IDSM-2 and inline mode

Hello
I have a question about IDSM-2 (in a Catalyst 6500) with IPS 6.0.3 and inline mode. I wanted to create VLAN groups, so I could have inline IPS with many virtual sensors for subinterfaces (VLAN ranges).
I tried to:
set trunk 5/7 1-4095 (on switch)
set trunk 5/8 1-4095 (on switch)
and in the IDSM-2 CLI:
I created an inline interface (using ports 5/7 and 5/8), but after that I could not create VLAN groups on the physical interface. Why?
How can I make my IDSM-2 card work inline with many virtual sensors (policies) for different VLANs?

Similar Messages

  • How can I use IDSM-2 in inline mode for more than two VLANs?

    Can I use the IDSM-2 in inline mode to be an IPS for more than two VLANs,
    like this, or not?
    intrusion-detection module 5 data port 1 access-vlan 10,20,30,40,50
    intrusion-detection module 5 data port 1 access-vlan 100,200
    Thank you all for your help

    The IDSM-2 ports need to be configured as trunk ports with multiple vlans rather than as access ports.
    http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517eb.html#wp1068377
    And instead of creating an inline interface pair by pairing Gig0/7 with Gig0/8 within the IDSM-2 configuration, you would create inline vlan pairs.
    With an inline vlan pair you pair 2 vlans on the same interface.
    You can have up to 255 inline VLAN pairs on each interface (assuming you keep the total traffic from all of the pairs within the IDSM-2's performance limit of around 500 Mbps).
    How to create inline vlan pairs:
    http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517bb.html#wp1047852
    The other aspect you need to be aware of is that not all IOS versions will support configuring the IDSM-2 data ports as trunk ports for inline vlan pairs.
    Your best bet is to use 12.2(18)SXF4 or a later version on the 12.2(18)SXF train.
    The 12.2(33)SR train does not currently support the trunk feature for the IDSM-2.

  • Router NME IPS - use promiscuous and inline mode simultaneous

    Hi all,
    We are using the IPS module NME-IPS-K9 on a Cisco 2951 router. We would like to use the IPS in promiscuous and inline mode simultaneously. For example, traffic from a client to a server should pass through the IPS, but the IPS should only receive a copy of the VoIP traffic.
    In the interface configuration mode the following command is set.
         ids-service-module monitoring promiscuous access-list 101
    If I try to set an interface to inline mode I get the following message:
         "Only either Inline or Promiscuous
         monitoring is supported on the router at one time.
         Please remove Promiscuous monitoring on all interfaces
         before configuring Inline monitoring. Only either Inline or Promiscuous
         monitoring is supported on the router at one time.
         Please remove Promiscuous monitoring on all interfaces
         before configuring Inline monitoring."
    Is there any way to use promiscuous and inline monitoring at the same time? Is there a firmware update available which includes this feature? Any other ideas?
    IOS version of the router: 15.0(1)M4
    IPS version:  7.0(2)E4
    Kind Regards

    In promiscuous mode your sensor doesn't affect the traffic; it only listens to and analyzes it.
    In inline mode you direct all the traffic on the network segment you want to protect through the IPS, and it analyzes it and blocks some actions according to your settings.
    That is the main difference. Which mode to prefer must be your decision.

  • IDSM-2, inline and Passive mode in same Module?

    Hi, I have a question that may seem strange. In our network we have implemented an IDSM-2 module in our 6513 switch in inline mode. Without any discussion about network design, suppose that our network is going beyond the IDSM-2 throughput and we then want to use the IDSM-2 for some traffic in passive mode instead of inline, to reduce the drop probability in inline mode. I mean, before this state we were using IDSM-2 data port 1 (in VLAN pair mode); now can we use data port 2 for this purpose (capturing some traffic on data port 2 for passive operation)? In other words, can the IDSM-2 operate in this way?

    I found my answer in the IDSM-2 document: "You can mix sensing modes on IDSM-2. For example, you can configure one data port for promiscuous mode and the other data port for inline VLAN pair mode. But because IDSM-2 only has two data ports and inline mode requires the use of both data ports as a pair, you cannot mix inline mode with either of the other two modes." But something else: for doing such a thing, suppose that I have sig 2004 configured for inline traffic to deny the attacker inline; then this action doesn't make any sense for some data in passive mode, and suppose that for that kind of traffic, where the IDSM-2 is operating in passive mode, I want to just send an alert. So can I use different VSs for doing this? Thanks.

