Setting Up Virtual Switches
You can configure a managed device in a Layer 2 deployment so that it provides packet switching between two or more networks. In a Layer 2 deployment, you can configure virtual switches on managed devices to operate as standalone broadcast domains, dividing your network into logical segments. A virtual switch uses the media access control (MAC) address from a host to determine where to send packets.
When you configure a virtual switch, the switch initially floods packets out of every available port on the switch. Over time, the switch learns which hosts reside on the network connected to each port from the source MAC addresses of the traffic returning on that port, and then forwards packets for a known host out of that port only.
A virtual switch must contain two or more switched interfaces to handle traffic. For each virtual switch, traffic becomes limited to the set of ports configured as switched interfaces. For example, if you configure a virtual switch with four switched interfaces, packets sent in through one port for broadcast can only be sent out of the remaining three ports on the switch.
When you configure a physical switched interface, you must assign it to a virtual switch. You can also define additional logical switched interfaces on a physical port as needed. On Series 3 managed devices, you can group multiple physical interfaces into a single logical switched interface called a link aggregation group (LAG). This single aggregate logical link provides higher bandwidth, redundancy, and load-balancing between two endpoints.
See the following sections for more information about configuring a Layer 2 deployment:
- Configuring Switched Interfaces
- Configuring Virtual Switches
Configuring Switched Interfaces
You can set up switched interfaces to have either physical or logical configurations. You can configure physical switched interfaces for handling untagged VLAN traffic. You can also create logical switched interfaces for handling traffic with designated VLAN tags.
In a Layer 2 deployment, the system drops any traffic received on an external physical interface that does not have a switched interface waiting for it. If the system receives a packet with no VLAN tag and you have not configured a physical switched interface for that port, it drops the packet. If the system receives a VLAN-tagged packet and you have not configured a logical switched interface, it also drops the packet.
The system handles traffic that has been received with VLAN tags on switched interfaces by stripping the outermost VLAN tag on ingress before any rules evaluation or forwarding decisions. Packets leaving the device through a VLAN-tagged logical switched interface are encapsulated with the associated VLAN tag on egress.
Note that if you change the parent physical interface to inline or passive, the system deletes all the associated logical interfaces.
See the following sections for more information:
- Configuring Physical Switched Interfaces
- Adding Logical Switched Interfaces
- Deleting Logical Switched Interfaces
Configuring Physical Switched Interfaces
You can configure one or more physical ports on a managed device as switched interfaces. You must assign a physical switched interface to a virtual switch before it can handle traffic.
To configure a physical switched interface:
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device where you want to configure the switched interface, click the edit icon.
Step 3 Next to the interface you want to configure as a switched interface, click the edit icon.
The Edit Interface pop-up window appears.
Step 4 Click Switched to display the switched interface options.
Step 5 Optionally, from the Security Zone drop-down list, select an existing security zone or select New to add a new security zone.
Step 6 Optionally, from the Virtual Switch drop-down list, select an existing virtual switch or select New to add a new virtual switch.
Note that if you add a new virtual switch, you must configure it on the Virtual Switches tab of the Device Management page (Devices > Device Management > Virtual Switches) after you set up the switched interface. See Adding Virtual Switches.
Step 7 Select the Enabled check box to allow the switched interface to handle traffic.
If you clear the check box, the interface is disabled and administratively taken down; it passes no traffic until you enable it again.
Step 8 From the Mode drop-down list, select an option to designate the link mode or select Autonegotiation to specify that the interface is configured to auto negotiate speed and duplex settings. Note that mode settings are available only for copper interfaces.
Note Interfaces on 8000 Series appliances do not support half-duplex options.
Step 9 From the MDI/MDIX drop-down list, select an option to designate whether the interface is configured for MDI (medium dependent interface), MDIX (medium dependent interface crossover), or Auto-MDIX. Note that MDI/MDIX settings are available only for copper interfaces.
By default, MDI/MDIX is set to Auto-MDIX, which automatically handles switching between MDI and MDIX to attain link.
Step 10 In the MTU field, type a maximum transmission unit (MTU), which designates the largest size packet allowed.
The range within which you can set the MTU can vary depending on the FireSIGHT System device model and the interface type. See MTU Ranges for Managed Devices for more information.
The physical switched interface is configured. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.
Adding Logical Switched Interfaces
For each physical switched interface, you can add multiple logical switched interfaces. You must associate each logical interface with a VLAN tag to handle traffic received by the physical interface with that specific tag. You must assign a logical switched interface to a virtual switch to handle traffic.
To edit an existing logical switched interface, click the edit icon next to the interface.
To add a logical switched interface:
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device where you want to add the switched interface, click the edit icon.
The Add Interface pop-up window appears.
Step 4 Click Switched to display the switched interface options.
Step 5 From the Interface drop-down list, select the physical interface that will receive the VLAN-tagged traffic.
Step 6 In the VLAN Tag field, type a tag value that gets assigned to inbound and outbound traffic on this interface. The value can be any integer from 1 to 4094.
Step 7 Optionally, from the Security Zone drop-down list, select an existing security zone or select New to add a new security zone.
Step 8 Optionally, from the Virtual Switch drop-down list, select an existing virtual switch or select New to add a new virtual switch.
Note that if you add a new virtual switch, you must configure it on the Device Management page (Devices > Device Management > Virtual Switches) after you set up the switched interface. See Adding Virtual Switches.
Step 9 Select the Enabled check box to allow the switched interface to handle traffic.
If you clear the check box, the interface becomes disabled and administratively taken down. If you disable a physical interface, you also disable all of the logical interfaces associated with it.
Step 10 In the MTU field, type a maximum transmission unit (MTU), which designates the largest size packet allowed.
The range within which you can set the MTU can vary depending on the FireSIGHT System device model and the interface type. See MTU Ranges for Managed Devices for more information.
The logical switched interface is added. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.
Note When a physical interface is disabled, the logical interfaces associated with it are also disabled.
Deleting Logical Switched Interfaces
When you delete a logical switched interface, you remove it from the physical interface where it resides, as well as the virtual switch and security zone it is associated with.
To delete a switched interface:
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Select the managed device that contains the switched interface you want to delete and click the edit icon for that device.
The Interfaces tab for that device appears.
Step 3 Next to the logical switched interface you want to delete, click the delete icon.
Step 4 When prompted, confirm that you want to delete the interface.
The interface is deleted. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.
Configuring Virtual Switches
Before you can use switched interfaces in a Layer 2 deployment, you must configure virtual switches and assign switched interfaces to them. A virtual switch is a group of switched interfaces that process inbound and outbound traffic through your network.
See the following sections for more information about configuring virtual switches:
- Viewing Virtual Switches
- Adding Virtual Switches
- Configuring Advanced Virtual Switch Settings
- Deleting Virtual Switches
Viewing Virtual Switches
The Virtual Switches tab of the Device Management page displays a list of all the virtual switches you have configured on a device. The page includes summary information about each switch, as described in the following table.
Adding Virtual Switches
You can add virtual switches from the Virtual Switches tab of the Device Management page. You can also add switches as you configure switched interfaces.
You can assign only switched interfaces to a virtual switch. If you want to create a virtual switch before you configure the switched interfaces on your managed devices, you can create an empty virtual switch and add interfaces to it later.
Tip To edit an existing virtual switch, click the edit icon next to the switch.
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device where you want to add the virtual switch, click the edit icon.
Step 3 Click Virtual Switches.
The Virtual Switches tab appears.
Step 4 Click Add Virtual Switch.
The Add Virtual Switch pop-up window appears.
Step 5 In the Name field, type a name for the virtual switch. You can use alphanumeric characters and spaces.
Step 6 Under Available, select one or more switched interfaces to add to the virtual switch.
Tip Interfaces that you have disabled from the Interfaces tab are not available; disabling an interface after you add it removes it from the configuration.
Step 8 Optionally, from the Hybrid Interface drop-down list, select a hybrid interface that ties the virtual switch to a virtual router. For more information, see Setting Up Hybrid Interfaces.
The virtual switch is added. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.
Tip To configure advanced settings for the switch, such as static MAC entries and spanning tree protocol, see Configuring Advanced Virtual Switch Settings.
Configuring Advanced Virtual Switch Settings
When adding or editing a virtual switch, you can add static MAC entries, enable Spanning Tree Protocol (STP), drop Bridge Protocol Data Units (BPDU), and enable strict TCP enforcement.
Over time, a virtual switch learns MAC addresses from the source addresses of the traffic that arrives on each port. Optionally, you can manually add a static MAC entry, which pins a MAC address to a specific switched interface. Regardless of whether you ever receive traffic from that address on that port, the entry remains in the table and is not overwritten by learning. You can specify one or more static MAC addresses for each virtual switch.
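The following Python model is added here as an illustration; it is not code from the FireSIGHT System. It ties together the behaviour described under Configuring Switched Interfaces (a frame is classified to a physical or logical switched interface by port and VLAN tag, the outermost 802.1Q tag is stripped on ingress and re-added on egress, and a frame with no matching switched interface is dropped) with the MAC learning, flooding and static MAC entries described above, including the rule that the all-zeros and broadcast addresses cannot be static entries. The port names (s1p1 and so on), the documentation-range MAC addresses (00:00:5e:00:53:xx) and the frames are constructed for the example; a real managed device performs this switching in its data plane and does not expose this logic.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

TPID_8021Q = 0x8100
BROADCAST = "ff:ff:ff:ff:ff:ff"
NULL_MAC = "00:00:00:00:00:00"


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_frame(dst: str, src: str, payload: bytes,
                vlan: Optional[int] = None, ethertype: int = 0x0800) -> bytes:
    """Constructed Ethernet II frame, optionally carrying one 802.1Q tag."""
    hdr = mac_to_bytes(dst) + mac_to_bytes(src)
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)   # TCI with PCP/DEI = 0
    return hdr + struct.pack("!H", ethertype) + payload


@dataclass(frozen=True)
class SwitchedIface:
    port: str            # physical port (hypothetical names such as "s1p1")
    vlan: Optional[int]  # None = physical (untagged) interface, else logical for that tag


class VirtualSwitch:
    def __init__(self, ifaces: Iterable[SwitchedIface],
                 static_macs: Optional[Dict[str, SwitchedIface]] = None):
        self.ifaces = {(i.port, i.vlan): i for i in ifaces}
        self.static = dict(static_macs or {})       # pinned entries, never overwritten
        for mac in self.static:
            if mac in (NULL_MAC, BROADCAST):
                raise ValueError(f"{mac} cannot be a static MAC entry")
        self.learned: Dict[str, SwitchedIface] = {}

    def _ingress(self, port: str, frame: bytes) -> Optional[Tuple[SwitchedIface, bytes]]:
        """Map a frame to a switched interface and strip the outermost 802.1Q tag."""
        if len(frame) < 14:
            return None
        (ethertype,) = struct.unpack("!H", frame[12:14])
        vlan = None
        if ethertype == TPID_8021Q:
            if len(frame) < 18:
                return None
            (tci,) = struct.unpack("!H", frame[14:16])
            vlan = tci & 0x0FFF
            frame = frame[:12] + frame[16:]          # remove TPID+TCI, keep inner ethertype
        iface = self.ifaces.get((port, vlan))
        return None if iface is None else (iface, frame)   # no interface waiting: drop

    @staticmethod
    def _egress(iface: SwitchedIface, frame: bytes) -> bytes:
        if iface.vlan is None:
            return frame
        return frame[:12] + struct.pack("!HH", TPID_8021Q, iface.vlan) + frame[12:]

    def receive(self, port: str, frame: bytes):
        """Return (action, {(port, vlan): egress frame}) for one received frame."""
        hit = self._ingress(port, frame)
        if hit is None:
            return "drop", {}
        iface, untagged = hit
        dst, src = mac_to_str(untagged[:6]), mac_to_str(untagged[6:12])
        if src not in self.static:                  # learn from source MACs; static wins
            self.learned[src] = iface
        target = self.static.get(dst) or self.learned.get(dst)
        if target is None or dst == BROADCAST:      # unknown or broadcast: flood
            outs, action = [i for i in self.ifaces.values() if i != iface], "flood"
        elif target == iface:
            return "filter", {}                     # destination sits on the ingress side
        else:
            outs, action = [target], "forward"
        return action, {(i.port, i.vlan): self._egress(i, untagged) for i in outs}


def demo():
    """Constructed scenario: two untagged ports plus one VLAN 10 logical interface."""
    sw = VirtualSwitch(
        [SwitchedIface("s1p1", None), SwitchedIface("s1p2", None), SwitchedIface("s1p3", 10)],
        static_macs={"00:00:5e:00:53:aa": SwitchedIface("s1p2", None)},
    )
    host_a, host_b = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    return {
        "arp_request": sw.receive("s1p1", build_frame(BROADCAST, host_a, b"who-has", ethertype=0x0806)),
        "arp_reply": sw.receive("s1p3", build_frame(host_a, host_b, b"is-at", vlan=10, ethertype=0x0806)),
        "unknown_vlan": sw.receive("s1p3", build_frame(host_a, host_b, b"x", vlan=30)),
        "untagged_on_p3": sw.receive("s1p3", build_frame(host_a, host_b, b"x")),
        "to_static_mac": sw.receive("s1p1", build_frame("00:00:5e:00:53:aa", host_a, b"x")),
    }
```

In the scenario, the broadcast from s1p1 is flooded out of the other two interfaces and leaves s1p3 carrying a VLAN 10 tag; the tagged reply on s1p3 is stripped, classified to the logical interface, and forwarded untagged to the port where the first host was learned; frames with VLAN 30 or no tag on s1p3 are dropped because the switch has no switched interface for them; and the frame to the static address is forwarded to s1p2 even though nothing has ever been received from that address.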
STP is a network protocol used to prevent Layer 2 loops. Bridges exchange BPDUs that carry information about the bridges in the network; the protocol uses them to select the lowest-cost path and to block redundant links. If an active link fails, Spanning Tree fails over to a blocked alternate link.
If your virtual switch forwards traffic between VLANs on a single physical interface, similar to a router on a stick, BPDUs enter and exit the device through different logical switched interfaces but the same physical switched interface. As a result, STP identifies the device as a redundant network loop, which can cause issues in certain Layer 2 deployments. To prevent this, you can configure the virtual switch at the domain level to have the device drop BPDUs when monitoring traffic.
Note Cisco strongly recommends that you enable STP when configuring a virtual switch that you plan to deploy in a device cluster.
To maximize TCP security, you can enable strict enforcement, which blocks connections where the three-way handshake was not completed. Strict enforcement also blocks:
- non-SYN TCP packets for connections where the three-way handshake was not completed
- non-SYN/RST packets from the initiator on a TCP connection before the responder sends the SYN-ACK
- non-SYN-ACK/RST packets from the responder on a TCP connection after the SYN but before the session is established
- SYN packets on an established TCP connection from either the initiator or the responder
Note that if you associate the virtual switch with a logical hybrid interface, the switch uses the same strict TCP enforcement setting as the virtual router associated with the logical hybrid interface. You cannot specify strict TCP enforcement on the switch in this case.
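To make the four rules concrete, the following connection tracker is added as an example; it is not code from the FireSIGHT System or from Snort. It keeps handshake state per connection and classifies each TCP segment as pass or drop according to the state it has seen so far. The client and server addresses (documentation ranges), the ports and the segment sequence are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

SYN_SENT, SYN_RECEIVED, ESTABLISHED = "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED"
ConnKey = Tuple[str, int, str, int]   # (initiator ip, port, responder ip, port)


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # any of SYN, ACK, RST, FIN, PSH


class StrictTcpEnforcer:
    """Tracks handshake state per connection and applies the four strict rules."""

    def __init__(self):
        self.table: Dict[ConnKey, str] = {}

    def _lookup(self, seg: Segment) -> Tuple[Optional[ConnKey], bool]:
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if fwd in self.table:
            return fwd, True          # segment travels initiator -> responder
        if rev in self.table:
            return rev, False         # segment travels responder -> initiator
        return None, False

    def inspect(self, seg: Segment) -> Tuple[str, str]:
        f = seg.flags
        pure_syn = "SYN" in f and "ACK" not in f
        syn_ack = {"SYN", "ACK"} <= f
        key, from_initiator = self._lookup(seg)

        if key is None:
            if pure_syn:
                self.table[(seg.src, seg.sport, seg.dst, seg.dport)] = SYN_SENT
                return "pass", "SYN opens a new tracked connection"
            # Rule 1: nothing but a SYN is accepted before the handshake completes.
            return "drop", "non-SYN packet with no completed three-way handshake"

        if "RST" in f:                # RST is allowed in every state and ends tracking
            del self.table[key]
            return "pass", "RST tears down the tracked connection"

        state = self.table[key]
        if state == SYN_SENT:
            if from_initiator:
                if pure_syn:
                    return "pass", "SYN retransmit"
                # Rule 2: initiator may send only SYN or RST until the SYN-ACK arrives.
                return "drop", "initiator sent non-SYN/RST before responder's SYN-ACK"
            if syn_ack:
                self.table[key] = SYN_RECEIVED
                return "pass", "SYN-ACK"
            # Rule 3: responder may send only SYN-ACK or RST until the session is established.
            return "drop", "responder sent non-SYN-ACK/RST before session established"

        if state == SYN_RECEIVED:
            if from_initiator:
                if pure_syn:
                    return "pass", "SYN retransmit"
                if "ACK" in f:
                    self.table[key] = ESTABLISHED
                    return "pass", "handshake completed"
                return "drop", "initiator sent non-ACK before completing handshake"
            if syn_ack:
                return "pass", "SYN-ACK retransmit"
            return "drop", "responder sent non-SYN-ACK/RST before session established"

        # ESTABLISHED: Rule 4 rejects a SYN from either side on a live connection.
        if "SYN" in f:
            return "drop", "SYN on an established connection"
        return "pass", "established connection traffic"


def demo() -> Dict[str, str]:
    """Constructed exchange between a client and a server (documentation addresses)."""
    client, server = ("198.51.100.10", 40001), ("203.0.113.5", 443)

    def c2s(*flags):
        return Segment(*client, *server, frozenset(flags))

    def s2c(*flags):
        return Segment(*server, *client, frozenset(flags))

    enforcer = StrictTcpEnforcer()
    steps = [
        ("syn", c2s("SYN")),
        ("ack_before_synack", c2s("ACK")),        # rule 2
        ("responder_bare_ack", s2c("ACK")),       # rule 3
        ("synack", s2c("SYN", "ACK")),
        ("ack", c2s("ACK")),
        ("data", c2s("PSH", "ACK")),
        ("syn_on_established", s2c("SYN")),       # rule 4
        ("stray_ack", Segment("192.0.2.7", 5555, *server, frozenset({"ACK"}))),  # rule 1
    ]
    return {name: enforcer.inspect(seg)[0] for name, seg in steps}
```

RST is honoured in every state and removes the entry; FIN teardown and idle timeouts are left out of the model. A SYN-ACK for which the tracker holds no state is treated like any other non-SYN segment and dropped, which is the conservative choice when there is no connection to attach it to.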
To configure advanced virtual switch settings:
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device that contains the virtual switch you want to edit, click the edit icon.
Step 3 Click Virtual Switches.
The Virtual Switches tab appears.
Step 4 Next to the virtual switch that you want to edit, click the edit icon.
The Edit Virtual Switch pop-up window appears.
Step 6 To add a static MAC entry, click Add .
The Add Static MAC Address pop-up window appears.
Step 7 In the MAC Address field, type the address using the standard format of six groups of two hexadecimal digits separated by colons (for example, 01:23:45:67:89:AB).
Note The all-zeros address (00:00:00:00:00:00) and the broadcast address (FF:FF:FF:FF:FF:FF) cannot be added as static MAC addresses.
Step 8 From the Interface drop-down list, select the interface where you want to assign the MAC address.
The MAC address is added to the Static MAC Entries table.
To edit a MAC address, click the edit icon. To delete a MAC address, click the delete icon.
Step 10 Optionally, to enable the Spanning Tree Protocol, select Enable Spanning Tree Protocol. Select Enable Spanning Tree Protocol only if your virtual switch switches traffic between multiple network interfaces.
You cannot select Drop BPDUs unless you clear Enable Spanning Tree Protocol .
Step 11 Optionally, select Strict TCP Enforcement to enable strict TCP enforcement.
If you associate the virtual switch with a logical hybrid interface, this option does not appear and the switch uses the same setting as the virtual router associated with the logical hybrid interface.
Step 12 Optionally, select Drop BPDUs to drop BPDUs at the domain level. Select Drop BPDUs only if your virtual switch routes traffic between VLANs on a single physical interface.
You cannot select Enable Spanning Tree Protocol unless you clear Drop BPDUs.
Your changes are saved. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.
Deleting Virtual Switches
When you delete a virtual switch, any switched interfaces assigned to the switch become available for inclusion in another switch.
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Select the managed device that contains the virtual switch you want to delete and click the edit icon for that device.
The Interfaces tab for that device appears.
Step 3 Click Virtual Switches.
The Virtual Switches tab appears.
Step 4 Next to the virtual switch that you want to delete, click the delete icon.
Step 5 When prompted, confirm that you want to delete the virtual switch.
The virtual switch is deleted. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.