Catalyst 6500 and IPS

I have a catalyst 6500 switch on my network and I know it supports an IDS module.What I am not sure is an IPS.
Could somebody who knows be kind enough to tell me if there is the support of IPS in the Catalyst 6500 switch.

The IDSM-2 module is capable of both IDS (promiscuous mode) AND IPS (inline mode).
So if you need IPS (inline mode) you still just buy the same IDSM-2 but configure it for InLine Interface Pair or InLine Vlan Pair mode instead of configuring for Promiscuous mode.

Similar Messages

  • Dot1q Trunk between Catalyst 6500 and HP Blade Enclosures

    We have a requirement to configure trunks to a 6500 and HP GbE2 interconnect switch in a blade enclosure.
    The interconnect switches and the 6500 are connected as in the attachment.
    The configuration was done using the documentation provided by HP for connecting these trunks to the 6500, but there seems to be some problem with STP.
    All the network remains stable for a time and then falls over, traffic counts on the trunk interfaces shoots up to crazy values.
    The access layer (consisting of 2950s) hanging off the 6500 also falls over and the interfaces on the trunks become err-disabled. This happens eventhough we are not trunking the 102-108 vlans that are trunked to the HP switches to these switches.
    We need to run dot1q trunks to the HP blade switches, because of the requirement to have the servers within the blade enclosure in different VLANS. The vlans were configured as per the document provided by HP and the server ports assigned accordingly.
    Has anyone managed to configure etherchannel trunks (dot1q) to HP blade switches? Any guidelines and findings will help

    Forgot the attachment....

  • IPS 45xx/43xx/42xx appliance and Catalyst 6500 Inline Mode issues

    Hello to everyone!
    We have recently got our new IPS 4510 appliance and for now there is a task to develop a connection scheme to our backbone multilayer switch (Catalyst 6500).
    There are several server's and user's VLANs connected to 6500.
    6500 performs inter-vlan routing.
    The main task is to "insert" IPS appliance between traffic path from any VLAN to server's VLANs.
    The additional task is to provide failover in "fail-open" manner (We have only one 4510 appliance. So if 4510 fails then traffic should continue passing without inspections).
    As I understood from this document https://supportforums.cisco.com/docs/DOC-12206 the only way to implement Inline Mode when using multilayer switch is to "take out" default gateway address for inspected subnet on the other VLAN's SVI.
    If we replace IDSM-2 with IPS appliance I suppose we can use hardware bypass feature as a failover measure (in case if IPS fails then traffic between bridged VLANs will still be forwarded).
    But what if there are several VLANs that should be monitored?
    As I understand in such schema we will need to use addtional interface-inline-pair for each monitored VLAN.
    But what if we have 20 VLANs for servers and 50 VLANs for users?
    Can using of VLAN-group mode handle this problem?
    I am not sure but using of VLAN-groups cannot provide bridging between two different VLANs. Am I right?
    And will using of VLAN-group make hardware-bypass feature useless?
    I tryed to simulate the first scenario in Cisco Packet Tracer (i used a bridge to simulate an IPS appliance in interface-pair inline mode):
    May be this is a bug of Packet Tracer but traffic went through IPS only if it was sent from VLAN 10 to VLAN100.
    The return traffic from VLAN 100 to VLAN 10 went through the Catalyst directly.
    When Catalyst recieved the frame it said:
    "The frame destination MAC address matches the MAC address of the active VLAN interface."
    After that it decapsulates the PDU from the Ethernet frame and send IP packet directly to VLAN 10.
    Does it mean that there is a need to change SVI's mac address?
    Thanks for any advice in advance.