  • IDSM-2 Inline mode

    Hi,
    I am working with the IDSM-2, We have Cisco 6509 with CSM & FWSM, We are planning IDSM-2 in Inline mode and now i want to monitor the traffic which is coming through Outside Interface of the FW context ( Which is nothing but a VLAN A, VLAN B, Vlan C. on MSFC )
    Data flow :-- ISP RTR---INternal RTR---FWSM---IDSM---MSFC---CSM---
    IDSM version is 5.1(4)S257.0,
    This will support only Two VLAN (IN and OUT) on access mode.
    My problem is I don't know how to scan the traffic of 3 numbers of VLAN (A,B,C).
    Cisco 6509 --- Version 12.2(18)SXF7,

    Hi Udaya,
    I am not able to find out any subinterface.
    I think it is available from IPS 5.1 and this one is IPS5.0(2)
    IDSM2CORE2(config-int)# show settin
    physical-interfaces (min: 0, max: 999999999, current: 3)
    name: GigabitEthernet0/2
    media-type: backplane
    description:
    admin-state: enabled
    duplex: auto
    speed: auto
    alt-tcp-reset-interface
    none
    name: GigabitEthernet0/7
    media-type: backplane
    description:
    admin-state: enabled
    duplex: auto
    speed: auto
    alt-tcp-reset-interface
    interface-name: System0/1
    name: GigabitEthernet0/8
    media-type: backplane
    description:
    admin-state: enabled
    duplex: auto
    speed: auto
    alt-tcp-reset-interface
    interface-name: System0/1
    command-control: GigabitEthernet0/2
    inline-interfaces (min: 0, max: 999999999, current: 0)
    bypass-mode: auto
    interface-notifications
    missed-percentage-threshold: 0 percent
    notification-interval: 30 seconds
    idle-interface-delay: 30 seconds

  • Idsm 2- Inline Mode Deployment

    I would like to configure an IDSM-2 in inline mode, I am having trouble about the deployment, I have a couple of questions;
    1. If you configure 2 VLANs (existing) as VLAN pairs does this mean the exist connection between the 2 VLANs is broken?
    ie they can only communicate to each other via IPS.
    2. Where is the best place to deploy this type of IPS?

    In an inline VLAN-pair scenario, the IDSM2 will bridge the VLANs together using VLAN tag swapping.  Below is a quick topo sketch of an inline design where this might be used.
    6500 MSFC--VL10--(inside) FWSM (outside)--VLAN 11--IDSM--VLAN 111--RTR--INTERNET
    In the example above, the FWSM outside and RTR inside interfaces sit on the same Layer 3 subnet but different Layer 2 VLANs.  The IDSM is positioned inline using an inline VLAN-pair.  Traffic leaving the FWSM towards the Internet will go into the trunk to the IDSM on VLAN 11.  The IDSM will then swap the VLAN tag to 111 before forwarding the packet down the trunk.  This process allows the traffic to be influenced into the IDSM for inspection.
    http://www.cisco.com/en/US/customer/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047718

  • Can I use IDSM-2 to monitor in inline-mode multiple pair of vlans?

    my customer wants to have IDSM-2 in inline mode for monitoring VLANs that are routed through the PIX firewalls.
    These VLANs are defined on the Cat 6500 switch where the IDSM-2 resides.
    They want to have one external vlan to be paired with 4 internal vlans.
    As far as I know the inline VLAN pairs configuration only support one to one vlan pairing.
    What's the best of doing this?

    Yes, you can very well use the IDSM for monitoring multiple VLANs.
    Refer to the configuration guide of the IDSM for more information
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html

  • IDSM2 on 6500-IOS inline mode support?

    Hi,
    I have an IDSM-2 running IPS5.1(1d) software (recently upgraded from 4.x) that is sitting on a 6500 IOS.
    The IPS device manager shows gi0/7 and gi0/8 as both in Promiscuous mode. There is no option to change the mode to inline and pair them.
    Is it so that IDSM-2 currently supports only Promiscuous mode?
    If so, then this module is still acting as an IDS despite running IPS5.1. Isn't it? What is the advantage that I get after upgrading it from 4.x to 5.1?
    -- Vasanth

