Basic configuration IDSM-2

Hello,
I have some experience with sensors but this is my first time configuring a C6500 with IDSM-2, and I have some design questions. The first question is this: can I mix the use of VACL and SPAN to capture traffic in the same configuration?
Customer is actually using VACL to capture traffic from some machines, but he now wants to monitor all the traffic that comes from an external partner through a VPN concentrator, so I assume for this case I should use SPAN to monitor the VPN's port: am I right?
The config that the customer has is more or less the following:
intrusion-detection module 1 data-port 1 capture
intrusion-detection module 1 data-port 1 capture allowed-vlan 1
intrusion-detection module 1 data-port 2 capture allowed-vlan 1
vlan access-map ids 10
match ip address in
action forward capture
vlan access-map ids 20
match ip address out
action forward
vlan filter ids vlan-list 1
ip access-list extended in
permit ip any host 192.168.1.1
permit ip host 192.168.1.1 any
ip access-list extended out
permit ip any any
If I want to use SPAN, what is the limit on the number of source ports I can put in the "monitor session" command?
Should I send this "span" traffic to the sensing interface 8 (data-port 2) or can I still send it to the data-port 1 (sensing interface 7)?
Why are there two sensing interfaces?
Thanks in advance...
Ruben

Does it mean that I can only monitor completely (both directions) one port per monitoring session?
Correct.
Also, if I'm using data port 1 with VACL and data port 2 as destination for "monitor session 1", I suppose I cannot also use data port 2 as destination for "monitor session 2".
An IDSM-2 Data Port can be the destination port for only a single monitor session.
If this is true, this means that I can only monitor simultaneously rx and tx in a source port per catalyst box running this image: am I right?
Correct
Does it make sense to monitor only rx direction for ports connecting with FWs, VPNs and WAN routers or should we monitor both ways?
If you are going to use port span, then you really need to monitor both tx+rx. The promiscuous sensor can be configured to work when monitoring just a single direction (like just rx), but the sensor will be prone to false positives and false negatives. The sensor really needs to see both directions of TCP connections in order to properly monitor them. To monitor single direction you configure the TCP Reassembly mode to be "asym" which is short for asymmetric. It is generally only used when the sensor is deployed in a network with asymmetric routes.
I have noticed that in this case we cannot do what the customer wants unless we upgrade the customer's IOS to 12.2(18)SXE or later... With this new IOS it is possible to have 128 tx or both sources!
I haven't read the Span notes on the latest IOS releases. I am glad to hear that the number of both sources has been increased per session.
Alternatives:
The alternative to using "both" span on a port basis is to use an "rx" vlan span.
But you have to be very careful with "rx" spans.
If the vlan is strictly layer 2 (no ip address assigned to the switch for that vlan), then an "rx" span for the vlan will work well. All traffic coming IN from a firewall will be seen as "rx" packets on the firewall port. All traffic going OUT to the firewall will be seen as "rx" packets from the other switch port where they are entering the vlan. So all packets IN and OUT of the firewall would be seen.
BUT if the switch itself Does have an IP Address on that vlan, and the switch routes between that vlan and other vlans, then this is no longer true.
The span works well on physical ports, but the switch's IP Address is on a Virtual Interface in the vlan. This Virtual Interface does not play well with span in my past experience. The switch has a feature known as MLS (Multi-Layer Switching). The first packets for a TCP connection (the SYN and SYN ACK) are sent through the Virtual Interface for routing. An "rx" vlan span DOES catch these first packets coming from a Virtual Interface. BUT additional packets are affected by MLS. Instead of routing the packets through the Virtual Interface, the MLS kicks in and the packets are Switched in Hardware to the other vlan, and the packet never actually goes through the Virtual Interface. So the packet will NOT be seen by the "rx" span of the vlan.
Most users DO use the switch for routing, and so my recommendation is generally to use both tx+rx with Port Span to get the traffic. BUT if you are NOT routing, then the alternative "rx" span on the Vlan will work as well.
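
The following is an added example, not part of the thread and not Cisco's code: a small Python check that scans switch configuration text for the three SPAN pitfalls raised in the reply above (a data port used as destination by more than one monitor session, port span in a single direction, and an "rx" VLAN span on a VLAN where the switch has an IP address). The sample configuration is constructed, and the command forms it parses are assumed to match what the switch shows in its running configuration.

```python
import re

# Constructed sample config (not from the thread); command forms are assumed
# to match what the switch shows in its running configuration.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 no ip address
monitor session 1 source interface GigabitEthernet2/1 rx
monitor session 1 destination intrusion-detection-module 1 data-port 2
monitor session 2 source vlan 10 rx
monitor session 2 destination intrusion-detection-module 1 data-port 2
monitor session 3 source vlan 20 rx
monitor session 3 destination intrusion-detection-module 1 data-port 1
"""

SRC = re.compile(r"monitor session (\d+) source (interface|vlan) (\S+)(?: (rx|tx|both))?\s*$")
DST = re.compile(r"monitor session (\d+) destination "
                 r"intrusion-detection-module (\d+) data-port (\d+)\s*$")
SVI = re.compile(r"interface Vlan(\d+)\s*$")


def expand_vlans(spec):
    """Expand '10,12-14' into {10, 12, 13, 14}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_span(config):
    """Return findings for the SPAN pitfalls described in the reply above."""
    routed, svi, sources, dests = set(), None, [], {}
    for line in config.splitlines():
        if not line.startswith(" "):          # new top-level command
            m = SVI.match(line)
            svi = int(m.group(1)) if m else None
        elif svi is not None and line.strip().startswith("ip address "):
            routed.add(svi)                   # switch has an IP on this VLAN
        if m := SRC.match(line):
            sources.append((m.group(1), m.group(2), m.group(3), m.group(4) or "both"))
        elif m := DST.match(line):
            dests.setdefault((m.group(2), m.group(3)), []).append(m.group(1))

    findings = []
    for (module, port), sessions in dests.items():
        if len(sessions) > 1:                 # one session per data port
            findings.append(f"shared-destination: module {module} data-port {port} "
                            f"sessions {','.join(sessions)}")
    for session, kind, name, direction in sources:
        if kind == "interface" and direction != "both":
            findings.append(f"single-direction-port-span: session {session} {name} {direction}")
        elif kind == "vlan" and direction == "rx" and expand_vlans(name) & routed:
            findings.append(f"rx-vlan-span-on-routed-vlan: session {session} vlan {name}")
    return findings
```

Session 3 in the sample is not flagged because VLAN 20 has no IP address on the switch, which is the strictly layer 2 case where the reply says an "rx" VLAN span works.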

Similar Messages

  • Basic configuration of IDS

    I am having IDSM-2. Can anyone give me the basic configuration setting of switch as well as IDSM-2? I do not know what to configure on IDSM-2.
    regards
    shivlu

    Following links may help you
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a0080459221.html
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_guide_chapter09186a0080757a88.html

  • Basic configuration in GRC 10 for portals

    Hi Gurus,
    Could you please tell me the basic configuration details in GRC 10 for portals.
    Thanks,
    Mukesh

    Hi Mukesh,
    You can refer to https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/sno/ui_entry/entry.htm?param=69765F6D6F64653D3030312669765F7361…
    However there is no such guide on Portal integration with GRC, you might need to follow below steps:
    1- Create one HTTP type RFC connection between GRC and Portal system.
    2- Create System Alias in portal system for GRC system
    3- Deploy the GRC Portal content in Portal system
    5- Portal content comes with 5 work-sets and one security role. You can assign the portal role that comes with the Portal content to user in Portal and also GRC roles to the same user in GRC system.
    Hope this helps.
    Regards,
    Ameet

  • Willy introscope issue in Basic Configuration

    Hi Experts,
    I am facing issue with Willy introscope enterprise edition, we are unable to view the installation path in SOLUTION MANAGER 7.1 SP12, Basic configuration in step 3.
    Can anybody please throw some light on this issue.
    Thanks in advance,
    Jana

    Dear Janarthan, As a pre-requisite to this step you need to perform following first then take it head with basic configuration.
    1. A diagnostics agent needs to be installed and connected to Solman on the Wily EM host.
    2. The operating system user of the diagnostics agent needs to have read write access to the Wily EM installation directory. (default: /usr/sap/ccms/wilyintroscope).
    Also, You would need to have the Wily EM installed as suggested by Matt to resume the Basic Config at Solman.
    Regards, Amber S | CTS 

  • Several errors during system preparation / basic configuration

    Hello,
    during the basic configuration I get stuck in the process step configure automatically -> setup bw.
    In the slg1 I can see several errors where I don't know if they are related to my bw problem or other problems. Maybe someone can give me a hint how to solve the issue.
    @5C\QError@     2011/11/10 16:58:07 : DIAGTPL/CONFIG/HANDLER=CL_DIAGLS_ABAP_INST_TECH_SY Item does not exist
    @5C\QError@     Product system DUM has no active standalone product version     @35\QLong text exists@
    @5C\QError@     No detected product instances available for technical system C21     @35\QLong text exists@
    in the Solman_setup I have the problem that
    ESR: Extractor setup is not sucessful!
    Cube 0SM_BPMRH is not active and will now be activated automatically
    System status failed for system
    Could someone please help me to solve some of the problems?
    Thanks a lot, Vanessa

    Hello Vanessa,
    I wouldn't recommend looking at SLG1 at all times and try to find solutions for it, since Solution Manager deals with a huge landscape and in most cases some warning is thrown in the logs for any reason.
    For example, the "CL_DIAGLS_ABAP_INST_TECH_SY Item does not exist" and "no active standalone product version @35\QLong text exists@" can be due to systems coming from SLD to the LMDB with no correct definition. If SLD is not passing this information, it is 99% because the system is not well defined there. Hence it is just a warning.
    Now if you see something in SLG1 and indeed you have issues in this diagnostics system, it must be investigated.
    For your BI problem:
    Please execute the steps as described in section "3.2.1 Activation of Info Cube from BI Content" in the Setup BPA Guide.
    1430754 Business Process Analytics: Setup guide
    (https://websmp101.sap-ag.de/~sapdownload/011000358700001210492010E/Setup_Guide_BP_Analytics.pdf)
    Furthermore, I strongly recommend that, for Solution Manager 7.1, you make sure you have the latest SP in ABAP and JAVA. Now we are at ST400 SP03  and LM-SERVICE SP03 patch level 1.
    You must not forward to the next steps if you have a step yellow, red or with Update checked.
    Best regards,
    Guilherme

  • No ''BS: SRM-Portal(Basic Configuration) V1'' in /NWA Deply and Change

    Hi Expert
    I want to integrate SRM7.0 with Portal,
    Environment :
                   SRM7.0 AS ABAP
                   ERP 6.0SR3 AS ABAP/AS JAVA
                   BP for SRM7.0 has installed
                   SRM has been added into Trusted System in Portal
    and I follow InstGuide > "Guide for Automated Configuration: Connecting Portal Systems"
    When I logon Portal with <hostname>:<port>/NWA
                    and click    > Deploy and Change
    there is no "BS: SRM-Portal(Basic Configuration) V1" exist
    I don't know why, whether because my NW7.0 patch 14 need to upgrade? Or other reason

    Hi,
    You can also configure portal connection manually. Please check the Configuration Guide in SAP Solution Manager or offline downloaded configuration guide in http://service.sap.com/srm-inst  SAP SRM Server 7.0 -> Configuration Guide for SAP SRM 7.0 -> Business Package for SAP SRM 7.0.
    You can also access SRM via NWBC html in current SRM 7.0 SP06 without Portal. It is called Portal-Independent Navigation Frame.
    Regards,
    Masa

  • Basic configuration guide to set ECC to PI

    Hi Experts,
    I would like to set a scenario for BAPI to File.
    Please let me know the basic configuration to be set for ECC and PI.
    Explain in detail as I am totally new to this.
    Thanks
    Sunil

    Hi Sunil,
       the 'TP column' can be seen by using
    TCODE
      SMGW
    on the gateway system that you are registering the <Program ID>.
    Menu option
      GoTo
        -> Logged on Clients
    The 'TP Name' column is the 3rd column.
    Can you advise :
    (1)
    if the RFC destination (created on the ECC) system is working by using the 'Test Connection' option in the SM59 RFC destination?
    (2)
    Is the respective RFC Sender Adapter Communication Channel activated?
    (3) how you are calling the RFC, e.g. ABAP report or SE37?
    Regards
      Kenny

  • SolMan 7.1 Configuration:Basic Configuration -Step 2

    Hi All,
    I completed the upgradation of SolMan 7.1 with SPS04 and did the System preparation and Basic Configuration. (txn:solman_setup)
    In the Basic Configuration at the step #2 - Specify User & Connectivity Data I'm still seeing the yellow symbol (Activity Warnings), but within this step all the sub steps (2.1 to 2.5) are in Green mode.
    Do you guys know how to remove this yellow symbol on the step#2?
    Thanks,
    Allam

    Hi,
    please follow the sap note
    [Note 1498701 - Yelow status for Create Users when a local BW system is set|https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1498701] to fix this
    Thanks,
    Jansi

  • Solman 4.0 basic configuration error

    Hi Experts,
    While i'm performing initial configuration part 2 (auto configuration)  in solman 4.0, i'm getting some error. Plz help me to fix
    Basic Configuration Error
    Message no : IMG_FASTCONF015
    Diagnosis
    Solution Manager Basic Configuration Error
    Procedure
    check the messages in application log.
    object: SOLAR
    subobject: SOLMAN_CONFIG
    Thanks
    Ram

    Hi,
    Thanks for your quick reply
    Problem class important------------Basic Configuration error
    Technical Data
    Message type ---------- E (Error)
    Message Class---------- IMG_FASTCONF (IMG Quick Configuration Error Messages)
    Message number-------015
    Message variable 1-------
    Message variable 2-------
    Message variable 3-------
    Message variable 4-------
    Message Attributes
    Level of detail ----------
    Problem class-------- 2 (important)
    Sort criterion ---------
    Number--------------------1
    Thanks
    Ram

  • Basic Configuration and Support Pack Stacks

    Hi everyone,
    Just a general question about the Solution Manager 7 "basic configuration" stuff.
    Are you required to perform the "Basic Configuration" every time after you apply a new support pack stack to solution manager?
    Or is it a one off, after the initial installation?
    Cheers
    Shaun

    Hello,
    https://websmp109.sap-ag.de/~sapidb/011000358700001927282008E has some information about your question.
    Only some parts of SOLMAN_SETUP must be run every time, other parts are optional. For an overview please visit the link.
    Best regards,
    Miguel Ariñ

  • Basic configuration AP-Switch problems

    Hello,
    I am having a problem when I try to configure my AP1131 to a port in a WS-C3560-24PS-S. I've always known that the switchport must be configured as a trunk.
    I will try to give a clear explanation of what I've done:
    In the AP.
    1.- ip address
    2.- default gateway
    3.- vlans configuration
    4.- map SSIDs to vlans
    In the switch.
    Only configure the port as a trunk
    interface FastEthernet0/9
    switchport trunk encapsulation dot1q
    switchport mode trunk
    This way I can do everything. Get access to the network, ping, telnet other devices, but not administer nor ping the AP. But if I configure the switchport as an access port:
    interface FastEthernet0/9
    switchport access vlan 10
    switchport mode access
    This way I can ping other devices from the AP, ping and telnet the AP from the wired network (my laptop). I can connect to the SSID but not ping nor telnet AP or other devices.
    I hope that someone give a clue of what I'm doing wrong or forgetting to configure.
    Thanks a lot

    Have you tried going through the Wireless LAN Controller and Lightweight Access Point Basic Configuration Example (Document ID: 69719)?
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080665cdf.shtml
    Does this document help?

  • 1751 Basic Configuration required

    At Present I am using No-name VOIP Routers and they are working fine. Now I want to replace them with Cisco Routers to get better results. I tried to configure them with Cisco "ConfigMaker" but I am facing lots of problem. I need help.
    I need a basic Configurations:
    Location-1:
    Cisco 1751V Router, installed with WIC-1NET Card in Slot 0 and VIC-2FXO installed in Slot 1.
    PPPoE Settings ( User Name: chopra Password: 123 Fixed IP Address: 82.x.x.6 Authentication protocol: pap)
    Fixed IP Network Settings: ( IP Address 82.x.x.6 Subnet Mask: 255.0.0.0 Gateway IP address: 82.x.x.46 Primary DNS Server: 81.x.x.1 Secondary DNS Server: 81.x.x.2)
    PSTN: Country Code: 0049 Area Code: 2331 Phone Number: 400595 and 400596
    Location-2: Cisco 1751 Router, installed with WIC-1NET Card in Slot 0 and VIC-2FXS installed in Slot 1.
    Fixed IP Network Settings: ( IP Address 203.x.x.108 Subnet Mask: 255.255.255.0 Gateway IP address: 203.x.x.98 Primary DNS Server: 203.x.x.98 Secondary DNS Server: 203.x.x.98 )
    PSTN: Country Code: 0092 Area Code: 85 Phone Number: 77777777 and 88888888
    I want to make calls from Location-2 to Location-1 in PSTN area and the calls from Location-1 should be diverted to Location-2.
    Thanks

    Check out the Dial peer section in this link :
    http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Technologies:Voice_Call_Routing_Dial_Plans&viewall=true

  • AP1602E - basic configuration guide ..

    Hi
    I bought a new 1602E AP .. so it comes with no documentation and the only doc that I found on the net was this:
    http://www.sws.cz/prod_img/cisco/ap1600getstart.pdf
    but I need the getting started guide for the basic configuration ..
    My concern is because the AP will be used for a production environment and the point will be
    what will be the best radio configuration with open with non security .. ? 2.4 or 5ghz ..
    Does anyone know about it? I appreciate your support
    thanks in advance
    regards

    Hi,
    do you have AIR-CAP or AIR-SAP
    as AIR-CAP is controller based AP where you need the WLC to get the AP configured. Simply you have to connect the AP with POE.
    AIR-SAP is standalone and below is the doc to configure it:-
    http://www.cisco.com/en/US/docs/wireless/access_point/15_2_4_JA/configuration/guide/scg15.2.4_book.html
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080c0b93c.shtml
    2.4 GHZ or 5GHZ depends on what type of clients you want to connect ? If you have clients with A radio/ N radio then you need 5 GHZ and if your client is having G radio/N radio you can go for 2.4 GHZ.

  • Basic configuration for Wireless AP

    I have been tasked to configure and deploy 3 access points in three sites within our organization. I need a little help with this task in order to have it complete by Friday.  The model we are using is a Air-Sap1602i-A-K9.  Thank you for your time.

    Please refer to the following links:
    https://supportforums.cisco.com/document/61936/autonomous-ap-and-bridge-basic-configuration-template
    http://www.cisco.com/c/dam/en/us/td/docs/wireless/access_point/15_2_4_JB/configuration/guide/scg15_2_4_JB3a.pdf?mdfid=284366503

  • Portal basic configuration

    hi all
    I'm a student, and an oracle portal beginner. I just got an internship in an IT company, where my first task is to create a portal. There is an application server already installed here, with BI, portal, wireless... I was told that the portal was installed (checked as an option during AS installation) but it is not configured. Where should I begin and what basic configuration I need to do in order to start building the portal?

    You can check by taking a look at the ports for each component.
    The portal is actually served by several components. Webcache -> Apache -> oracle portal modules
    Take a look at the portlist.ini file in the $ORACLE_HOME/install directory. Pay attention to the webcache port, webcache admin port, and apache (oracle http server).
    Portal should be accessible by going to http://<servername>:<webcache port>/pls/portal with an out of the box configuration.
    Also, to get you started, OPMN (oracle process management and notification) manages the processes for each component. You can type opmnctl from the command line with no parameters to get help on its usage.
    Most management can also be done through the enterprise manager. It is usually on http://<servername>:1156/ you will have to login with the ias_admin account. You can get the port by typing emctl status iasconsole from the command line.
    This is the same info I started with when i first started learning portal a year ago.