    Here is my guess of how to realise my scenario:
    Config on Cat6k should looks something like this:
    ip routing
    interface Ge1/0
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10-12,110-112
    switchport mode trunk
    switchport nonegotiate
    switchport vlan mapping enable
    switchport vlan mapping 110 10
    switchport vlan mapping 111 11
    switchport vlan mapping 112 12
    interface Ge1/1
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10-12
    switchport mode trunk
    switchport nonegotiate
    interface vlan 2
    ip address 10.0.2.1 255.255.255.0
    interface vlan 3
    ip address 10.0.3.1 255.255.255.0
    interface Vlan4
    ip address 10.0.4.1 255.255.255.0
    interface Vlan110
    ip address 10.0.10.1 255.255.255.0
    interface Vlan111
    ip address 10.0.11.1 255.255.255.0
    interface Vlan112
    ip address 10.0.12.1 255.255.255.0
    no interface Vlan10
    no interface Vlan11
    no interface Vlan12
    IPS should operate in VLAN-group inline mode. We could separate traffic by VLAN tag to inspect with different virtual sensors or we use one VS for all trunk traffic.
    Traffic routed from any VLAN to VLANs 10-12 should go through IPS.
    In case if IPS gets powered off - hardware-bypass feature should provide bridging between trunk ports.
    In theory it should work.
    Remained to test it in practice
    Thoughts / suggestions?    

  • Configuring the Catalyst 6500 Switch for IPS Inline Operation of the IDSM

    I understand how to configure the Catalyst 6500 switch so that the monitoring ports are access ports in two separate VLAN's for inline operation.
    However, I don't see any documentation that describes how the desired VLAN traffic gets forced through the IPS.
    In promiscuous mode, you can use VACL's to copy/capture and forward the desired traffic to the IDSM for analysis. I'm not seeing how to get the desired traffic through the IPS.
    Note that the host 6500 is running native IOS 12.2(18)SXE.
    Thanks for any assistance.

    A tranparent firewall is a fairly good comparison.
    Let's say you have vlan 10 with 100 PCs and 1 Router for the network.
    If you want to apply a transparent firewall on that vlan you can not simply put one interface of the firewall on vlan 10. Nothing would go through the firewall.
    Instead you have to create a new vlan, let's say 1010. Now you place one interface of the firewall on vlan 10 and the other on vlan 1010. Still nothing is going through the firewall. So now you move that Router from vlan 10 to vlan 1010. All you do is change the vlan, the IP Address and netmask of the router stay the same.
    The transparent firewall bridges vlan 10 and vlan 1010. The PCs on vlan 10 ae still able to communicate to and through the router, but must go through the transparent firewall to do so.
    The firewall is transparent because it does not IP Route between 2 vlans, instead the same IP subnet exists on both vlans and the firewall transparently beidges traffic between the 2 vlans.
    The transparent firewall can do firewalling between the PCs on vlan 10 and the Router on vlan 1010. But is PC A on vlan 10 talks to PC B on vlan 10, then the transparent firewall does not see and can not block that traffic.
    An InLine sensor is very similar to the transparent firewall and will bridge between the 2 vlans. And similarly an InLine sensor is able to InLine monitor traffic between PCs on vlan 10 and the Router on vlan 1010, but will not be able to monitor traffic between 2 PCs on vlan 10.
    Now the router on one vlan and the PCs on the other vlan is a typical deployment for inline sensors, but your vlans do not Have to be divided that way. You could choose to place some servers in one vlan, and desktop PCs in the other vlan. You subdivide the vlans in what ever method makes sense for your deployment.
    Now for monitoring multiple vlans the same principle still applies. You can't monitor traffic between machines on the same vlan. So for each of the vlans you want to monitor you will need to create a new vlan and split the machines between the 2 vlans.
    In your case with Native IOS you are limited to only 1 pair of vlans for InLine monitoring, but your desired deployment would require 20 vlan pairs.
    The 5.1 IPS software has now the capability to handle the 20 pairs, but the Native IOS software does not have the capability to send the 40 vlans (20 pairs) to the IDSM-2.
    The Native IOS changes are in testing right now, but I have not heard a release date for those changes.
    Now Cat OS has already made these changes. So here is a basic breakdown of what you could do in Cat OS and you can use in preparation for a Native IOS deployment when it gets released.
    For vlans 10-20, and 300-310 that you want monitored you will need to break each of those vlans in to 2 vlans.
    Let's say we make it simple and add 500 to each vlan in order to create the new vlan for each pair.
    So you have the following pairs:
    10/510, 11/511, 12/512, etc...
    300/800, 301/801, 302/802, etc....
    You set up the sensor port to trunk all 40 vlans:
    set trunk 5/7 10-20,300-310,510-520,800-810
    (Then clear all other vlans off that trunk to keep things clean)
    In the IDSM-2 configuration create the 20 inline vlan pairs on interface GigabitEthernet0/7
    Nw on each of the 20 original vlans move the default router for each vlan from the original vlan to the 500+ vlan.
    At this point you should ordinarily be good to go. The IDSM-2 won't be monitoring traffic that stays within each of the original 20 vlans, but Would monitor traffic getting routed in and out of each of the 20 vlans.
    Because of a switch bug you may have to have an additional PC moved to the same vlan as the router if the switch/MSFC is being used as the router and you are deploying with an IDSM-2.