    There are 2 pieces to the puzzle.
    There is the IDSM-2 version and what it supports, but also the Cat 6K Native IOS version and what it supports.
    IDSM-2 v5.1(1d) supports
    a) Promiscuous mode,
    b) InLine Interface Pair mode (2 interfaces are paired for inline monitoring), and also
    c) InLine Vlan Pair mode (2 vlans on a single interface are paired for inline monitoring, you will also see it called inline-on-a-stick)
    But for these features to be used, the switch code must also support configuring the switch side of the IDSM-2 for each of these 3 features.
    Native IOS Versions prior to 12.2(18)SXE will support only Promiscuous mode on the IDSM-2.
    12.2(18)SXE and later versions will support InLine Interface Pair mode on the IDSM-2.
    No Native IOS versions currently support InLine Vlan Pair mode on the IDSM-2 (a new Native IOS versions with this support is currently in development).
    So to get Inline (IPS) functionality you need to be running a Native IOS version 12.2(18)SXE or later, and on the IDSM-2 run IPS versions 5.1 (or even the older 5.0).
    (NOTE: Cat OS 8.5(1) does support all 3 modes of the IDSM-2. So if you are using Cat OS instead of Native IOS, then run version 8.5(1) to have access to all of the features of IPS 5.1(1) on the IDSM-2)
    If you are running a Native IOS version prior to 12.2(18)SXE then the IDSM-2 can only be operated in Promiscuous mode even if 5.1(1) is loaded on the IDSM-2.
    However, even in promiscuous mode the IPS 5.1(1) software does have a few advantages.
    There are several engines, and engine parameters that are only supported in the 5.1 version and not the 4.0 version. So there are several signatures that are either a) not even created for 4.x sensors, or b) the 4.x signature is not as precise as the 5.x signature in the new engines.
    (These new engines have proved invaluable in writing signatures to detect some of the new attacks that have come out over the past year.)
    There are of course other advantages as well:
    For example:
    1) Risk Rating to better aid in prioritization of alerts.
    2) More flexible fitlering mechanism for alerts that allows for fitlering individual actions
    The 2 features above are just 2 of the new features that have been added in 5.0 and 5.1 that apply to both promiscuous and inline modes.

  • IDSM-2 load balancing on inline mode is it possible ..?

    Hi there. I am currently working on a project and need to find out whether EtherChannel load balancing can be configured between several IDSM-2s running in inline mode. The IPS 5.1 admin guide states that it is possible for IOS-based switches having the IDSM-2 configured in promiscuous mode; however, I have heard that it might also be possible to configure EtherChannel load balancing when the IDSM-2s are in inline mode. Any help or comments will be appreciated; any links to refer to will be even better.
    Thanks !!!

    To configure EtherChannel load balancing on IDSM-2, you must install Cisco IOS 12.2(18)SXE and have Supervisor Engine 720. Cisco IOS only supports promiscuous IDSM-2 EtherChanneling using VACL capture (not SPAN or monitor). Refer the URL
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1044800

  • IDSM on catalyst 6500 to provide IOS Inline mode support

    I am currently evaluating what kind of method to apply in my 6500. I would like to ask if IOS version 12.2(33)SXI2a supports inline mode and inline VLAN pair mode with the IDSM-2, and what configuration should be done on the switch in order for multiple VLANs' traffic to flow through an inline interface of the IDSM-2. In my case I have 16 user VLANs and 1 server VLAN on the Catalyst 6500. The task is to protect the servers from users. The requirement is to configure inline mode to monitor the traffic from these 16 VLANs when they access the servers. But as we know, the IDSM-2 has only two logical sensing ports. So my question is: how will you configure the switch to forward the traffic from these 16 VLANs to the IDSM-2 module via only ONE sensing port, since the other sensing port will be configured in the server VLAN? Because as far as I know, when you configure inline mode on IOS, you have to configure the sensing ports in access mode (while in CatOS you configure these as TRUNK ports). But this will work only when you have two VLANs; in my case I have 16 VLANs to monitor in inline mode. Please suggest any solution.
    Any urgent reply will be much appreciated.
    Many Thanks in advance

