interfaces on SW1, I came to the conclusion that this happens because SW1 stops forwarding the queries generated by host 1 and answers them locally (some kind of proxy). I also noticed that the IGMP reports generated by host 2 stop arriving at SW1 (since SW2 no longer knows there is an mrouter connected across the port channel).

    My questions are:

    1. How does SW1 know it should keep the port channel as part of the group if it no longer gets IGMP reports from SW2?

    2. What happens if host 2 is no longer interested in the multicast traffic but does not send an IGMP leave message (a behaviour that is allowed by the protocol, to my knowledge)? How does SW1 know it should stop answering the IGMP queries sent by host 1?

    Thanks in advance,

    Omer.

    Hello

    The problem is that you have no mrouter port on SW1. It is well documented at

    http://www.Cisco.com/c/en/us/support/docs/switches/Catalyst-6500-Series-...

    There are 3 ways you can solve this problem.

    1. Enable PIM on SW1.

    or

    2. Enable the IP IGMP snooping querier on SW2

    or

    3. Create a static mrouter port on SW2:

    ip igmp snooping vlan 1 mrouter interface PoX
    
    
  • Monitoring of load on IDS

    Hello.

    At present I am monitoring the traffic flowing on the inside interface of my firewall. I need to sniff traffic on another interface as well. Before doing this, I wanted to know whether my IDS 4235 would take the load or not.

    Kindly help me with how to measure the current load on the IDS.

    Hello

    You can run the following command:

    show version

    Application Partition:

    Cisco Systems Intrusion Detection Sensor, Version 4.0 S91

    OS Version 2.4.18-5smpbigphys-4215

    Platform: IDS-4215

    Sensor up-time is 51 days.

    Using 444817408 out of 459202560 bytes of available memory (96% usage)

    Using 4.3G out of 17G bytes of available disk space (27% usage)

    This will give you the memory and disk status.

    HTH

  • NAC L3 OOB does not not on WAN

    I am setting up a proof-of-concept lab for the NAC installation.

    I use Cisco Catalyst 3550 and 2950 switches (the real environment uses 3750, 2960 and 2950 switches) and have set up NAC in central L3 OOB configuration. In this configuration I have a CAS and CAM at "MAIN_SITE" and then two branch sites, "BRANCH1" and "BRANCH2".

    At the main site the OOB works very well, and when a user logs in the port is moved from the authentication VLAN (290) to the role-based VLAN (200). However, the switches in the branches do not put the port in the role-based VLAN, or if a port is in VLAN 200 and a PC is connected to that port, the switch does not move the port to VLAN 290 (unauthenticated).

    Sniffing the traffic with Wireshark, I see SNMP sets sent by the CAM to the switch telling it to place the port in VLAN 200, but the switch does not do it.

    My write community strings are configured correctly and the CAM is able to push the initial NAC commands to the switch (the 'snmp trap mac-notification added' commands for the ports).

    Can anyone tell what the problem is?

    Sachin

    Sachin,

    It must be at least 12.1(14)EA1.

    Visit this link for all the switches you need for OOB and the supported code versions: http://bit.ly/SwitchSupport

    HTH,

    Faisal

  • second Web server on the DMZ not visible outside

    Using a PIX 515e.

    I have several web servers in the DMZ; the first web server and the mail server are set up with port mapping to the PIX outside interface IP address.

    The second and third web servers (on the inside interface) are configured with static mappings and access lists.

    I can see the first web server and the mail server fine, but I cannot see the second or third servers.

    What have I done wrong?

    I suggest you analyse the traffic with the PIX 'capture' command and sniff the traffic on the DMZ and outside interfaces.

    Check whether the packets arrive at the outside interface, whether they reach the web server and whether there is a response.

    Example:

    access-list 120 permit ip any host 207.236.60.35

    capture vpncap access-list 120 interface outside

    show capture vpncap access-list 120 detail

    or

    https://PIX-IP-address/capture/vpncap[/pcap]

    To remove the capture:

    no capture vpncap

    Sincerely

    Patrick

  • CBAC with several inspection rules

    Hello

    My customer is replacing an ASA/PIX IPsec hub-and-spoke network with a DMVPN network using a 2921 and 881s.

    All the security (ACL/CBAC) will run on the Cisco 2921 hub site. I have attached a simplified topology drawing of the HUB interfaces:

    As you can see in the picture there are 5 active interfaces on the Cisco 2921:

    LAN INT

    DMZ INT

    VIRTUAL INT

    TUNNEL INT

    WAN INT

    All interfaces have an ACL applied in the inbound direction. So I have the following ACLs:

    INSIDE_OUT for the internal LAN (managing traffic from the LAN to the DMZ, DMVPN, Internet and remote VPN clients)

    DMVPN_INSIDE_OUT for the TUNNEL INT (managing DMVPN traffic to the LAN and WAN)

    VIRTUAL_INSIDE_OUT for the VIRTUAL INT (managing remote VPN user traffic to DMVPN, LAN and WAN)

    DMZ_INSIDE_OUT for the DMZ (open for ICMP to the Internet and one server on the LAN)

    INSIDE_IN for the WAN INT (deny everything apart from ICMP, ESP, ISAKMP, etc.)

    Currently I have the following 2 CBAC rules:

    ip inspect name IN_OUT applied outbound on the WAN INT

    ip inspect name OUT_IN_DMZ applied inbound on the WAN INT (to allow the return traffic of sessions initiated from the Internet to the DMZ)

    But now I think that to have stateful traffic on all interfaces, as on an ASA, I have to configure an inspect rule inbound on each interface, or am I completely wrong?

    For example, if I want a LAN server to communicate with a server on the DMZ, do I need to inspect the inbound traffic on the LAN to allow the return traffic from the DMZ to the LAN? Which means I need a third inspection rule, no?

    Kind regards

    Laurent

    Laurent,

    Ideally you'd have inspection on all inbound interfaces.

    However, I think you are trying to overcomplicate things (dare I say).

    Your problem would be solved by adding a stateful firewall to your design and terminating, for example, the remote-access VPN on it.

    This would substantially reduce the burden on the DMVPN routers in the case of PPE or future growth, and would allow you to leave the real packet filtering on a device that is supposed to be stateful anyway.

    I will attach a picture in a moment of what I'm thinking of.

    Marcin

    Edit: adding a hastily drawn diagram.

  • Can I do this with ESXi?

    Hi, I have a project and I hope to find the answer here:

    I have a Dell server that supports virtualization, 64-bit... everything supports ESXi.

    I have two network adapters, and I want to install 3 virtual machines running Windows Server 2008. I'll connect NIC number 1 on the host to a management switch and NIC number 2 to a mirror port to capture packets using Wireshark in promiscuous mode, or similar software. The first question is whether I can capture packets in promiscuous mode from a guest.

    The second question: I need each of these guests running Windows Server 2008 to also have these two network cards installed and available; I want to manage the guest through the first network card and do packet captures via the second network card.

    Is it possible to link or bridge these logical cards on the guest operating system to the physical network adapters on the host? That way I would be able to select NIC No. 2 on the guest in Wireshark and watch only the packets that my mirror port delivers to NIC 2.

    Thank you.

    You can create a virtual machine portgroup on each vSwitch. vSwitch0 will have the management networking portgroup and a VM portgroup. vSwitch1 will have the second virtual machine network portgroup. In the settings of the virtual machine you will need 2 network cards, one for each VM portgroup. Assuming each VM network portgroup is on a different IP subnet, it is just a matter of choosing which IP you access the guests by. There are a few other networking caveats when connecting networks, especially if they are already connected elsewhere, so just be aware of that when you configure the systems.

    As far as sniffing the network goes... If you enable "Promiscuous" mode on the vSwitch, that only allows you to sniff traffic on that vSwitch. Upstream physical switches will have to be configured the same way if you want to sniff all traffic on them, too.

    I hope that helps answer your questions...

  • DNS server records to monitor traffic.

    I do not understand much about this, so I hope someone can explain it to me.

    I have a server configured with a DNS server running successfully on my Mac mini (primary DNS server for the house).

    I was wondering if there is a way to capture the DNS server logs and monitor the websites visited by specific host IPs/names?

    I don't have an example immediately available, and I expect it will involve either a manually created logging output channel or otherwise searching the DNS server logs.

    If your firewall blocks all outgoing DNS traffic except for DNS queries from the server (this is to avoid clients bypassing the DNS server, via VPN or otherwise), you can turn on extra logging through the command line and then check the DNS server logs.

    This configuration is probably more commonly implemented with either a network sniffer looking for DNS queries arriving at your server, or perhaps a web proxy server, as the proxy server gets you both the client information and the target host information, and not all web-related activity ends up in the DNS logs for a typical client.

    Application network activity, app updates (various of which may appear as HTTPS traffic, too), multiple data streams, etc.

    HTTPS and VPNs can throw a wrench into these listening and data-collection activities, unfortunately. They can hide the access or hide the DNS query, depending on the monitored computers.

    There are various approaches here, including firewall filtering (or logging) and OS X mechanisms such as Parental Controls, depending on the specific details of your needs. There are examples posted around the net for using Wireshark or tcpdump to acquire the DNS data from your network, as well.

    Details on managing BIND 9 from the command line, i.e. when things get hairy, are available in the ISC BIND documentation, such as for 9.10. Look for the logging statement grammar and setting up an output channel, as a starting point.

    For recent versions of OS X Server, the BIND configuration files are under /Library/Server. (See this discussion, as well.)

    Changes to the configuration files can sometimes be clobbered by Server.app, unfortunately. Close Server.app, make the changes to a copy of the file, then restart Server.app (and hope Server.app doesn't spill or undo your changes).
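    The sniffer approach mentioned in the answer above, as an added example (it is not code from the original thread, from ISC or from Apple): a parser for raw DNS query payloads that turns (client IP, UDP destination port, payload) tuples, as a capture tool would deliver them, into "client queried name" records, skipping responses and rejecting malformed questions. The packets are constructed samples; the client addresses and the queried names are assumptions.

```python
"""Parse raw DNS query payloads (UDP/53) into 'client queried name' records."""
import struct
from typing import Iterable, List, Optional, Tuple

QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT",
               28: "AAAA", 33: "SRV", 65: "HTTPS"}


def _read_qname(payload: bytes, offset: int) -> Tuple[str, int]:
    """Decode an uncompressed QNAME (RFC 1035 section 3.1); returns (name, next offset)."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers belong in answers; a question that uses one is malformed.
            raise ValueError("compression pointer in question section")
        label = payload[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", errors="replace"))
        offset += length
    return ".".join(labels) or ".", offset


def parse_dns_query(payload: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (transaction id, qname, qtype name) for a standard query; None for
    responses (QR bit set), multi-question packets and malformed input."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:
        return None
    try:
        qname, offset = _read_qname(payload, 12)
    except ValueError:
        return None
    if offset + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
    return txid, qname, QTYPE_NAMES.get(qtype, f"TYPE{qtype}")


def build_dns_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Encode a minimal recursive query; used below only to construct sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def log_queries(packets: Iterable[Tuple[str, int, bytes]]) -> List[str]:
    """packets: (client IP, UDP destination port, payload), as a capture tool
    would hand them over. Only queries sent to port 53 are recorded."""
    lines = []
    for src_ip, dst_port, payload in packets:
        if dst_port != 53:
            continue
        parsed = parse_dns_query(payload)
        if parsed is None:
            continue
        txid, qname, qtype = parsed
        lines.append(f"{src_ip} {qtype} {qname} (id {txid:#06x})")
    return lines


# Constructed samples (addresses and names are assumptions, not data from the thread):
# two client queries, one server response, one malformed query with a compression pointer.
SAMPLE_RESPONSE = (bytes.fromhex("1234 8180 0001 0001 0000 0000")
                   + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
                   + bytes.fromhex("c00c 0001 0001 0000003c 0004 c0000201"))
SAMPLE_MALFORMED = bytes.fromhex("0001 0100 0001 0000 0000 0000 c00c 0001 0001")
SAMPLE_PACKETS = [
    ("192.168.1.20", 53, build_dns_query(0x1234, "www.example.com")),
    ("192.168.1.21", 53, build_dns_query(0xBEEF, "mail.example.net", 28)),
    ("192.168.1.20", 40123, SAMPLE_RESPONSE),
    ("192.168.1.22", 53, SAMPLE_MALFORMED),
]

if __name__ == "__main__":
    for line in log_queries(SAMPLE_PACKETS):
        print(line)
```

    Feeding it real traffic means reading the UDP payloads out of a pcap (or a raw socket) and handing each one over with its source address; the parser deliberately ignores responses and anything not addressed to port 53, so queries that clients send directly to outside resolvers only show up if the capture point sees them, which is the reason the answer suggests blocking outbound DNS at the firewall.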

  • Wireless - C6180 network traffic

    Product: Photosmart C6180 all-in-one

    The printer has been set up wirelessly to share among 5 computers and works very well.  My concern is the amount of network traffic the printer generates.

    I analysed the network traffic generated by my computer using the Wireshark network protocol analyser (packet sniffer).  The traffic appears as a series of SNMP requests (from the computer) to the printer and SNMP responses from the printer to the computer.  This is probably status reporting in near real time.

    This isn't a problem, but I would like to discuss the volume of network traffic.  I see about 20 requests and 20 responses per second for a single computer.  Requests/responses start on port 1026 (send a request and get a response), then increment to the next port 1027 (request/response), increment to port 1028 and continue.  This continues until it hits port 5000, then starts again at port 1026.  Roughly 4000 ports every 3 minutes.  Each request and response is about 100 bytes of information.

    Is this traffic volume normal?  Can it be reduced?

    I looked in the printer and software configurations to see if it can be reduced to a minimum and cannot see a setting to reduce the traffic.

    Well, I expected someone to complain about this. Also, I think it is rare as well.

    What you see is the HP SW on each computer polling the printer for status. I think the PC port changes with each SNMP request, but you should see all SNMP packets going to port 161 on the printer and the printer answering from port 161 to the originating PC port...

    You'll also see SLP show up on port 427 on the printer as well (plus the usual ARP and NetBIOS stuff).

    To my dismay, this is normal (an old design, in fact) and we are changing it. Yes, it's a chatty protocol, but the network bandwidth should not be significant (using your numbers; I thought the refresh frequency was 1/3 Hz):

    5 computers * 20 SNMP packets/s = 100 SNMP packets/s * 200 bytes/SNMP packet (estimated) = 20000 bytes/s.

    (Is this a lot on an 802.11g wireless network's bandwidth?)

    The real problem occurs when you have a wireless network. Because UDP is not reliable, the SNMP gets/SNMP responses may be lost, especially over the air. When this happens, the SW will retry the request, and after a series of timeouts the HP SW will think the printer is offline.

    Now to answer your original question: you can remove most of the background traffic by disabling the HP printer services. You will still be able to print, but scanning will not work. Another option is to uninstall the HP SW and manually add the printer in Control Panel. Unfortunately, this also gives you printing without scanning.

  • How does the Sniffer work

    Hello.

    I have some questions about the use of the Sniffer.

    I found the following information in the admin guide:

    "A Sniffer captures raw packets of web traffic from its tap points on the network or from instrumented browser pages." Sniffers "decode, decrypt and analyze packets."

    I'm interested: does the Sniffer capture all web traffic and save it to the archive, while the FMS console only shows filtered basic information on parameters such as monitored IP addresses, monitored ports, etc.?

    Or are the monitored IP addresses, monitored ports, etc. the parameters for the Sniffer, and web traffic that does not match those settings is not captured by the Sniffer and not recorded in the archive?

    I think this can help.
    http://eDOCS.quest.com/Foglight/5611/doc/wwhelp/wwhimpl/common/HTML/frameset.htm?context=cartridgeAPM&file=RUECartridge-Admin/ConfiguringTrafficCapture.02.php&single=true

    Filter by IP address
    Clear (default) to capture web traffic for all IP addresses in the monitored environment. Select this option to capture only traffic to and from web servers whose IP addresses are listed on the Monitored IP Addresses dashboard. For more information, see Manage Monitored IP Addresses.
    Tip: in most cases, the sniffer consumes less CPU and memory resources when filtering by IP address.

    So the default is to capture everything; you can check "filter by IP address" to get traffic for specific IP addresses only.
    Don't forget that a sniffer has a certain capacity; capturing "everything" may require several sniffers.

    I hope this helps.

    Golan

  • IDS 4215, right place for the sniffing interface (LAN or DMZ)

    I have this sensor with only two interfaces at work, and I was asked to check it:

    IDSWORK# show version

    Application Partition:

    Cisco Systems Intrusion Detection Sensor, Version 4.1(1)S47

    OS Version 2.4.18-5smpbigphys-4215

    Platform: IDS-4215

    One interface, Ethernet 0, is connected to the DMZ switch, and Ethernet 1 is connected to switch 4005. Logically I have to monitor the DMZ, not switch 4005 (since I have only two interfaces in my case), am I right?

    That means Ethernet 0 should be the sniffing (monitoring) interface since it is connected to the DMZ, and interface 1 the command and control interface since it is connected to switch 4005, but according to the Cisco specifications

    http://Cisco.com/en/us/products/HW/vpndevc/PS4077/products_configuration_guide_chapter09186a008055df7d.html#wp1051279

    Table 5-2

    FastEthernet0/0: interfaces supporting inline VLAN pairs (sensing port)

    FastEthernet0/1: interfaces not supporting inline (command and control port)

    Note: Cisco mentions FastEthernet while I have Ethernet; does that make any difference?

    Because I did not do this configuration (it was done by someone else), should I change it?

    It seems that your box is equipped with the basic ports (2 x Ethernet), with E0 as the C&C port while E1 is the monitoring port.

    BTW, Ethernet/FastEthernet ports are in fact the same.

    To monitor your DMZ segment, place E1 in that segment and E0 on the inside segment, where besides managing the box through its web management or CLI interface you can probably use the basic VMS that comes free with it.

    And since you have a dedicated switch hosting the entire DMZ segment, you can easily monitor (SPAN) everything and send all the traffic to the IDS.

    If you need to change the configuration, you may need to test at least to verify which signatures are enabled/disabled, that the PC/management host is allowed to access the box, and so on. But it is good practice to audit and review the new config/setup, as it is a security zone you need to monitor and trust, and you are talking about all possible threats, attacks or violations.

    HTH

    AK

  • STP traffic flow

    All,

    I have the setup below and am looking for confirmation that it works; your input please.

    core sw1 <------------------- trunk -------------------> core sw2
       !                                                        !
    Distribution L3 switch1 -- no back-to-back connection -- Distribution L3 switch2
       !                                                        !
     trunk                                                    trunk
       !                                                        !
    access layer switch sw1 - trunk connection to both distribution switches

    (1) I have core switches (SW1 and SW2) connected to distribution switches (L3 Distribution SW1 and SW2); the port is configured as a trunk with an L3 interface vlan 40, vlan 40 forming an EIGRP neighbourship with the distribution, so the ports between the switches use L2 and L3. HSRP for vlan 40 is also configured, active (sw1) and standby (sw2).

    (2) Distribution switches - connected to the core with a trunk & int vlan 40 forming an EIGRP neighbourship with both core switches - no HSRP for vlan 40 configured on the distribution switches

    (4) Access layer switch - connected to the distribution switches by L2 trunk with vlan 40 allowed. The gateway for this switch is now based on the HSRP active switch for vlan 40

    (5) On the access switch, the port connected to distribution sw1 is in STP state FWD; the other port is in state BLK

    I would like to check with you: if the link between the access switch and distribution switch 1 goes down, STP takes the second port out of state BLK and puts it in forwarding state, &

    traffic will hit core sw2 and reach the HSRP active gateway IP on core sw1

    I would say it should work fine as long as the EIGRP path cost is in line with your bridge ID switch to designated paths. If you are running equal-cost paths and default bridge IDs, it can cause some strange paths by default, so I think that is your primary consideration.

  • ASA 5505 transparent mode doesn't pass traffic

    Hi all

    Need help.

    The ASA 5505 does not pass traffic like a patch cable; how do you get traffic through?

    ciscoasa# sh ver

    Cisco Adaptive Security Appliance Software Version 8.2(5)
    Device Manager Version 6.4(5)

    Compiled on Fri 20-May-11 16:00 by builders
    System image file is "disk0:/asa825-k8.bin"
    Config file at boot was "startup-config"

    ciscoasa up 55 mins 31 secs

    Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
     0: Int: Internal-Data0/0    : address is e4d3.f193.9486, irq 11
     1: Ext: Ethernet0/0         : address is e4d3.f193.947e, irq 255
     2: Ext: Ethernet0/1         : address is e4d3.f193.947f, irq 255
     3: Ext: Ethernet0/2         : address is e4d3.f193.9480, irq 255
     4: Ext: Ethernet0/3         : address is e4d3.f193.9481, irq 255
     5: Ext: Ethernet0/4         : address is e4d3.f193.9482, irq 255
     6: Ext: Ethernet0/5         : address is e4d3.f193.9483, irq 255
     7: Ext: Ethernet0/6         : address is e4d3.f193.9484, irq 255
     8: Ext: Ethernet0/7         : address is e4d3.f193.9485, irq 255
     9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
    10: Int: Not used            : irq 255
    11: Int: Not used            : irq 255

    Licensed features for this platform:
    Maximum Physical Interfaces    : 8
    VLANs                          : 3, DMZ Restricted
    Inside Hosts                   : 10
    Failover                       : Disabled
    VPN-DES                        : Enabled
    VPN-3DES-AES                   : Enabled
    SSL VPN Peers                  : 2
    Total VPN Peers                : 10
    Dual ISPs                      : Disabled
    VLAN Trunk Ports               : 0
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials          : Disabled
    Advanced Endpoint Assessment   : Disabled
    UC Phone Proxy Sessions        : 2
    Total UC Proxy Sessions        : 2
    Botnet Traffic Filter          : Disabled

    This platform has a Base license.

    Configuration register is 0x1
    Configuration last modified by enable_15 at 20:34:47.689 UTC Wed Dec 5 2012

    ciscoasa# sh run
    : Saved
    :
    ASA Version 8.2(5)
    !
    firewall transparent
    hostname ciscoasa
    enable password 8eeGnt0NEFObbH6U encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
     shutdown
    !
    interface Ethernet0/3
     shutdown
    !
    interface Ethernet0/4
     shutdown
    !
    interface Ethernet0/5
     shutdown
    !
    interface Ethernet0/6
     shutdown
    !
    interface Ethernet0/7
     shutdown
    !
    interface Vlan1
     nameif inside
     security-level 100
    !
    interface Vlan2
     nameif outside
     security-level 0
    !
    ftp mode passive
    access-list outs_in extended permit ip any any
    access-list outs_in extended permit icmp any any
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    no ip address
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group outs_in in interface inside
    access-group outs_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:234e9b9c6c9c941a89e37011325b6d5e
    : end

    ciscoasa# sh access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list outs_in; 2 elements; name hash: 0xd6c65ba5
    access-list outs_in line 1 extended permit ip any any (hitcnt=0) 0x7d210842
    access-list outs_in line 2 extended permit icmp any any (hitcnt=0) 0x5532fcc5
    ciscoasa#

    Hello

    Exactly... Good to know it works now.

    Do you know why it needs the IP address (as a transparent firewall)?

    The ASA will act as a transparent layer 2 device on the network, but what happens when the ASA does not have a particular destination MAC address... what would be the source IP address of the packet it sends? The IP address of the ASA. So that's the main reason why we need it.

    We also use it for management traffic and for AAA services (if authentication is used, the ASA will send the AAA authentication request to the server with this IP address as the source).

    Please mark the question as answered, so future users can benefit from it.

    Julio Carvajal

    Costa Rica

  • Traffic is not passing through the IDSM-2 module in a 6509

    Hello

    I have a similar issue when setting up the IDSM-2 in inline mode. My scenario is that I want to deploy the IDSM-2 in inline mode between two VLANs (vlan 20 and vlan 30). When traffic goes from vlan 20 to vlan 30 and vice versa it should pass through the IDSM-2. I have configured both units (6500 and IDSM-2) according to the Cisco configuration guide, but unfortunately it does not work. I don't get the log of the action configured on the IDSM-2.

    For information and review, I enclose the whole config with screenshots of the IDM.

    Config on the 6509 switch:

    intrusion-detection module 1 management-port access-vlan 90
    intrusion-detection module 1 data-port 1 access-vlan 20
    intrusion-detection module 1 data-port 2 access-vlan 30

    int vlan 20
     ip add 10.20.1.1 255.255.255.0
    int vlan 30
     ip add 10.30.1.1 255.255.255.0
    int vlan 90
     ip add 10.90.1.1 255.255.255.0

    Please advise.

    Thank you

    Aman

    The IDSM is a bridging device.

    You have configured different IP subnets on the two layer 3 VLAN interfaces. You must have the same IP subnet on the two VLANs (inside the IDSM and outside the IDSM).

    Normally you will have a layer 3 interface for the first VLAN, and the second VLAN will not have any layer 3 VLAN interface; this is where you put your servers. Traffic would flow as such:

    Server 10.20.1.2 (default gateway 10.20.1.1) - VLAN 30 - IDSM - VLAN 20 - SVI VLAN 20 10.20.1.1

    If you need to pass traffic through the IDSM between two L3 VLANs, you need to separate the L3 VLANs into two VRFs, and the two VLANs must be in the same IP subnet.

  • TACACS+ traffic over the public Internet

    Hi all

    We have network devices that do not have intranet/VPN connectivity to the internal central TACACS+ servers behind the corporate firewalls. I wonder whether it is acceptable practice to send TACACS+ traffic over the public Internet? The TACACS+ payload is encrypted, but an attacker can still tell that a packet is a TACACS+ packet with a sniffer.

    Thank you

    Are the TACACS+ servers reachable from Internet sources? (Basically it's a combination of whether there is a static public address translation for the TACACS+ servers, and whether the access policies on the Internet firewall devices allow initiating traffic to the TACACS+ servers.) If the answer to either of these conditions is no, there is no point in considering the possibility of sending TACACS+ traffic over the Internet, because it would not succeed. If these conditions are met, then the TACACS+ traffic could be passed.

    And if the traffic could be passed, then it becomes a question of what the company's risk posture towards Internet access is. The good news is that the TACACS+ data is encrypted, so an attacker will not observe the user ID or password. But the bad news is that you have now opened an attack vector to critical network devices. Only someone who knows the business risk position can determine whether the benefit of TACACS+ for remote sites is worth the risk.

    HTH

    Rick
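    To make the "payload is encrypted, but a sniffer can still tell it is TACACS+" point concrete, an added example (it is not from the original thread or from any Cisco code) implementing the TACACS+ header and body obfuscation as specified in RFC 8907: the 12-byte header (version, packet type, sequence number, flags, session id, body length) is always sent in the clear, and the body is XORed with a pad derived from MD5 over the session id, the shared secret, the version and the sequence number. The session id, shared secret and body bytes are constructed sample values.

```python
"""TACACS+ (RFC 8907) packet header and body obfuscation."""
import hashlib
import struct
from typing import Dict

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
PACKET_TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}
VERSION = 0xC0                      # major version 0xC, minor version 0


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenated, then truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; XOR is symmetric, so this also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, key: bytes, ptype: int = 1, seq_no: int = 1) -> bytes:
    """Wire packet = cleartext header + (obfuscated) body. With no shared secret the
    TAC_PLUS_UNENCRYPTED_FLAG is set and the body goes out as-is."""
    flags = 0
    if key:
        body = obfuscate(body, session_id, key, VERSION, seq_no)
    else:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
    return HEADER.pack(VERSION, ptype, seq_no, flags, session_id, len(body)) + body


def parse_header(packet: bytes) -> Dict[str, object]:
    """Everything in the header is readable without the key: this is what a sniffer on
    the Internet path sees on TCP/49, and how it identifies the traffic as TACACS+."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    return {
        "version": version,
        "type": PACKET_TYPES.get(ptype, f"unknown({ptype})"),
        "seq_no": seq_no,
        "session_id": session_id,
        "body_length": length,
        "obfuscated": not (flags & TAC_PLUS_UNENCRYPTED_FLAG),
    }


def recover_body(packet: bytes, key: bytes) -> bytes:
    """What the receiving side (or a sniffer that holds the shared secret) gets back."""
    hdr = parse_header(packet)
    body = packet[HEADER.size:HEADER.size + hdr["body_length"]]
    if not hdr["obfuscated"]:
        return body
    return obfuscate(body, hdr["session_id"], key, hdr["version"], hdr["seq_no"])


# Constructed sample values (not from the thread): an authentication START body in the
# RFC 8907 section 5.1 layout: action=LOGIN, priv_lvl=1, authen_type=ASCII,
# authen_service=LOGIN, then the user/port/rem_addr/data lengths and the strings.
SAMPLE_BODY = bytes([1, 1, 1, 1, 5, 4, 8, 0]) + b"admin" + b"tty0" + b"10.0.0.1"
SAMPLE_SESSION_ID = 0x1A2B3C4D
SAMPLE_KEY = b"example-shared-secret"

if __name__ == "__main__":
    pkt = build_packet(SAMPLE_BODY, SAMPLE_SESSION_ID, SAMPLE_KEY)
    print(parse_header(pkt))              # readable by anyone on the path
    print(recover_body(pkt, SAMPLE_KEY))  # the original body; needs the shared secret
```

    The header alone tells an on-path observer that this is TACACS+, which session and which packet type (authentication, authorization or accounting) it belongs to, and how long the body is; with the shared secret the body falls out directly, and without it the body is protected only by an MD5-keyed XOR pad with no integrity check, which is why RFC 8907 itself calls the obfuscation insufficient and expects the protocol to be run over a secure transport (an IPsec tunnel, for instance) rather than the open Internet.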