  • Hi, I have a Catalyst 6500 with X6K-SUP2-2ge, the IOS and bootlader image been wiped out, it starts in ROMmon SP mod end can't switch to RP to start download the IOS using Xmodem, though it shouldn't work in ROMmon SP omde but the xmodem is not gving the

    Hi, I have a Catalyst 6500 with X6K-SUP2-2ge, the IOS and bootlader image been wiped out, it starts in ROMmon SP modw and I can't switch to RP to start download the IOS using Xmodem, though Xmodem shouldn't work in ROMmon SP mode but the it's not gving the
    not executable message, the slot0: and disk0: are not accessable can't see the files inside, when I try the dir slot0: or dir disk0: it says it can't be opened and when I try to boot from them there's noting as well, what can I do to load an IOS image to the booflash: or slot0: ,each time I load the image using Xmodem at the end it gives me *** System received a Software forced crash ***
    signal=0x17, code=0x5, context=0x0
    When I run the command:
    rommom1> boot bootflash:
    boot: cannot determine first file name on deice "bootflash:"
    rommon2> boot slot0:
    boot: cannot open "slot0:"
    boot: cannot dtermine first file name on device "slot0:"
    BTW  System Bootstrap, version 7.1
    I''m looking to format the PCMCIA using a PC and format it to FAT16 and copy the boot image into it and then try to load from the PCMCIA afterward if it works I'll format it using the Supervisor engine 2.
    Any one have another new idea I can use, thanks in advance

    This is a potentially complex issue.
    Is this SUP configured to run as IOS native or CatOS Hybrid?
    While in ROMMON can you do the 'dev' command and see whad drives are recognized. Then 'dir' the drives that the SUP recognizes.
    Can you provide the screen captures as it boots?
    You would be bette served by hacing a TAC case.

  • Catalyst 6500 Stack

    Hi,
    I have heard of Cisco releasing new IOS software that will effectively stack Catalyst 6500 switches. Intitially it was called "Satellite".
    Does anyone know about this and when it will be released? Any ideas on how it works?
    My main reason for this is Multi-Chassis EtherChannel on 6513's.
    Thanks.

    The IDSM-2 module is capable of both IDS (promiscuous mode) AND IPS (inline mode).
    So if you need IPS (inline mode) you still just buy the same IDSM-2 but configure it for InLine Interface Pair or InLine Vlan Pair mode instead of configuring for Promiscuous mode.

  • How to remove the WiSM2 from the Catalyst 6500 series switch?

