IDSM-2 in coreswitch

I have an IDSM-2 in the core switch with the following details:
                                                Gi1/2 -[Coreswitch with IDSM-2]-Gi9/1
Below is the configuration in the core switch; I want to put the IDSM-2 in INLINE mode.
interface GigabitEthernet1/2
description **** Uplink to Firewall ****
ip address 10.1.2.73 255.255.255.248
ip ospf network point-to-point
standby 1 ip 10.1.2.75
standby 1 priority 110
standby 1 preempt
interface GigabitEthernet1/2.11
encapsulation dot1Q 211
ip vrf forwarding VRF11
ip address 10.2.11.73 255.255.255.248
ip ospf network point-to-point
standby 1 ip 10.2.11.75
standby 1 priority 110
standby 1 preempt
interface GigabitEthernet1/2.12
description **** Connected to INFRASOFT TECH - VLAN 12  ****
encapsulation dot1Q 212
ip vrf forwarding VRF12
ip address 10.2.12.73 255.255.255.248
ip ospf network point-to-point
standby 1 ip 10.2.12.75
standby 1 priority 110
standby 1 preempt
interface TenGigabitEthernet9/1
description **** Downlink to Distribution ****
ip address 10.1.2.2 255.255.255.252
ip ospf network point-to-point
rmon collection history 62 owner campusmanager buckets 10 interval 300
interface TenGigabitEthernet9/1.11
encapsulation dot1Q 311
ip vrf forwarding VRF11
ip address 10.2.11.2 255.255.255.252
!
interface TenGigabitEthernet9/1.12
encapsulation dot1Q 312
ip vrf forwarding VRF12
ip address 10.2.12.2 255.255.255.252
ip ospf network point-to-point
I want all the traffic to pass through the IDSM-2 module.

Please go through my IDSM design document for understanding the fundamental concepts.
https://supportforums.cisco.com/docs/DOC-12206
- Sid

Similar Messages

  • IDSM-2 inline between multible VLAN

    Hi,
    I have a core switch 6509 which includes an IDSM-2. Actually the core switch handles the traffic between the users' VLANs and the server VLAN (VLAN 11).
    The users' VLANs are (VLAN 2, 3, 4, 5, 6 and 7). I need to configure the core switch and IDSM to be inline between the users' VLANs and the server farm VLAN to inspect the traffic coming from the users.
    As I understand it, I can use the IDSM inline mode between multiple VLANs, but unfortunately my test to drop the ICMP request to the server failed.
    Kindly advise if that is available or if it should be only in promiscuous mode.
    Also, if there is any sample of a successful configuration.
    my configuration is as below:
    Core-SW-RYD#sh run | in intr
    intrusion-detection module 9 data-port 1 trunk allowed-vlan 2-7,11
    intrusion-detection module 9 data-port 2 trunk allowed-vlan 2-7,11
    intrusion-detection module 9 data-port 1 autostate include
    intrusion-detection module 9 data-port 2 autostate include
    intrusion-detection module 9 data-port 1 portfast 1
    intrusion-detection module 9 data-port 2 portfast 1
    VLAN Name                             Status    Ports
    1    default                          active    Gi9/2, Gi9/3, Gi9/4, Gi9/5, Gi9/6
    2    Food-D-VLAN                      active   
    3    Comm-D-VLAN                      active   
    4    Emar-D-VLAN                      active   
    5    Finance-D-VLAN                   active   
    6    Glucose-D-VLAN                   active   
    7    IT-D-VLAN                        active    Gi1/3
    11   servers-Vlan                     active    Gi1/2, Gi1/4, Gi1/5, Gi1/6, Gi1/7, Gi1/8, Gi1/9, Gi1/10, Gi1/12, Gi1/13
                                                    Gi1/14, Gi1/15, Gi1/16, Gi1/17, Gi1/18, Gi1/19, Gi1/20, Gi1/21, Gi1/22
                                                    Gi1/23, Gi1/24, Gi1/25, Gi1/26, Gi1/27, Gi1/28, Gi1/29, Gi1/31, Gi1/32
                                                    Gi1/33, Gi1/34, Gi1/35, Gi1/36, Gi1/37, Gi1/38, Gi1/39, Gi1/41, Gi1/42
                                                    Gi1/43, Gi1/44, Gi1/45, Gi1/46, Gi1/47, Gi1/48, Gi2/10, Gi2/11, Gi2/12
                                                    Gi2/13, Gi2/15, Gi2/16, Gi2/18, Gi2/19, Gi2/20, Gi2/21, Gi2/22, Gi2/23
                                                    Gi2/24, Gi3/1, Gi3/2, Gi3/3, Gi3/4, Gi3/5, Gi3/6, Gi3/7, Gi3/8, Gi3/9, Gi3/10
                                                    Gi3/11, Gi3/12, Gi3/13, Gi3/14, Gi3/15, Gi3/16, Gi3/17, Gi3/18, Gi3/19
                                                    Gi3/20, Gi3/21, Gi3/22, Gi3/23, Gi3/24
    your support will be highly appreciated.
    Best Regards,
    Magdy

    Hi Mohamed.
    with inline mode, you can only bridge VLANs in pairs uniquely! So you can only bridge VLAN 11 to another single VLAN. And remember, since they are bridged, that means the 2 VLANs need to have the same IP subnet.
    but looking at your requirements, I'm guessing the different VLANs are on different IP subnet ranges.
    In that case, you'll need to do promiscuous mode.
    However in promiscuous mode, you can only do ACL blocking, and the first packet will pass successfully but will trigger the sensor to configure the router to create an ACL, and further packets will be dropped.
    However if you redesign a bit you can use promiscuous mode. For example create a new layer 2 VLAN (let's say 14), move the servers to this VLAN.
    You only need to trunk VLAN 11 and VLAN 14 to the IDSM module, then create a single vlan-pair on the IPS which bridges VLAN 11 and VLAN 14. Then configure the signature to drop packets inline. Since now the clients who need to contact the servers need to pass traffic to VLAN 11, and the IDSM is in the middle between VLAN 11 and 14, then it should drop pings to the servers.
    Regards,
    Fadi.

  • Idsm-2 problem: sensor upgrade from 4.1 to 5 or higher

    Hi all,
    I have a problem with my IDSM-2 module. I'm trying to sensor upgrade from IDS to IPS software (from 4.1 version to 5.x or higher).
    If I do this from sensor under "admin user" and use major patch - IPS-K9-maj-5.0-1e-S149.rpm.pkg then I receive error:
    "Error: idsPackageMgr: digital signature of the update file was not valid, use CCO to replace corrupted file ".
    But the file "IPS-K9-maj-5.0-1e-S149.rpm.pkg" is NOT corrupted. I checked it under the "service" user with the md5sum utility; the checksum is correct.
    If I try to upgrade from maintenance mode (i.e. re-image, wiping all information in the application partition) then I receive:
    "Application image upgrade complete. You can boot the image now.
    Partition upgraded successfully"
    Next, I reboot the IDSM-2 module and receive:
    "000133: Sep 7 15:10:18.622 MSK/MDD: %HA_EM-6-LOG: Mandatory.go_bootup.tcl: GOLD EEM TCL policy for boot up diagnostic
    000134: Sep 7 15:10:18.290 MSK/MDD: %DIAG-SP-3-MAJOR: Module 4: Online Diagnostics detected a Major Error. Please use 'show diagnostic result <target>' to see test results.
    000135: Sep 7 15:10:18.294 MSK/MDD: %CONST_DIAG-SP-3-BOOTUP_TEST_FAIL: Module 4: TestPCLoopback failed on port(s) 3-4
    000136: Sep 7 15:10:19.170 MSK/MDD: %OIR-SP-3-LC_FAILURE: Module 4 has Major online diagnostic failure, Card will be reset to re-run diagnostic. Please check sup-bootflash diaginfo file for previous detailed diagnostic result.
    000137: Sep 7 15:10:19.170 MSK/MDD: %OIR-SP-3-PWRCYCLE: Card in module 4, is being power-cycled 'off (Diagnostic Failure)'
    000138: Sep 7 15:10:19.170 MSK/MDD: %C6KPWR-SP-4-DISABLED: power to module in slot 4 set off (Diagnostic Failure)"
    ie module go to the "PwrDown" state.
    I tried to upgrade with the following firmware:
    IPS-K9-maj-5.0-1e-S149.rpm.pkg
    IPS-IDSM2-K9-sys-1.1-a-7.0-5a-E4.bin.gz
    IPS-K9-7.0-5a-E4.pkg
    IPS-K9-maj-5.0-1e-S149.rpm.pkg
    WS-SVC-IDSM2-K9-sys-1.1-a-5.0-1.bin.gz
    and did not get success
    chassis - 6509-e, sup - VS-S720-10G + VS-F6K-PFC3C, ios - s72033-adventerprisek9_wan-mz.122-33.SXI6.bin
    maintenance software for the IDSM-2 module - 3.4(2)m
    Could you please help me? Thanks in advance!

    I have a problem with my IDSM-2 module. I'm trying to sensor upgrade from IDS to IPS software (from 4.1 version to 5.x or higher). If I do this from sensor under "admin user" and use major patch - IPS-K9-maj-5.0-1e-S149.rpm.pkg then I receive error: "Error: idsPackageMgr: digital signature of the update file was not valid, use CCO to replace corrupted file ". But file "IPS-K9-maj-5.0-1e-S149.rpm.pkg" is NOT corrupted. I cheked it under "service user" with md5sum utility - checksum is correct.
    It has been a long time since I've seen a sensor running 4.1 or an upgrade to 5.0(1e) . If I recall correctly, there were some issues with upgrading if you were running a release from the 4.1 train earlier than 4.1(4). Additionally, the upgrade from 4.1 -> 5.0 includes a configuration conversion (due to differences between the software trains), which was prone to failure depending on the presence of certain configuration options.
    Unless you absolutely need to keep the existing configuration, you would save yourself time and effort by simply re-imaging the sensor directly to the desired release. Modern (supported) releases would be either 7.0(5a)E4 or 6.2(3)E4.
    Next, I'm reboot IDSM-2 module and receive:"000133: Sep 7 15:10:18.622 MSK/MDD: %HA_EM-6-LOG: Mandatory.go_bootup.tcl: GOLD EEM TCL policy for boot up diagnostic000134: Sep 7 15:10:18.290 MSK/MDD: %DIAG-SP-3-MAJOR: Module 4: Online Diagnostics detected a Major Error. Please use 'show diagnostic result ' to see test results.000135: Sep 7 15:10:18.294 MSK/MDD: %CONST_DIAG-SP-3-BOOTUP_TEST_FAIL: Module 4: TestPCLoopback failed on port(s) 3-4000136: Sep 7 15:10:19.170 MSK/MDD: %OIR-SP-3-LC_FAILURE: Module 4 has Major online diagnostic failure, Card will be reset to re-run diagnostic. Please check sup-bootflash diaginfo file for previous detailed diagnostic result.000137: Sep 7 15:10:19.170 MSK/MDD: %OIR-SP-3-PWRCYCLE: Card in module 4, is being power-cycled 'off (Diagnostic Failure)'000138: Sep 7 15:10:19.170 MSK/MDD: %C6KPWR-SP-4-DISABLED: power to module in slot 4 set off (Diagnostic Failure)"
    I would try re-imaging the sensor once more using the IPS-IDSM2-K9-sys-1.1-a-7.0-5a-E4.bin.gz System Recovery Image file found here, following the procedure described here. If the module still fails to boot after that (still citing a Diagnostic Failure), try moving it to another slot in the chassis (if possible).
    What color is the IDSM-2 Status LED (on front of module) when it is in this state? An RMA may be necessary to resolve this.

  • How can i use IDSM-2 in inline mode for more than two VLANs?

    Can I use the IDSM-2 in inline mode to be an IPS for more than two VLANs,
    like this, or not?
    intrusion-detection module 5 data port 1 access-vlan 10,20,30,40,50
    intrusion-detection module 5 data port 1 access-vlan 100,200
    Thank you all for your help.

    The IDSM-2 ports need to be configured as trunk ports with multiple vlans rather than as access ports.
    http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517eb.html#wp1068377
    And instead of creating an inline interface pair by pairing Gig0/7 with Gig0/8 within the IDSM-2 configuration, you would create inline vlan pairs.
    With an inline vlan pair you pair 2 vlans on the same interface.
    You can have up to 255 inline vlan pairs on each interface (assuming you keep the total traffic from all of the pairs within the IDSM-2's performance limit of around 500Mbps).
    How to create inline vlan pairs:
    http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517bb.html#wp1047852
    The other aspect you need to be aware of is that not all IOS versions will support configuring the IDSM-2 data ports as trunk ports for inline vlan pairs.
    Your best bet is to use 12.2(18)SXF4 or a later version on the 12.2(18)SXF train.
    The 12.2(33)SR train does not currently support the trunk feature for the IDSM-2.

  • Question on Network and Host Blocking feature of IDSM

    Hi there,
    Is the IDSM capable of blocking host and network by itself through manual blocking. Or is it just capable of sending the blocks to its managed devices. Thanks

    There is a confusion in terms.
    Blocking refers to the sensor's ability to create ACLs or Shun lists on other devices.
    It requires that you setup the sensor to connect to that other device.
    Denying on the other hand refers to the sensor's ability to be deployed InLine and for the sensor itself to drop the offending packets.
    The Host Blocking panel is only for the Blocking feature. The Host Blocking panel does not control what an InLine Sensor will "Deny".
    At this time the sensor does not support the user manually adding IP Addresses to the sensor's Denied Attacker list.
    Users may view the current list, clear counters for the list, or remove attacker IP addresses from the list. But they may not manually add addresses to the list.
    Addresses are added to the Denied Attacker list Only when signatures are triggered with one of the deny-attacker-.... event actions.
    You can view the Denied Attacker List through IDM:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids13/idmguide/dmmntr.htm#wp1029926
    The Deny Actions do require that the sensor be deployed InLine and will not work on sensors deployed Promiscuously.

  • IDSM comand lines removal from 6509 vss switch

    Hi, in our network we have implemented VSS with two Cisco 6509-E switches. In these switches I have installed an IDS module, and following are my IDS configurations.
    intrusion-detection switch 1 module 4 management-port access-vlan 21
    intrusion-detection switch 2 module 4 management-port access-vlan 21
    intrusion-detection switch 1 module 4 data-port 1 trunk allowed-vlan 27,31
    intrusion-detection switch 2 module 4 data-port 1 trunk allowed-vlan 27,31
    intrusion-detection switch 1 module 4 data-port 1 autostate include
    intrusion-detection switch 2 module 4 data-port 1 autostate include
    Whenever I restart any node of my VSS, the last two lines of the IDS configuration disappear and I need to re-enter them manually.
    "intrusion-detection switch 1 module 4 data-port 1 autostate include
    intrusion-detection switch 2 module 4 data-port 1 autostate include"
    Following are my switch details.
    Switch model : WS-C6509-E
    SUP module : VS-S720-10G
    IDS module details : WS-SVC-IDSM-2
    IDS firmware : 7.2(1)
    IDS software : 6.2(3)E4
    I don't understand what causes this problem, and why, during a reboot of any VSS node, this configuration does not get replicated to the other node?
    Please help me...

    intrusion-detection switch 1 module 4 data-port 1 autostate include portfast
    set this command and check !!!!

  • How to power up IDSM-2

    Hi
    I have a Cat6509 with an IDSM-2 in PwrDown state.
    How can I power up the blade ?
    Thanks in advance for your help

    I believe issuing a reset command to the IDSM-2 from the Catalyst’s CLI will do this.
    The following information was taken from the online installation guide: (http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a008035809d.html)
    Catalyst Software
    To reset the IDSM-2 from the CLI, follow these steps:
    Step 1 Log in to the console.
    Step 2 Enter privileged mode:
    Console> enable
    Step 3 Reset the IDSM-2 to the application partition or the maintenance partition:
    Console> (enable) reset module_number [hdd:1/cf:1]
    Cisco IOS Software
    To reset the IDSM-2 from the CLI, follow these steps:
    Step 1 Log in to the console.
    Step 2 Enter privileged mode:
    Router# configure terminal
    Step 3 Reset the IDSM-2:
    Router# hw-module module module_number reset [hdd:1/cf:1]
    I hope this helps,
    Alex Arndt

  • Configuring IDSM in promiscuous mode?

    Hello,
    I have two Catalyst 6500 switches in VSS, each with an IDSM module. I want to monitor four VLANs: three of them are user VLANs and one is the server VLAN. I am planning to use VACLs to capture the traffic.
    My first question is how to configure the data ports of the IDSM in promiscuous mode. The configuration guide says that by default the data ports are in promiscuous mode, so does that mean that I don't have to make any configuration on the data ports of the IDSM?
    Second, if I have two 6500 switches in VSS, each with an IDSM module, do I have to consider other configurations for this situation?
    The configuration of VACL that I will put is:
    ip access-list extended ACL_IPS
      permit ip any any
    vlan access-map VACL_IPS 10
      match ip address ACL_IPS
      action forward
    vlan filter VACL_IPS vlan-list 30 , 40 , 50 , 100
    intrusion-detection switch 1 module 4 data-port 1 capture allowed-vlan 30,40,50,100
    intrusion-detection switch 1 module 4 data-port 1 capture
    intrusion-detection switch 1 module 4 data-port 1 autostate include
    intrusion-detection switch 2 module 4 data-port 1 capture allowed-vlan 30,40,50,100
    intrusion-detection switch 2 module 4 data-port 1 capture
    intrusion-detection switch 2 module 4 data-port 1 autostate include
    Thanks for the help.

    The IDSM doesn't need any special commands to inspect traffic in promiscuous mode.
    You'll want to put your IDSM management interfaces on a VLAN to talk with them:
    intrusion-detection module 4 management-port access-vlan 99
    Use the "forward capture" switch:
    vlan access-map VACL_IPS 10
      match ip address ACL_IPS
      action forward capture
    Get rid of the spaces between your VLAN numbers
    vlan filter VACL_IPS vlan-list 30,40,50,100
    If you put two IDSMs in the same chassis you'll need to decide how to split traffic between them. You can assign different VLANs to each IDSM.
    - Bob
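Bob's two corrections above (the access-map action must be `forward capture`, and the VLAN lists on the `vlan filter` and on the capture port must line up) are easy to get wrong when the same lines are repeated for both VSS chassis. The following Python check is an added example, not code from this thread or from Cisco: it parses the `vlan access-map`, `vlan filter` and `intrusion-detection ... capture` lines and reports anything that would leave the IDSM-2 seeing no traffic. Both embedded configurations are constructed here; the first re-types the configuration as posted, the second applies the corrections.

```python
"""Check a Catalyst VACL-capture configuration for an IDSM-2 in promiscuous mode.

Added example, not from the thread. The embedded configurations are constructed
(the first is a re-typing of the configuration posted above, the second the
corrected form).
"""
import re

# "intrusion-detection [switch S] module M data-port P capture [allowed-vlan LIST]"
CAPTURE_RE = re.compile(
    r"intrusion-detection(?:\s+switch\s+(\d+))?\s+module\s+(\d+)\s+data-port\s+(\d+)"
    r"\s+capture(?:\s+allowed-vlan\s+([\d,\-\s]+))?$")
MAP_RE = re.compile(r"vlan access-map (\S+) (\d+)$")
FILTER_RE = re.compile(r"vlan filter (\S+) vlan-list (.+)$")


def vlan_set(text):
    """'30 , 40' -> {30, 40}; '2-7,11' -> {2..7, 11}. Spaces are tolerated."""
    out = set()
    for part in text.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_capture_config(config):
    """Return (access_maps, filters, capture_ports).

    access_maps:   name -> {sequence: [action tokens]}
    filters:       name -> set of VLANs the access-map is applied to
    capture_ports: (switch, module, data-port) -> {"capture": bool, "allowed": set|None}
    """
    access_maps, filters, ports = {}, {}, {}
    current = None  # (access-map name, sequence) whose clauses we are inside
    for raw in config.splitlines():
        line = raw.strip()
        m = MAP_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            access_maps.setdefault(current[0], {})[current[1]] = []
            continue
        if line.startswith("action ") and current:
            access_maps[current[0]][current[1]] = line.split()[1:]
            continue
        m = FILTER_RE.match(line)
        if m:
            filters[m.group(1)] = vlan_set(m.group(2))
            current = None
            continue
        m = CAPTURE_RE.match(line)
        if m:
            key = (m.group(1), int(m.group(2)), int(m.group(3)))
            entry = ports.setdefault(key, {"capture": False, "allowed": None})
            if m.group(4):
                entry["allowed"] = vlan_set(m.group(4))
            else:
                entry["capture"] = True
    return access_maps, filters, ports


def check_capture(access_maps, filters, ports):
    """List problems that would leave the IDSM-2 capture port without traffic."""
    findings = []
    captured = set()  # VLANs that really have a 'forward capture' VACL applied
    for name, seqs in access_maps.items():
        capture_ok = True
        for seq, action in sorted(seqs.items()):
            if "capture" not in action:
                capture_ok = False
                findings.append(f"access-map {name} {seq}: action '{' '.join(action)}' "
                                "lacks 'capture', so matching frames are never copied to the IDSM")
        if name not in filters:
            findings.append(f"access-map {name}: never applied with 'vlan filter'")
        elif capture_ok:
            captured |= filters[name]
    for (sw, mod, port), entry in ports.items():
        where = f"module {mod} data-port {port}" + (f" on switch {sw}" if sw else "")
        if not entry["capture"]:
            findings.append(f"{where}: missing the 'capture' line that makes it a capture port")
        if entry["allowed"] is None:
            continue
        for v in sorted(entry["allowed"] - captured):
            findings.append(f"{where}: VLAN {v} is allowed on the capture port but no capture VACL is applied to it")
        for v in sorted(captured - entry["allowed"]):
            findings.append(f"{where}: VLAN {v} has a capture VACL but is not in the capture allowed-vlan list")
    return findings


# Constructed sample: the configuration as posted in the question above.
AS_POSTED = """
ip access-list extended ACL_IPS
  permit ip any any
vlan access-map VACL_IPS 10
  match ip address ACL_IPS
  action forward
vlan filter VACL_IPS vlan-list 30 , 40 , 50 , 100
intrusion-detection switch 1 module 4 data-port 1 capture allowed-vlan 30,40,50,100
intrusion-detection switch 1 module 4 data-port 1 capture
intrusion-detection switch 1 module 4 data-port 1 autostate include
intrusion-detection switch 2 module 4 data-port 1 capture allowed-vlan 30,40,50,100
intrusion-detection switch 2 module 4 data-port 1 capture
intrusion-detection switch 2 module 4 data-port 1 autostate include
"""
# The same configuration with the two corrections from the reply applied.
CORRECTED = AS_POSTED.replace("action forward\n", "action forward capture\n") \
                     .replace("30 , 40 , 50 , 100", "30,40,50,100")

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"== {label} ==")
        for finding in check_capture(*parse_capture_config(cfg)) or ["capture configuration consistent"]:
            print(finding)
```

Run as a script it prints one finding for the `action forward` clause and one per VLAN and capture port for the as-posted configuration, and nothing for the corrected one. The VLAN-list parser accepts the spaced form IOS may show, so the check is about what reaches the IDSM rather than about cosmetic formatting.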

  • Configuring the Catalyst 6500 Switch for IPS Inline Operation of the IDSM

    I understand how to configure the Catalyst 6500 switch so that the monitoring ports are access ports in two separate VLAN's for inline operation.
    However, I don't see any documentation that describes how the desired VLAN traffic gets forced through the IPS.
    In promiscuous mode, you can use VACL's to copy/capture and forward the desired traffic to the IDSM for analysis. I'm not seeing how to get the desired traffic through the IPS.
    Note that the host 6500 is running native IOS 12.2(18)SXE.
    Thanks for any assistance.

    A transparent firewall is a fairly good comparison.
    Let's say you have vlan 10 with 100 PCs and 1 Router for the network.
    If you want to apply a transparent firewall on that vlan you can not simply put one interface of the firewall on vlan 10. Nothing would go through the firewall.
    Instead you have to create a new vlan, let's say 1010. Now you place one interface of the firewall on vlan 10 and the other on vlan 1010. Still nothing is going through the firewall. So now you move that Router from vlan 10 to vlan 1010. All you do is change the vlan, the IP Address and netmask of the router stay the same.
    The transparent firewall bridges vlan 10 and vlan 1010. The PCs on vlan 10 are still able to communicate to and through the router, but must go through the transparent firewall to do so.
    The firewall is transparent because it does not IP route between 2 vlans; instead the same IP subnet exists on both vlans and the firewall transparently bridges traffic between the 2 vlans.
    The transparent firewall can do firewalling between the PCs on vlan 10 and the Router on vlan 1010. But if PC A on vlan 10 talks to PC B on vlan 10, then the transparent firewall does not see and can not block that traffic.
    An InLine sensor is very similar to the transparent firewall and will bridge between the 2 vlans. And similarly an InLine sensor is able to InLine monitor traffic between PCs on vlan 10 and the Router on vlan 1010, but will not be able to monitor traffic between 2 PCs on vlan 10.
    Now the router on one vlan and the PCs on the other vlan is a typical deployment for inline sensors, but your vlans do not Have to be divided that way. You could choose to place some servers in one vlan, and desktop PCs in the other vlan. You subdivide the vlans in what ever method makes sense for your deployment.
    Now for monitoring multiple vlans the same principle still applies. You can't monitor traffic between machines on the same vlan. So for each of the vlans you want to monitor you will need to create a new vlan and split the machines between the 2 vlans.
    In your case with Native IOS you are limited to only 1 pair of vlans for InLine monitoring, but your desired deployment would require 20 vlan pairs.
    The 5.1 IPS software has now the capability to handle the 20 pairs, but the Native IOS software does not have the capability to send the 40 vlans (20 pairs) to the IDSM-2.
    The Native IOS changes are in testing right now, but I have not heard a release date for those changes.
    Now Cat OS has already made these changes. So here is a basic breakdown of what you could do in Cat OS and you can use in preparation for a Native IOS deployment when it gets released.
    For vlans 10-20, and 300-310 that you want monitored you will need to break each of those vlans in to 2 vlans.
    Let's say we make it simple and add 500 to each vlan in order to create the new vlan for each pair.
    So you have the following pairs:
    10/510, 11/511, 12/512, etc...
    300/800, 301/801, 302/802, etc....
    You set up the sensor port to trunk all 40 vlans:
    set trunk 5/7 10-20,300-310,510-520,800-810
    (Then clear all other vlans off that trunk to keep things clean)
    In the IDSM-2 configuration create the 20 inline vlan pairs on interface GigabitEthernet0/7
    Now on each of the 20 original vlans move the default router for each vlan from the original vlan to the 500+ vlan.
    At this point you should ordinarily be good to go. The IDSM-2 won't be monitoring traffic that stays within each of the original 20 vlans, but Would monitor traffic getting routed in and out of each of the 20 vlans.
    Because of a switch bug you may have to have an additional PC moved to the same vlan as the router if the switch/MSFC is being used as the router and you are deploying with an IDSM-2.
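The rules stated in this answer and in the "more than two VLANs" answer above are easy to break once the switch side and the sensor side are configured by different people: a VLAN can belong to only one inline pair, both VLANs of every pair must be allowed on the IDSM-2 data-port trunk, there are at most 255 pairs per interface, and the sensor only sees traffic that crosses a pair, never traffic that stays inside one VLAN. The following Python cross-check is an added example, not code from this thread or from Cisco. It parses the Catalyst `intrusion-detection ... trunk allowed-vlan` line and the sensor's `service interface` block (in the syntax shown in the "IDSM should protect serverfarm" post further down) and reports inconsistencies. The sample configuration is constructed here, modeled on that post; which data-port corresponds to which sensor interface name is left to the caller as an assumption.

```python
"""Cross-check IDSM-2 inline VLAN pairs against the Catalyst data-port trunk.

Added example, not from the thread. The sample configurations are constructed,
modeled on the 'IDSM should protect serverfarm' post on this page.
"""
import re

# IOS side: "intrusion-detection [switch S] module M data-port P trunk allowed-vlan LIST"
TRUNK_RE = re.compile(
    r"intrusion-detection(?:\s+switch\s+(\d+))?\s+module\s+(\d+)\s+data-port\s+(\d+)"
    r"\s+trunk\s+allowed-vlan\s+([\d,\-\s]+)$")


def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '2-7,11' (spaces tolerated) into a set."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_ios_trunks(config):
    """Map (switch, module, data-port) -> VLANs allowed on that IDSM-2 data trunk."""
    trunks = {}
    for line in config.splitlines():
        m = TRUNK_RE.match(line.strip())
        if m:
            trunks[(m.group(1), int(m.group(2)), int(m.group(3)))] = parse_vlan_list(m.group(4))
    return trunks


def parse_sensor_pairs(config):
    """Read the sensor 'service interface' block.

    Returns {physical_interface: [(subinterface, vlan1, vlan2), ...]}; only
    subinterfaces with both vlan1 and vlan2 set are returned.
    """
    pairs, iface, cur = {}, None, None

    def flush():  # record the subinterface being parsed, if complete
        if iface and cur and cur[1] is not None and cur[2] is not None:
            pairs.setdefault(iface, []).append(tuple(cur))

    for raw in config.splitlines():
        tokens = raw.split("//", 1)[0].split()  # drop '// comment' annotations
        if not tokens:
            continue
        if tokens[0] == "physical-interfaces" and len(tokens) > 1:
            flush()
            iface, cur = tokens[1], None
        elif tokens[0] == "subinterface" and len(tokens) > 1 and tokens[1].isdigit():
            flush()
            cur = [int(tokens[1]), None, None]
        elif tokens[0] in ("vlan1", "vlan2") and cur is not None and len(tokens) > 1:
            cur[1 if tokens[0] == "vlan1" else 2] = int(tokens[1])
    flush()
    return pairs


def check_inline_pairs(trunk_vlans, pairs, max_pairs=255):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    if len(pairs) > max_pairs:
        findings.append(f"{len(pairs)} pairs configured; at most {max_pairs} per interface")
    owner = {}  # vlan -> subinterface that already bridges it
    for subif, v1, v2 in pairs:
        if v1 == v2:
            findings.append(f"subinterface {subif}: vlan1 and vlan2 are both {v1}")
        for v in (v1, v2):
            if v in owner and owner[v] != subif:
                findings.append(f"vlan {v}: already bridged by subinterface {owner[v]}, "
                                f"cannot also be in subinterface {subif}")
            owner.setdefault(v, subif)
            if v not in trunk_vlans:
                findings.append(f"vlan {v} (subinterface {subif}): not in the data-port trunk allowed-vlan list")
    return findings


def inspected_by_sensor(src_vlan, dst_vlan, pairs):
    """True only when a frame crosses one of the bridged pairs (same-VLAN traffic is not seen)."""
    return any({src_vlan, dst_vlan} == {v1, v2} for _, v1, v2 in pairs)


# Constructed sample: trunk allows only 3,4 while the pairs bridge 4<->44 and 3<->33.
IOS_CONFIG = """
intrusion-detection module 4 data-port 1 trunk allowed-vlan 3,4
intrusion-detection module 4 data-port 1 autostate include
"""
SENSOR_CONFIG = """
service interface
physical-interfaces g0/2
admin-state enabled
subinterface-type inline-vlan-pair
subinterface 1
vlan1 4 // bridging
vlan2 44
description INSPECT-USER-TRAFFIC
subinterface 2
vlan1 3
vlan2 33
description INSPECT-INTERNET-TRAFFIC
"""

if __name__ == "__main__":
    # Assumption: data-port 1 of module 4 is the sensor interface named g0/2.
    trunk = parse_ios_trunks(IOS_CONFIG)[(None, 4, 1)]
    pairs = parse_sensor_pairs(SENSOR_CONFIG)["g0/2"]
    for finding in check_inline_pairs(trunk, pairs) or ["inline pairs consistent"]:
        print(finding)
```

Run as a script it reports that VLANs 44 and 33 are bridged by the sensor but not allowed on the data-port trunk; adding them to the `allowed-vlan` list clears both findings. `inspected_by_sensor` makes the last point of the answer testable: a flow from VLAN 4 to VLAN 44 crosses a pair and is inspected, a flow between two hosts on VLAN 4 is not.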

  • IDSM-2 load balancing on inline mode is it possible ..?

    Hi there. I am currently working on a project and need to find out whether EtherChannel load balancing can be configured between several IDSM-2s running in inline mode. The IPS 5.1 admin guide states that it is possible for IOS-based switches having the IDSM-2 configured in promiscuous mode; however, I have heard that it might also be possible to configure EtherChannel load balancing when the IDSM-2s are in inline mode. Any help or comments will be appreciated; any links to refer to will be even better.
    Thanks !!!

    To configure EtherChannel load balancing on IDSM-2, you must install Cisco IOS 12.2(18)SXE and have Supervisor Engine 720. Cisco IOS only supports promiscuous IDSM-2 EtherChanneling using VACL capture (not SPAN or monitor). Refer the URL
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1044800

  • Setting the access-list on a IDSM blade

    I have a IDSM blade for a 6500 series switch. I need to modify the administrative access-list from the CLI so I can get into it remotely and with CME
    I see in the config entries like this
    access-list 192.168.100.10/32
    I assume this is the section for authorized hosts to access the IDSM
    but I can't figure out how to add an entry?
    any advice would be great

    on the console you can add entries the following way:
    in conf-mode:
    service host
    network-settings
    access-list 10.10.10.0/24 ! or whatever you want to add
    exit
    exit
    answer "yes" to apply changes
    exit
    !(ready)
    Sent from Cisco Technical Support iPad App

  • IDSM should protect serverfarm on FWSM from outside/inside threats

    Hi all,
    We have a 6509 with FWSM and IDSM. All VLANs (servers, voice, users etc.) are homed directly on the FWSM. We need to protect the server farm VLAN from attacks originating from both inside and outside. All traffic coming from outside and headed for the servers, as well as traffic from user VLANs, needs to be intercepted. So I am planning to put the IDSM in inline vlan pair mode. Also I want the internet traffic to first hit the FWSM and then the IDSM.
    Single digit vlan exist on MSFC, double digit vlans pushed to FWSM. Bridging done by IDSM
    MSFC
    vlan 2
    name SERVER-IDSM
    vlan 3
    name INTERNET-IDSM
    vlan 4
    name USER-IDSM
    vlan 22
    name SERVER-FWSM
    vlan 33
    name INTERNET-FWSM
    vlan 44
    name USER-FWSM
    intrusion-detection module 4 data-port 1 trunk allowed-vlan 3,4
    // Here vlan 3 (Internet) goes into IDSM and then FWSM. But i want traffic from internet to go to FWSM and then IDSM
    interface g2/3
    switchport
    switchport mode access
    switchport access vlan 3
    description INTERNET
    IDSM
    conf t
    service interface
    physical-interfaces g0/2
    admin-state enabled
    description INTERNET
    duplex full
    speed 1000
    subinterface-type inline-vlan-pair
    subinterface 1
    vlan1 4 //bridging
    vlan2 44
    description INSPECT-USER-TRAFFIC
    subinterface 2
    vlan1 3 //bridging
    vlan2 33
    description INSPECT-INTERNET-TRAFFIC
    service analysis-engine
    virtual-sensor
    physical-interface g0/2 subinterface-number 1
    physical-interface g0/2 subinterface-number 2
    My primary aim is :-
    1) All user traffic should first go to FWSM and then to IDSM and then if OK to servers
    2) All internet traffic (from outside) headed to servers should first go to FWSM and then IDSM and then if OK to servers
    How can this be achieved? I think the configuration posted above places IDSM in front of FWSM which is opposite of what i want
    Regards.
    Sonu,

    By deploying the FWSM in front of the server farm, security is provided both to and from the server farm and between each server farm tier. I think the config you have provided will work.

  • How to recover IDSM-2 password (without know any password)

    Hi,
    We have an IDSM-2 system card in a 6500 system. Unfortunately, we lost track of the login/password. I have read Cisco doc# 13837. It requires knowing either the admin username/password or the service username/password to do password recovery. I do not have that info (and tried). The last method suggested is to re-image the IDSM-2 (IOS). I am wondering whether there is a better way to recover the password, like on other switches (such as holding a mode button while rebooting the switch), without re-imaging. Here is the card info:
    "WS-SVC-IDSM-2 8 ports Intrusion Detection System Rev. 6.1"
    Any help would be greatly appreciated.
    gy

    A "re-image" is necessary, but it is not a standard re-image.
    Instead there is a special image file that ONLY sets the cisco password back to the default "cisco". It doesn't change anything else on the system.
    Download the password recovery image file WS-SVC-IDSM2-K9-a-6.1-password-recovery.bin.gz from:
    http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=6.1%281%29E1&mdfid=277997776&sftType=Intrusion+Prevention+System+%28IPS%29+System+Software&optPlat=&nodecount=29&edesignator=null&modelName=Cisco+Catalyst+6500+Series+Intrusion+Detection+System+%28IDSM-2%29+Services+Module&treeMdfId=268438162&modifmdfid=null&imname=&treeName=Security&hybrid=Y&imst=N
    To "install" this special password recovery file you will follow the System Re-Image instructions, but use this special file instead of the standard System Image file.
    http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_system_images.html#wp1031426
    This is discussed very briefly in the CLI guide:
    http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_troubleshooting.html#wp1139735

  • Authentication on an IDSM-2?

    I have a requirement to have Authentication on our network devices using RSA Secure tokens or restrict it's mgmt interface from the network.
    So far I am using AAA through the ACS to accomplish this but I can find nothing about AAA for the IDSM-2.
    Does AAA exist for the IDSM-2 or does anyone have another suggestion for said devices?
    Thanks!
    (Current HW setup. Will be upgrading to 720's soon but my security deadline is looming sooner.)
    Mod Slot Ports Module-Type Model Sub Status
    1 1 2 1000BaseX Supervisor WS-X6K-SUP2-2GE yes ok
    15 1 1 Multilayer Switch Feature WS-F6K-MSFC2 no ok
    2 2 16 1000BaseX Ethernet WS-X6516-GBIC no ok
    3 3 16 10/100/1000BaseT Ethernet WS-X6516-GE-TX no ok
    4 4 16 10/100/1000BaseT Ethernet WS-X6516-GE-TX no ok
    13 13 8 Intrusion Detection Mod WS-SVC-IDSM-2 yes ok

    Cisco Traffic Anomaly Detector Module:
    Authentication, Authorization, and Accounting (AAA) Support
    Integrates with AAA through TACACS+
    Privilege-level and command-level authorization and accounting
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_data_sheet0900aecd80220a6e.html

  • IDSM-2 Mode - Best Practice

    Hi All,
    I'm going to deploy two 6500 switches with FWSM, IDSM and ACE modules. My network consists of a Voice VLAN, Server VLAN, Application VLAN and some user VLANs. I will also have other devices like CS-MARS, ACS etc.
    My question is which IDSM mode (promiscuous/inline) I should configure in my scenario, and also which mode is suitable for voice, because I've read somewhere that inline mode adds delay to traffic.
    Waiting your feedback
    Regards

    Hi,
       Go through these links :
    http://help.sap.com/saphelp_nw2004s/helpdata/en/e7/47dd1613d14c449ce2a3f1461d8c87/content.htm
    http://help.sap.com/saphelp_dm40/helpdata/en/8b/4ffd9b07474279b3bbee75a60db41f/content.htm
    Regards
    Suvarna