    Hi Mubin,
       If you're looking to monitor all the traffic from the user VLANs to the server VLANs then the simplest way to configure the IDSM-2 would be inline on the server VLAN segment.  All traffic destined to the servers (from the users or anywhere else) has to traverse that VLAN.  Assuming you have something like this to start:
    VLAN 100-120 (users) ====== Switch ------ VLAN 200 (servers)
    you'd drop the IDSM-2 inline on VLAN 200 by using a helper VLAN:
    VLAN 100-120 (users) ====== Switch ----- VLAN 201 (server gateway) ----- IDSM-2 (bridging 201 to 200) ----- VLAN 200 (servers)
    To do this you'll need to perform the following steps:
    1.  Designate a new VLAN to use as a helper VLAN for your current server VLAN.  I'll use 201 for this example and assume your current server VLAN is 200.
    Create the helper VLAN on the switch:
    switch# conf t
    switch(config)# vlan 201
    2.  Configure the IDSM-2 to bridge the helper VLAN and the server VLAN (200-201)
    sensor# conf t
    sensor(config)# service interface
    sensor(config-int)# physical-interfaces GigabitEthernet0/7
    sensor(config-int-phy)# admin-state enabled
    sensor(config-int-phy)# subinterface-type inline-vlan-pair
    sensor(config-int-phy-inl)# subinterface 1
    sensor(config-int-phy-inl-sub)# vlan1 200
    sensor(config-int-phy-inl-sub)# vlan2 201
    sensor(config-int-phy-inl-sub)# description Server-Helper pair
    sensor(config-int-phy-inl-sub)# exit
    sensor(config-int-phy-inl)# exit
    sensor(config-int-phy)# exit
    sensor(config-int)# exit
    Apply Changes:?[yes]:
    3.  Configure the switch to trunk the helper and server VLANs to the IDSM-2 module.  I assume the module is in slot 5 in the example.  Replace the 5 with the correct slot for your deployment:
    switch# conf t
    switch(config)# intrusion-detection module 5 data-port 1 trunk allowed-vlan 200,201
    switch(config)# intrusion-detection module 5 data-port 1 autostate include
    *Warning! This next step may cause an outage if everything is configured correctly.  You'll probably want to schedule a window to do this.*
    4.  Finally, force the traffic from the server VLAN through the IDSM-2 by moving the server VLAN gateway from VLAN 200 (where it is currently) to the helper VLAN you created.  To do this, remove the SVI from VLAN 200 and apply the same IP address to VLAN 201.  I assume the current server gateway is 192.168.1.1/24
    switch# conf t
    switch(config)#int vlan 200
    switch(config-int)#no ip addr
    switch(config-int)#int vlan 201
    switch(config-int)#ip addr 192.168.1.1 255.255.255.0
    switch(config-int)#exit
    switch(config)#exit
    switch# wr mem
    Now, when the servers try to contact 192.168.1.1 (their gateway) they'll have to be bridged through the IDSM-2 to reach VLAN 201 and in the process all traffic destined to them or sourced from them will be inspected.  Do not put any hosts or servers in the helper VLAN (201) or they will not be inspected.
    Best Regards,
    Justin

  • Compatible 6500 IOS version to support IDSM-2 Inline mode

    The 6500 model WS-SUP720-3BXL with IOS version 12.2(18)SXD4,
    and IDS card WS-SVC-IDSM-2 with sw 5.0(2)is compatible to run on inline mode.
    Regards,
    Viraj

    Good day,
    Hi, you need a minimum of the sup-bootdisk:s3223-advipservicesk9_wan-mz.122-18.SXF7.bin IOS to enable inline mode on the 6500 series.
    As per my knowledge,
    the latest IOS is
    sup-bootdisk:s3223-adventerprisek9_wan-mz.122-18.SXF13.bin.
    For the IDSM-2, if you upgrade to the Engine 2 IOS, you can get updates with E2 signatures and you can also manage it from a new management console such as Cisco IPS Manager Express 6.1.
    I hope this will satisfy.

  • IPS 45xx/43xx/42xx appliance and Catalyst 6500 Inline Mode issues

    Hello to everyone!
    We have recently got our new IPS 4510 appliance and for now there is a task to develop a connection scheme to our backbone multilayer switch (Catalyst 6500).
    There are several server's and user's VLANs connected to 6500.
    6500 performs inter-vlan routing.
    The main task is to "insert" IPS appliance between traffic path from any VLAN to server's VLANs.
    The additional task is to provide failover in "fail-open" manner (We have only one 4510 appliance. So if 4510 fails then traffic should continue passing without inspections).
    As I understood from this document https://supportforums.cisco.com/docs/DOC-12206, the only way to implement inline mode when using a multilayer switch is to "take out" the default gateway address for the inspected subnet onto another VLAN's SVI.
    If we replace IDSM-2 with IPS appliance I suppose we can use hardware bypass feature as a failover measure (in case if IPS fails then traffic between bridged VLANs will still be forwarded).
    But what if there are several VLANs that should be monitored?
    As I understand it, in such a schema we will need to use an additional interface-inline-pair for each monitored VLAN.
    But what if we have 20 VLANs for servers and 50 VLANs for users?
    Can using of VLAN-group mode handle this problem?
    I am not sure, but using VLAN-groups cannot provide bridging between two different VLANs. Am I right?
    And will using VLAN-groups make the hardware-bypass feature useless?
    I tried to simulate the first scenario in Cisco Packet Tracer (I used a bridge to simulate an IPS appliance in interface-pair inline mode):
    Maybe this is a bug of Packet Tracer, but traffic went through the IPS only if it was sent from VLAN 10 to VLAN 100.
    The return traffic from VLAN 100 to VLAN 10 went through the Catalyst directly.
    When the Catalyst received the frame it said:
    "The frame destination MAC address matches the MAC address of the active VLAN interface."
    After that it decapsulates the PDU from the Ethernet frame and sends the IP packet directly to VLAN 10.
    Does it mean that there is a need to change SVI's mac address?
    Thanks for any advice in advance.