    Hello, can you explain to me how to safely remove the WiSM2 from the Catalyst 6500 series switch?
    According to the documentation "Catalyst 6500 Series Wireless Services Module 2 Installation and Verification Note":
    To remove the WiSM2, perform these steps:
    Step1     Shut down the module by one of these methods:
    In privileged mode from the router prompt, enter the hw-mod module mod shutdown command. NoteIf you enter this command to shut down the module, you must enter the following commands in global configuration mode to restart (power down, and then power up) the module:
    Router# no power enable module modRouter# power enable module mod
    If the module does not respond to any commands, press the SHUTDOWN button located on the front panel of the module.
    Step2     Verify that the WiSM2 shuts down. Do not remove the module from the switch until the POWER LEDis off.
    But, in the case of Step1 (1st methods) I do not see a option "shutdown"  in the command "hw-mod module 3"...
    All I prompted to enter is:
    c6500#hw-module module 3 ?
    boot           Specify boot options for the module through Power Management Bus control register
    reset          Reset specified component
    simulate  Simulate options for the module
    Is it hidden options? IOS version of c6500 is 12.2(33)SXJ1
    In the case of Step2 (2nd methods) there is not any button on the front panel of the module?
    And yet, it is better to remove the module configuration manually or use the command module clear-config prior to removing the module?

    Good catch.
    Which one is true, will get back to you on this if i've something soon.
    http://www.cisco.com/en/US/docs/wireless/module/wism2/installation/note/WiSM_2.html#wp34727
    The above link is procedure to remove wism2. This procedure doesn’t look like wism2 is hot swapable.
    http://www.cisco.com/en/US/docs/wireless/module/wism2/installation/note/WiSM_2.html#wp34621
    All modules, including the supervisor engine (if you have redundant supervisor engines), support hot swapping. You can add, replace, or remove modules without interrupting the system power or causing other software or interfaces to shut down. For more information about hot-swapping modules, see the Catalyst 6500 Series Switch Module Installation Guide.

  • Connection of LC/APC fiber patch cords to Cisco Catalyst 6500 $ Cisco Access 3750 Switches

    I have an LC/APC fiber patch cord infrastructure and I want to connect it to Cisco Catalyst 6500 & Cisco Access 3750 Switches. what type of transceiver should be used?
    I read a note on Cisco website stating the following for Cisco SFP+ transceivers:
    Note: "Only connections with patch cords with PC or UPC connectors are supported. Patch cords with APC connectors are not supported. All cables and cable assemblies used must be compliant with the standards specified in the standards section"

    Thank you,  but my question is that I have a single mode fiber patch cord with LC/APC connector while cisco stating a note that only use LC/PC or LC/UPC type of connectors with SFP+ transceiver.  
    So what type of transceiver should I use to connect LC/APC patch cord to cisco switches?  Is there another type or SFP+ still can be used? 

  • VPC on Nexus 5000 with Catalyst 6500 (no VSS)

