6 Replies Latest reply on Sep 3, 2015 12:16 AM by hagarwal

    Intrushields in a virtualised environment

    c4c

      Hey Guys,

      Thought I'd share a setup we've used to get our Intrushields to scan Vlans in our virtualised environment.

      Our issue is that we've got multiple hosts on different VLANs within our VMware infrastructure that we wanted to scan with our IPSs. (We use Cisco 6500s for our core network.)

      We initially came up with a solution that uses one physical connection per network we wanted to scan - but we need to scan lots of VLANs...

      [image: issue.gif]

      Our solution used the Cisco VLAN translation feature. So we pass a trunk out of the core to the IPS, scan the traffic, pass it back to the core - but translate it onto another VLAN (then we can route/firewall knowing the traffic has been cleaned).

      [image: translation.gif]

      This allows an 802.1q trunk of VLANs to be scanned by the IPS. The switch ports have effectively been bridged now, so some extra commands are required to make this work:

      • Only one of the ports, the one where the VLAN translation is performed, needs the command "switchport vlan mapping enable" (Interface 1 above).
      • On the translation port (Interface 1), the following command is needed to specify each VLAN translation: "switchport vlan mapping <VLAN-id-of-VLAN-on-trunk> <VLAN-id-of-VLAN-internal-to-chassis>" (e.g. "switchport vlan mapping 1 101"). This will cause the same command to appear on all other ports within the block of 12 ports, e.g. 1-12, 13-24 etc.
      • The "switchport trunk allowed vlan xxx" command is required on the translation port (Interface 1) to permit the VLAN IDs within the 6500 chassis that are allowed to pass between the chassis's backplane and the individual translation port itself. This command does NOT filter the VLAN IDs of the VLANs accepted from the external trunk, or sent to the external trunk. This is because for frames leaving the chassis, the VLAN translation occurs after the "allowed" statement has been applied (the VLAN translation on this port makes for non-typical behaviour of the "trunk allowed" command).
      • The "switchport trunk allowed vlan xxx" command is required in a typical fashion on the non-translation port (Interface 2) to allow only the correct VLAN IDs to be received from the trunk, and only the correct VLAN IDs to be sent onto the trunk.
      • On the 6500, VTP (VLAN Trunking Protocol) pruning is on by default on all ports. Therefore VTP will attempt to "prune" a VLAN from a trunk port if it is not needed. This creates an issue for a port performing a VLAN translation, because VTP will prune a VLAN that is still required on the trunk. To solve this issue, the VLAN ID of the chassis-side VLAN (i.e. not the VLAN ID of the VLAN on the trunk, but the translated VLAN within the chassis) needs to be prevented from being pruned on the VLAN translation port. The reason it's the chassis ID that needs to be prevented from being pruned is that the VLAN translation occurs AFTER the pruning allowed filter is applied as frames leave the chassis. The VLANs can be prevented from being pruned by the command "no switchport trunk pruning vlan XXX" (SUMMARY: the value of XXX needs to be the ID of the VLAN that is INSIDE the switch, and NOT the VLAN ID that is on the trunk. XXX is also the SAME as the ID used in the "trunk allowed vlan" statement on the same interface).
      • Pruning also needs to be prevented on the non-translation port (Interface 2) to make sure that traffic for that VLAN is allowed on the trunk, and never pruned, e.g. "no switchport trunk pruning vlan YYY" (NOTE: "YYY" is the VLAN ID of the VLAN that is allowed on the trunk. The VLAN IDs used in the "no switchport trunk pruning vlan YYY" statements applied to the non-translation port are the same VLAN IDs used in the "trunk allowed" statement on that port (Interface 2)).
      • Speed and duplex settings have no direct relationship to the VLAN translation setup.
      • CDP has no effect on these commands.
      This is what it looks like when you put all that together (note the "switchport vlan mapping enable" command is only used once and the "switchport vlan mapping 1 101" commands are only entered once but appear on the block of 12 ports):

      !
      interface GigabitEthernet1/1
       description Translation Port
       switchport
       switchport trunk encapsulation dot1q
       switchport trunk allowed vlan 101,102,103
       switchport trunk pruning vlan 2-101,104-600
       switchport trunk pruning vlan add 601-1001
       switchport mode trunk
       switchport vlan mapping enable
       switchport vlan mapping 1 101
       switchport vlan mapping 2 102
       switchport vlan mapping 3 103
      end
      !
      interface GigabitEthernet1/2
       description Trunk port
       switchport
       switchport trunk encapsulation dot1q
       switchport trunk allowed vlan 1,2,3
       switchport trunk pruning vlan 4-600
       switchport trunk pruning vlan add 601-1001
       switchport mode trunk
       switchport vlan mapping 1 101
       switchport vlan mapping 2 102
       switchport vlan mapping 3 103
       speed 1000
       duplex full
       no cdp enable
      end

      The Benefits…

      Although this may require some work to set up, the benefits are obvious.

      • Physical network simplicity – the IPS is now “on-a-stick”, requiring only one physical switch.
      • Networks can now be added/removed from the IPS on the fly – if a new threat is identified and a new network needs to be scanned, it can be added instantly. If performance issues are identified passing traffic through the IPS, it can be quickly removed from the trunks (set to be directly routed on the core).
      • Combining this setup with Virtual Firewall modules on a 6500 and with virtual servers gives network administrators even greater flexibility for security.
      • Simplifying the network reduces devices in the datacentre – resulting in higher availability.

      Hope someone gets some benefits from this - it was a bit of fun getting it working...
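      A small consistency check for the rules in the post (added here; this is not code from the post, McAfee or Cisco). It parses the two interface configs and verifies that every mapped chassis-side VLAN is allowed and not prune-eligible on the translation port, and that every trunk-side VLAN is allowed and not prune-eligible on the trunk port. Helper names and the SAMPLE text are assumptions made for this example; SAMPLE mirrors the two interfaces shown above.

```python
# Added example, not code from the post, McAfee or Cisco: lint an IOS-style config
# against the translation/pruning rules the post lists (helper names, SAMPLE assumed).
import re

def expand(spec):
    """'2-101,104-600' -> {2, ..., 101, 104, ..., 600}."""
    ids = set()
    for part in filter(None, spec.replace(" ", "").split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_interfaces(cfg):
    # Per interface: allowed VLANs, prune-eligible VLANs, mappings, enable flag.
    ifaces, cur = {}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith("interface "):
            cur = ifaces[line.split(None, 1)[1]] = dict(
                allowed=set(), pruning=set(), mapping={}, map_enable=False)
        elif cur is None or not line:
            continue
        elif line.startswith("switchport trunk allowed vlan "):
            cur["allowed"] |= expand(line.rsplit("vlan ", 1)[1])
        elif line.startswith("switchport trunk pruning vlan add "):
            cur["pruning"] |= expand(line.rsplit("add ", 1)[1])
        elif line.startswith("switchport trunk pruning vlan "):
            cur["pruning"] = expand(line.rsplit("vlan ", 1)[1])
        elif line == "switchport vlan mapping enable":
            cur["map_enable"] = True
        elif m := re.fullmatch(r"switchport vlan mapping (\d+) (\d+)", line):
            cur["mapping"][int(m[1])] = int(m[2])
    return ifaces

def check_pair(ifaces, trans, trunk):
    """Chassis-side IDs: allowed+unpruned on trans; trunk-side IDs: same on trunk."""
    bad = [] if ifaces[trans]["map_enable"] else [f"{trans}: vlan mapping not enabled"]
    for ext, chassis in ifaces[trans]["mapping"].items():
        for port, vid, side in ((trans, chassis, "chassis"), (trunk, ext, "trunk")):
            if vid not in ifaces[port]["allowed"]:
                bad.append(f"{port}: {side} vlan {vid} not in trunk allowed")
            if vid in ifaces[port]["pruning"]:   # VTP may prune it off the trunk
                bad.append(f"{port}: {side} vlan {vid} is prune-eligible")
    return bad

SAMPLE = "\n".join([  # constructed from the two interfaces in the post
    "interface GigabitEthernet1/1", " switchport trunk allowed vlan 101, 102, 103",
    " switchport trunk pruning vlan 2-101,104-600", " switchport trunk pruning vlan add 601-1001",
    " switchport vlan mapping enable", " switchport vlan mapping 1 101",
    " switchport vlan mapping 2 102", " switchport vlan mapping 3 103",
    "interface GigabitEthernet1/2", " switchport trunk allowed vlan 1, 2, 3",
    " switchport trunk pruning vlan 4-600", " switchport trunk pruning vlan add 601-1001"])
```

      Run over SAMPLE it reports one finding: the prune-eligible range 2-101 on GigabitEthernet1/1 still contains the chassis-side VLAN 101, which is exactly the slow loss of connectivity the pruning bullet describes; shrinking that range to 2-100 clears it.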

        • 1. Re: Intrushields in a virtualised environment
          gooru4speed

          C4C, first of all, thanks very much for sharing your experience; it was hard work for sure to get that configuration working as you need it. By the way, if you had used VLAN Bridging in the IPS instead of VLAN Translation in the Cisco switch, would you have gotten the same results?

          Regards,
          • 2. Re: Intrushields in a virtualised environment
            c4c

            Hey Gooru4speed

                 "You can configure VLAN Bridging only on M-series Sensors."

             We're using I-Series (we've had them for a while now).

             I'd be interested to know if VLAN pruning is an issue for the M-series when used in this configuration (that was the issue we ran into during our deployment).

             Cheers

             C4C

             (McAfee Documents ID PD22456/PD20596 for reference.)

            • 3. Re: Intrushields in a virtualised environment
              gooru4speed

               Hi C4C, I've never had to face a scenario with VLAN pruning and Cisco switches. BTW, I don't have a complete picture of your network and requirements, but if you are considering changing to the M series I'm almost sure you can have the same results if you apply VLAN Bridging on the IPS and forget about any VLAN pruning issue.

               Now let me ask you about IPS configuration:

               1) Did you use VIPS/VIDS VLAN based and apply different policies based on this configuration?

               2) If the response to question number one is yes, are you monitoring VLANs 1, 2 and 3 or VLANs 101, 102, and 103?

               3) How did you set up port settings on 1A-1B regarding whether they are connected to the INSIDE or OUTSIDE network?

               Thanks!

              • 4. Re: Intrushields in a virtualised environment
                c4c

                 Hey gooru4speed,

                 1) Did you use VIPS/VIDS VLAN based and apply different policies based on this configuration?

                 Yes – we have lots of VLANs created with different policies applied as required.

                 2) If the response to question number one is yes, are you monitoring VLANs 1, 2 and 3 or VLANs 101, 102, and 103?

                 We monitor on VLANs 1, 2, 3 etc.; the IPS never sees VLANs 101, 102, 103 (we only allow VLANs 1, 2, 3 on the trunk on int g1/2).

                 3) How did you set up port settings on 1A-1B regarding whether they are connected to the INSIDE or OUTSIDE network?

                 This will depend on how you assign the VLANs. For us the higher values (101, 102 etc.) are treated as clean, so they are the inside connection (1A) – which is port g1/1 in this case.

                 In our environment we also run a mirrored copy of this configuration with another IPS at our backup DR site; this allows spanning tree to automatically fail over in the event of a failure of the primary IPS.

                 I should also mention the error that we received when setting this up (requiring the VLAN pruning commands) – everything would work correctly for several hours, then pruning would kick in and we would lose connectivity to one VLAN, then another, then another… Resetting the interface would bring it back up – for a few hours.

                • 5. Re: Intrushields in a virtualised environment
                  matbaran

                   Hi c4c

                   I have a similar problem in our network.

                   We have two IPSes, one IPS per DC. L2 is stretched between them.

                   I have a question for you.

                   Do you have the same config on both data centers (meaning one translated port and one trunk port), like this setup in the picture:

                   [image: vlan_mapping_ips_1.jpg]

                   Could you confirm whether this should work?

                   I've configured another setup on trunks without VLAN mapping, but with VLAN bridging on the IPSes, and it doesn't work. We have an L2 loop.

                   Thanks in advance

                   Mateusz

                  • 6. Re: Intrushields in a virtualised environment

                     Hi All,

                     I know this is a very old post; however, I have the same scenario as mentioned by matbaran and am getting the same issue.

                     Please let me know if anyone found out the root cause for it?

                     Thanks in advance