    Here is my guess at how to realise my scenario:
    The config on the Cat6k should look something like this:
    ip routing
    interface Ge1/0
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10-12,110-112
    switchport mode trunk
    switchport nonegotiate
    switchport vlan mapping enable
    switchport vlan mapping 110 10
    switchport vlan mapping 111 11
    switchport vlan mapping 112 12
    interface Ge1/1
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10-12
    switchport mode trunk
    switchport nonegotiate
    interface vlan 2
    ip address 10.0.2.1 255.255.255.0
    interface vlan 3
    ip address 10.0.3.1 255.255.255.0
    interface Vlan4
    ip address 10.0.4.1 255.255.255.0
    interface Vlan110
    ip address 10.0.10.1 255.255.255.0
    interface Vlan111
    ip address 10.0.11.1 255.255.255.0
    interface Vlan112
    ip address 10.0.12.1 255.255.255.0
    no interface Vlan10
    no interface Vlan11
    no interface Vlan12
    IPS should operate in VLAN-group inline mode. We could separate traffic by VLAN tag to inspect with different virtual sensors or we use one VS for all trunk traffic.
    Traffic routed from any VLAN to VLANs 10-12 should go through IPS.
    In case if IPS gets powered off - hardware-bypass feature should provide bridging between trunk ports.
    In theory it should work.
    It remains to test it in practice.
    Thoughts / suggestions?

  • IDSM-2(5.0)inline mode- Pair Status=down??

    I have trouble configuring IDSM-2 inline mode (5.0).
    It seems that traffic doesn't go through the IDSM.
    I checked it with the command: sh interface gi0/7 (IDSM mode)
    The 'Pair Status = Down' (below) shows that, I think.
    moreover, total packet received doesn't increase.
    how do i solve it?
    Please help!
    xxsystems# sh int gigabitEthernet0/7
    MAC statistics from interface GigabitEthernet0/7
    Media Type = backplane
    Missed Packet Percentage = 0
    Inline Mode = Paired with interface GigabitEthernet0/8
    Pair Status = Down
    Link Status = Up
    Link Speed = Auto_1000
    Link Duplex = Auto_Full
    Total Packets Received = 38
    Total Bytes Received = 2584
    Total Multicast Packets Received = 38
    Total Broadcast Packets Received = 0
    Total Jumbo Packets Received = 0
    Total Undersize Packets Received = 0
    Total Receive Errors = 0
    Total Receive FIFO Overruns = 0
    Total Packets Transmitted = 12
    Total Bytes Transmitted = 1152
    Total Multicast Packets Transmitted = 0
    Total Broadcast Packets Transmitted = 12
    Total Jumbo Packets Transmitted = 0
    Total Undersize Packets Transmitted = 0
    Total Transmit Errors = 0
    Total Transmit FIFO Overruns = 0

    You can only pair interfaces on your sensor if your sensor is capable of inline monitoring.
    http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a00803eb069.html

  • IDSM-2 Inline mode operation - cat6000 Hybrid

    Hello, is the inline mode operation on the IDSM-2 IPS 5.1 only supported with catos 8.4(1)?
    Thanks!

    I agree, the IPS 5.1 release notes http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/prod_release_note09186a0080574954.html#wp1068104 says it requires 8.5(1) go figure.

  • IDSM SPAN and filter on destination

    Greetings
    When I set up a SPAN session with a regular TP interface as a destination I am able to allow specific VLANs on the destination trunk port. This does not work for me when I try the same setup with the IDSM data port as the destination. Has anyone got this working?
    I have IOS 12.2SXF5 on the 6513 and 6.0(4)E1 on the IDSM.
    Regards
    Fredrik

    This does not work for the IDSM-2.
    The trunk configuration of the IDSM-2 does NOT work in conjunction with setting the IDSM-2 as a span destination port.
    The trunk setting of the IDSM-2 is only used when configuring the IDSM-2 for InLine Vlan Pairs.
    For Span monitoring the IDSM-2 needs to be configured for Promiscuous mode and so the Trunk configuration is not used.