    Hi, I'm pretty new on the Nexus and UCS world so I have some many questions I hope you can help on getting some answers.
    The diagram below is the configuration we are looking to deploy, that way because we do not have VSS on the 6500 switches so we can not create only one  Etherchannel to the 6500s.
    Our blades inserted on the UCS chassis  have INTEL dual port cards, so they do not support full failover.
    Questions I have are.
    - Is this my best deployment choice?
    - vPC highly depend on the management interface on the Nexus 5000 for the keep alive peer monitoring, so what is going to happen if the vPC brakes due to:
         - one of the 6500 goes down
              - STP?
              - What is going to happend with the Etherchannels on the remaining  6500?
         - the Management interface goes down for any other reason
              - which one is going to be the primary NEXUS?
    Below is the list of devices involved and the configuration for the Nexus 5000 and 65000.
    Any help is appreciated.
    Devices
    ·         2  Cisco Catalyst with two WS-SUP720-3B each (no VSS)
    ·         2 Cisco Nexus 5010
    ·         2 Cisco UCS 6120xp
    ·         2 UCS Chassis
         -    4  Cisco  B200-M1 blades (2 each chassis)
              - Dual 10Gb Intel card (1 per blade)
    vPC Configuration on Nexus 5000
    TACSWN01
    TACSWN02
    feature vpc
    vpc domain 5
    reload restore
    reload restore   delay 300
    Peer-keepalive   destination 10.11.3.10
    role priority 10
    !--- Enables vPC, define vPC domain and peer   for keep alive
    int ethernet 1/9-10
    channel-group 50   mode active
    !--- Put Interfaces on Po50
    int port-channel 50
    switchport mode   trunk
    spanning-tree port   type network
    vpc peer-link
    !--- Po50 configured as Peer-Link for vPC
    inter ethernet 1/17-18
    description   UCS6120-A
    switchport mode   trunk
    channel-group 51   mode active
    !--- Associates interfaces to Po51 connected   to UCS6120xp-A  
    int port-channel 51
    swithport mode   trunk
    vpc 51
    spannig-tree port   type edge trunk
    !--- Associates vPC 51 to Po51
    inter ethernet 1/19-20
    description   UCS6120-B
    switchport mode   trunk
    channel-group 52   mode active
    !--- Associates interfaces to Po51 connected   to UCS6120xp-B  
    int port-channel 52
    swithport mode   trunk
    vpc 52
    spannig-tree port   type edge trunk
    !--- Associates vPC 52 to Po52
    !----- CONFIGURATION for Connection to   Catalyst 6506
    Int ethernet 1/1-3
    description   Cat6506-01
    switchport mode   trunk
    channel-group 61   mode active
    !--- Associate interfaces to Po61 connected   to Cat6506-01
    Int port-channel 61
    switchport mode   trunk
    vpc 61
    !--- Associates vPC 61 to Po61
    Int ethernet 1/4-6
    description   Cat6506-02
    switchport mode   trunk
    channel-group 62   mode active
    !--- Associate interfaces to Po62 connected   to Cat6506-02
    Int port-channel 62
    switchport mode   trunk
    vpc 62
    !--- Associates vPC 62 to Po62
    feature vpc
    vpc domain 5
    reload restore
    reload restore   delay 300
    Peer-keepalive   destination 10.11.3.9
    role priority 20
    !--- Enables vPC, define vPC domain and peer   for keep alive
    int ethernet 1/9-10
    channel-group 50   mode active
    !--- Put Interfaces on Po50
    int port-channel 50
    switchport mode   trunk
    spanning-tree port   type network
    vpc peer-link
    !--- Po50 configured as Peer-Link for vPC
    inter ethernet 1/17-18
    description   UCS6120-A
    switchport mode   trunk
    channel-group 51   mode active
    !--- Associates interfaces to Po51 connected   to UCS6120xp-A  
    int port-channel 51
    swithport mode   trunk
    vpc 51
    spannig-tree port   type edge trunk
    !--- Associates vPC 51 to Po51
    inter ethernet 1/19-20
    description   UCS6120-B
    switchport mode   trunk
    channel-group 52   mode active
    !--- Associates interfaces to Po51 connected   to UCS6120xp-B  
    int port-channel 52
    swithport mode   trunk
    vpc 52
    spannig-tree port   type edge trunk
    !--- Associates vPC 52 to Po52
    !----- CONFIGURATION for Connection to   Catalyst 6506
    Int ethernet 1/1-3
    description   Cat6506-01
    switchport mode   trunk
    channel-group 61   mode active
    !--- Associate interfaces to Po61 connected   to Cat6506-01
    Int port-channel 61
    switchport mode   trunk
    vpc 61
    !--- Associates vPC 61 to Po61
    Int ethernet 1/4-6
    description   Cat6506-02
    switchport mode   trunk
    channel-group 62   mode active
    !--- Associate interfaces to Po62 connected   to Cat6506-02
    Int port-channel 62
    switchport mode   trunk
    vpc 62
    !--- Associates vPC 62 to Po62
    vPC Verification
    show vpc consistency-parameters
    !--- show compatibility parameters
    Show feature
    !--- Use it to verify that vpc and lacp features are enabled.
    show vpc brief
    !--- Displays information about vPC Domain
    Etherchannel configuration on TAC 6500s
    TACSWC01
    TACSWC02
    interface range GigabitEthernet2/38 - 43
    description   TACSWN01 (Po61 vPC61)
    switchport
    switchport trunk   encapsulation dot1q
    switchport mode   trunk
    no ip address
    channel-group 61   mode active
    interface range GigabitEthernet2/38 - 43
    description   TACSWN02 (Po62 vPC62)
    switchport
    switchport trunk   encapsulation dot1q
    switchport mode   trunk
    no ip address
    channel-group 62   mode active

    ihernandez81,
    Between the c1-r1 & c1-r2 there are no L2 links, ditto with d6-s1 & d6-s2.  We did have a routed link just to allow orphan traffic.
    All the c1r1 & c1-r2 HSRP communications ( we use GLBP as well ) go from c1-r1 to c1-r2 via the hosp-n5k-s1 & hosp-n5k-s2.  Port channels 203 & 204 carry the exact same vlans.
    The same is the case on the d6-s1 & d6-s2 sides except we converted them to a VSS cluster so we only have po203 with  4 *10 Gb links going to the 5Ks ( 2 from each VSS member to each 5K).
    As you can tell what we were doing was extending VM vlans between 2 data centers prior to arrivals of 7010s and UCS chassis - which  worked quite well.
    If you got on any 5K you would see 2 port channels - 203 & 204  - going to each 6500, again when one pair went to VSS po204 went away.
    I know, I know they are not the same things .... but if you view the 5Ks like a 3750 stack .... how would you hook up a 3750 stack from 2 6500s and if you did why would you run an L2 link between the 6500s ?
    For us using 4 10G ports between 6509s took ports that were too expensive - we had 6704s - so use the 5Ks.
    Our blocking link was on one of the links between site1 & site2.  If we did not have wan connectivty there would have been no blocking or loops.
    Caution .... if you go with 7Ks beware of the inability to do L2/L3 via VPCs.
    better ?
    one of the nice things about working with some of this stuff is as long as you maintain l2 connectivity if you are migrating things they tend to work, unless they really break

  • Installing New network card on a Cisco Catalyst 6500 VSS mode

    Hi All.
    I need to install a new network card on Cisco Catalyst 6500 VSS mode, I need to follow any special procedures or is it only insert the new card and the Catalyst automatically recognizes the card?
    Thank you So mucho. 

    Hi,
    Just insert the blade and the switch should recognize it. For the 6500 series the blades are hot swap able.
    HTH

  • Modules Gbic Catalyst 6500

    I have a peculiar problem with two gbic modules of Catalyst 6500.
    First problem, I have a gbic port in module 7, which was a trunkport to Catalyst 2950, that does not allow conection to switch Catalyst 2950, and besides it harmed the yield of Catalyst 6500. I have to disconnect the optical fiber cable so that everything returned to normality.
    Second problem. A port gbic in module 8, I let work and I disconnect of the network to one of the servants, by such reason I had to connect the fiber cable in another one gbic of he himself I module.
    My question is: is necessary to change I modulate 7 and 8 not to have network problems on watch? or single to change gbic affected in each one of the modules?
    Thank you,

    Failure to get GBIC up during installation could be as a result of system requirements not met, incorrect cable installed, lack of power to the device, configuration errors or hardware failure. Verify that the GBIC cable is connected to another active network device and that the port is not shut down. Replace cable with a known good cable. Make sure GBICs are matched on either side of the connection. Make sure the flow control and port negotiation settings are consistent on both sides of the link. There may be incompatibilities in the implementation of these features if the switches being connected are from different vendors. If in doubt, turn these features off on both switches. Swap GBIC to a different slot. Also, try using a spare GBIC to see if it works. For more information, refer to Troubleshooting link :
    http://www.cisco.com/en/US/products/hw/switches/ps628/products_installation_guide_chapter09186a00800d7681.html

  • IDSM on catalyst 6500 to provide IOS Inline mode support

    I am currently evaluating what kind of method to apply in my 6500. I would like to ask if IOS Version 12.2(33)SXI2a  support inline mode and inline vlan pair mode with IDSM-2???what configuration should be done with the switch in order for the multiple vlan traffic to flow with an inline interface of the IDSM2??? In my case I have 16 user vlans and 1 server vlan on catalyst 6500...The task is to protect the servers from users....The requirement is to configure inline mode to monitor the traffic from these 16 vlans when they access the servers...But as we know the IDSM-2 has only two logical sensing ports...So my question is how will you configure the switch to forward the traffic from these 16 vlans to the IDSM-2 module via only ONE sensing port, since the other sensing port will be configured in the server vlan???  Because as far as i know, when you configure inline mode on IOS,you will have to configure the sensing ports in access mode( While in CatOS, you configure these as TRUNK ports)...But this will work when you have only two vlans...But in my case, I have 16 vlans to monitor in inline mode..Please suggest any solution.
    Any urgent reply will be much grateful...
    Many Thanks in advance

    Hi Mubin,
       If you're looking to monitor all the traffic from the user VLANs to the server VLANs then the simplest way to configure the IDSM-2 would be inline on the server VLAN segment.  All traffic destined to the servers (from the users or anywhere else) has to traverse that VLAN.  Assuming you have something like this to start:
    VLAN 100-120 (users) ====== Switch ------ VLAN 200 (servers)
    you'd drop the IDSM-2 inline on VLAN 200 by using a helper VLAN:
    VLAN 100-120 (users) ====== Switch ----- VLAN 201 (server gateway) ----- IDSM-2 (bridging 201 to 200) ----- VLAN 200 (servers)
    To do this you'll need to perform the following steps:
    1.  Designate a new VLAN to use as a helper VLAN for your current server VLAN.  I'll use 201 for this example and assume your current server VLAN is 200.
    Create the helper VLAN on the switch:
    switch# conf t
    switch(config)# vlan 201
    2.  Configure the IDSM-2 to bridge the helper VLAN and the server VLAN (200-201)
    sensor# conf t
    sensor(config)# service interface
    sensor(config-int)# phsyical-interface GigabitEthernet0/7
    sensor(config-int-phy)# admin-state enabled
    sensor(config-int-phy)# subinterface-type inline-vlan-pair
    sensor(config-int-phy-inl)# subinterface 1
    sensor(config-int-phy-inl-sub)# vlan1 200
    sensor(config-int-phy-inl-sub)# vlan2 201
    sensor(config-int-phy-inl-sub)# description Server-Helper pair
    sensor(config-int-phy-inl-sub)# exit
    sensor(config-int-phy-inl)# exit
    sensor(config-int-phy)# exit
    sensor(config-int)# exit
    Apply Changes:?[yes]:
    3.  Configure the switch to trunk the helper and server VLANs to the IDSM-2 module.  I assume the module is in slot 5 in the example.  Replace the 5 with the correct slot for your deployment:
    switch# conf t
    switch(config)# intrusion-detection module 5 data-port 1 trunk allowed-vlan 200,201
    switch(config)# intrusion-detection module 5 data-port 1 autostate include
    *Warning! This next step may cause an outage if everything is configured correctly.  You'll probably want to schedule a window to do this.*
    4.  Finally, force the traffic from the server VLAN through the IDSM-2 by moving the server VLAN gateway from VLAN 200 (where it is currently) to the helper VLAN you created.  To do this, remove the SVI from VLAN 200 and apply the same IP address to VLAN 201.  I assume the current server gateway is 192.168.1.1/24
    switch# conf t
    switch(config)#int vlan 200
    switch(config-int)#no ip addr
    switch(config-int)#int vlan 201
    switch(config-int)#ip addr 192.168.1.1 255.255.255.0
    switch(config-int)#exit
    switch(config)#exit
    switch# wr mem
    Now, when the servers try to contact 192.168.1.1 (their gateway) they'll have to be bridged through the IDSM-2 to reach VLAN 201 and in the process all traffic destined to them or sourced from them will be inspected.  Do not put any hosts or servers in the helper VLAN (201) or they will not be inspected.
    Best Regards,
    Justin

  • Replacement catalyst 6500 switches under redundancy environment

    Hi everyone,
    I plan to replace old core catalyst 6500 switches with new ones for the purpose of reinforcement.
    Now two core catalyst 6500 switches are working under redundancy environment.
    There are many catalyst 6500 switches as distribution switch connect to each core catalyst
    6500 switches as attached.
    I think there are two ways to replace core catalyst 6500 switches.
    [One]
    Replacing one core catalyst 6500 switches first, then one week later, replacing another core
    catalyst 6500 switch. And all traffic will be handled another core catalyst 6500 switch automatically
    by EIGRP routing during replacement.
    Advantage:
    One another core catalyst 6500 switch continues operating even if the replacement fail.
    Disadvantage:
    Two core catalyst 6500 switches will operate in a different version (CatOS, MSFC IOS) for one week.
    Any problem might be happened due to this issue.
    [Two]
    Replacing both core catalyst 6500 switches at the same time.
    Advantage:
    Replacement will be finished at one time
    Disadvantage:
    If the replacement fail, whole network goes to down and it cause critical situation.
    I have to replace successfully so I would like know good information about this, such as
    best practice, case study and so on.
    Your information would be greatly appreciated.
    Best regards,

    Hi,
    If I were you, I will go for option 1.
    This option will give us the time to observe the traffic pattern, time to get the network and EIGRP to stabilize and even to check for any issues on the IOS part.
    This will give you time frame to work out for any issue if it happens in between the weeks time.This will gibe you tha time to see for any imcompatibilty issues as such.
    HTH, Please rate if it does.
    -amit singh

  • 15.1(2)SY1 on Catalyst 6500

    Hi,
    We are planning to upgrade two of our Catalyst 6500 switches to version 15.1(2)SY1 Advanced IP Services.
    The switches have dual supervisors and are currently running version 12.2(33)SXI11, but we have faced some issues and also would also like to enable some new features (e.g. BFD). The switches are running a fairly simple configuration with OSPF, MPLS and MP-BGP with about 30 VRFs.
    Are you aware of any major issues with 15.1(2)SY1 and would discourage the planned upgrade? I am aware that the version was only released in December, but since there are many bug fixes I thought this version might be better than e.g. 15.1(2)SY.
    Thanks in advance for your help!
    Best regards,
    Harry

    We replaced all (~ x20) our Sup720 (SXI4a) with Sup2T during late 2012 & running with Advance Enterprise 15.0(1)SY image. We did not have any issues with that code & still many of our distribution switches running on that code.
    Then we upgraded two core switches with 15.1(1)SY mid last year another two core switches to 15.1(2)SY late last year to accomodate WS-X6904-40G. With both of these new code we had couple of bugs still not proper fix
    CSCue58955: sup2t: LC file systems are not destroyed in Active upon reset"%SNMP-3-INPUT_QFULL_ERR: Packet dropped
    There is workaround for this, but that will impact netflow data if you are using that.
    For me 15.0(1)SY, is much better for Enterprise environment (based on my experience) compare to the two latest. But due to certain limitation we have to go for this newer codes whether you like it or not.
    These bugs may be not related to you if you are not runing Sup2T, anyway just thought to share this experience
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Catalyst 6500 with CatOS ISCSI

    Hi, I'm configuring a Catalyst 6500 with for ISCSI.
    Following the recommendations I have to configure: portfast, jumbo frames, flow control and disable unicast storm control
    - Portfast: on the server and ISCSI SAN ports
        >
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Tabla normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin-top:0cm;
    mso-para-margin-right:0cm;
    mso-para-margin-bottom:10.0pt;
    mso-para-margin-left:0cm;
    line-height:115%;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;}
    set spantree portfast
    - Jumbo frames: Set port jumbo
    - Flow Control:
         > set port flow control receive desired
    Questions:
    1. Where I have to configure flow control? only on the SAN ports and NIC servers? or server ports too?
    2. Unicast Storm control: how can i configure this option?
    Thanks

    We are having the same exact problem. We've done what you've tried with no luck also. Strange thing is that in another building we have the same setup but only with a 6148V blade and that Tandberg has no issues. We're using a 6148AF with the one we're having problems with. We've tried with a 6348 blade and it works fine. I'm thinking it's something with the 6148AF firmware (ver. 8.2(2)).
    Were you able to solve your problem?

Maybe you are looking for