IDSM-2 inline between multiple VLANs

Hi,
I have a core switch 6509 which includes an IDSM-2. Actually the core switch handles the traffic between the users' VLANs and the server VLAN (VLAN 11).
The users' VLANs are (VLAN 2, 3, 4, 5, 6 and 7). I need to configure the core switch and IDSM to be inline between the users' VLANs and the server farm VLAN to inspect the traffic coming from the users.
As I understand it, I can use the IDSM inline mode between multiple VLANs, but unfortunately my test to drop the ICMP request to the server failed.
Kindly advise if that is available or if it should be only in promiscuous mode.
Also, is there any sample of a successful configuration?
My configuration is as below:
Core-SW-RYD#sh run | in intr
intrusion-detection module 9 data-port 1 trunk allowed-vlan 2-7,11
intrusion-detection module 9 data-port 2 trunk allowed-vlan 2-7,11
intrusion-detection module 9 data-port 1 autostate include
intrusion-detection module 9 data-port 2 autostate include
intrusion-detection module 9 data-port 1 portfast 1
intrusion-detection module 9 data-port 2 portfast 1
VLAN Name                             Status    Ports
1    default                          active    Gi9/2, Gi9/3, Gi9/4, Gi9/5, Gi9/6
2    Food-D-VLAN                      active   
3    Comm-D-VLAN                      active   
4    Emar-D-VLAN                      active   
5    Finance-D-VLAN                   active   
6    Glucose-D-VLAN                   active   
7    IT-D-VLAN                        active    Gi1/3
11   servers-Vlan                     active    Gi1/2, Gi1/4, Gi1/5, Gi1/6, Gi1/7, Gi1/8, Gi1/9, Gi1/10, Gi1/12, Gi1/13
                                                Gi1/14, Gi1/15, Gi1/16, Gi1/17, Gi1/18, Gi1/19, Gi1/20, Gi1/21, Gi1/22
                                                Gi1/23, Gi1/24, Gi1/25, Gi1/26, Gi1/27, Gi1/28, Gi1/29, Gi1/31, Gi1/32
                                                Gi1/33, Gi1/34, Gi1/35, Gi1/36, Gi1/37, Gi1/38, Gi1/39, Gi1/41, Gi1/42
                                                Gi1/43, Gi1/44, Gi1/45, Gi1/46, Gi1/47, Gi1/48, Gi2/10, Gi2/11, Gi2/12
                                                Gi2/13, Gi2/15, Gi2/16, Gi2/18, Gi2/19, Gi2/20, Gi2/21, Gi2/22, Gi2/23
                                                Gi2/24, Gi3/1, Gi3/2, Gi3/3, Gi3/4, Gi3/5, Gi3/6, Gi3/7, Gi3/8, Gi3/9, Gi3/10
                                                Gi3/11, Gi3/12, Gi3/13, Gi3/14, Gi3/15, Gi3/16, Gi3/17, Gi3/18, Gi3/19
                                                Gi3/20, Gi3/21, Gi3/22, Gi3/23, Gi3/24
Your support will be highly appreciated.
Best Regards,
Magdy

Hi Mohamed.
With inline mode, you can only bridge VLANs in pairs uniquely. So you can only bridge VLAN 11 to another single VLAN. And remember, since they are bridged, that means the 2 VLANs need to have the same IP subnet.
But looking at your requirements, I'm guessing the different VLANs are on different IP subnet ranges.
In that case, you'll need to do promiscuous mode.
However, in promiscuous mode you can only do ACL blocking, and the first packet will pass successfully but will trigger the sensor to configure the router to create an ACL, and further packets will be dropped.
However, if you redesign a bit you can use promiscuous mode. For example, create a new layer 2 VLAN (let's say 14) and move the servers to this VLAN.
You only need to trunk VLAN 11 and VLAN 14 to the IDSM module, then create a single VLAN pair on the IPS which bridges VLAN 11 and VLAN 14, then configure the signature to drop packets inline. Since now the clients who need to contact the servers need to pass traffic to VLAN 11, and the IDSM is in the middle between VLAN 11 and 14, it should drop pings to the servers.
Regards,
Fadi.
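The constraints Fadi spells out (one partner per VLAN, one subnet per pair, pairs limited to the VLANs trunked to the data port, at most 255 pairs per port) can be checked mechanically. The checker below is an added example, not Cisco code or anything from this thread; it reads the IOS `intrusion-detection` lines and the sensor `service interface` block in the formats quoted on this page, and the sample configurations, subnets and the interface-to-data-port mapping it uses are constructed.

```python
"""Check an IDSM-2 inline VLAN-pair design against the rules stated in the
thread: a VLAN belongs to at most one pair, both VLANs of a pair share one IP
subnet, a pair's VLANs are allowed on the data-port trunk, and a data port
carries at most 255 pairs. Added example, not Cisco code; samples constructed."""
import ipaddress
import re

MAX_PAIRS_PER_PORT = 255  # figure quoted from the IDSM-2 documentation


def expand_vlan_list(spec):
    """'2-7,11' -> {2, 3, 4, 5, 6, 7, 11} (IOS allowed-vlan syntax)."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunk_allowed(ios_config):
    """data-port number -> allowed VLAN set, from the 6500's
    'intrusion-detection module N data-port P trunk allowed-vlan LIST' lines."""
    pat = re.compile(r"intrusion-detection module \d+ data-port (\d+) "
                     r"trunk allowed-vlan (\S+)")
    return {int(p): expand_vlan_list(v) for p, v in pat.findall(ios_config)}


def parse_vlan_pairs(ips_config):
    """sensor interface name -> [(vlan1, vlan2), ...] from the sensor's
    'service interface' block (inline-vlan-pair subinterfaces)."""
    pairs, iface, v1 = {}, None, None
    for line in ips_config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "physical-interfaces":
            iface = words[1]
            pairs.setdefault(iface, [])
        elif words[0] == "vlan1":
            v1 = int(words[1])
        elif words[0] == "vlan2":
            pairs[iface].append((v1, int(words[1])))
    return pairs


def check_design(ios_config, ips_config, vlan_subnets, port_map):
    """Return a list of problems; an empty list means the design is consistent.
    vlan_subnets: {vlan: 'a.b.c.d/len'}; port_map: sensor interface -> data-port."""
    problems = []
    allowed = parse_trunk_allowed(ios_config)
    for iface, pairs in parse_vlan_pairs(ips_config).items():
        port = port_map[iface]
        if len(pairs) > MAX_PAIRS_PER_PORT:
            problems.append(f"{iface}: {len(pairs)} pairs exceed {MAX_PAIRS_PER_PORT}")
        seen = {}
        for pair in pairs:
            for v in pair:
                if v in seen:  # a VLAN can only be bridged to one partner
                    problems.append(f"vlan {v} is in pairs {seen[v]} and {pair}")
                seen.setdefault(v, pair)
                if v not in allowed.get(port, set()):
                    problems.append(f"vlan {v} is not allowed on data-port {port}")
            nets = [ipaddress.ip_network(vlan_subnets[v], strict=False) for v in pair]
            if nets[0] != nets[1]:  # bridged VLANs must be one L3 subnet
                problems.append(f"pair {pair} bridges different subnets {nets}")
    return problems


# Constructed sample: the poster's switch lines plus two sensor layouts
IOS_CFG = """
intrusion-detection module 9 data-port 1 trunk allowed-vlan 2-7,11
intrusion-detection module 9 data-port 2 trunk allowed-vlan 2-7,11
"""
PORT_MAP = {"GigabitEthernet0/7": 1, "GigabitEthernet0/8": 2}  # assumed mapping


def original_design():
    """Server VLAN 11 paired with each user VLAN 2-7, each on its own subnet."""
    ips = "service interface\nphysical-interfaces GigabitEthernet0/7\n"
    for i, v in enumerate(range(2, 8), 1):
        ips += f"subinterface {i}\nvlan1 {v}\nvlan2 11\nexit\n"
    subnets = {v: f"10.0.{v}.0/24" for v in range(2, 8)}
    subnets[11] = "10.0.11.0/24"
    return check_design(IOS_CFG, ips, subnets, PORT_MAP)


def redesign():
    """Fadi's suggestion: one pair 11<->14, both VLANs on the server subnet."""
    ios = IOS_CFG.replace("2-7,11", "11,14")
    ips = ("service interface\nphysical-interfaces GigabitEthernet0/7\n"
           "subinterface 1\nvlan1 11\nvlan2 14\nexit\n")
    return check_design(ios, ips, {11: "10.0.11.0/24", 14: "10.0.11.0/24"}, PORT_MAP)
```

Running `original_design()` reports VLAN 11 reused in five further pairs and six pairs bridging different subnets; `redesign()` returns an empty list.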

Similar Messages

  • IDSM-2 inline VLAN pair mode

    My customer has voice, video and data VLANs. The customer wants only the inter-VLAN data traffic to be inspected by the IDSM-2 inline, while bypassing the other VLAN traffic to the FWSM and then to the WAN.
    Is that possible with inline VLAN pair mode?
    I read the cisco document which states as below
    "You can configure IDSM-2 to simultaneously bridge up to 255 VLAN pairs on each data port. IDSM-2 replaces the VLAN ID field in the 802.1q header of each packet with the ID of the VLAN on which the packet is forwarded. It drops any packets received on VLANs that are not assigned to an inline VLAN pair."
    The last statement says it will drop all other vlan traffic which are not assigned to any inline vlan pair?
    Regards
    Vinod

    You can bypass the analysis engine when inline bypass is activated, allowing traffic to flow through the inline interfaces and inline VLAN pairs without inspection. Inline bypass ensures that packets continue to flow through the sensor when the sensor processes are temporarily stopped for upgrades or when the sensor monitoring processes fail. But not always.

  • Idsm 2- Inline Mode Deployment

    I would like to configure an IDSM-2 in inline mode, I am having trouble about the deployment, I have a couple of questions;
    1. If you configure 2 VLANs (existing) as VLAN pairs does this mean the exist connection between the 2 VLANs is broken?
    ie they can only communicate to each other via IPS.
    2. Where is the best place to deploy this type of IPS?

    In an inline VLAN-pair scenario, the IDSM2 will bridge the VLANs together using VLAN tag swapping.  Below is a quick topo sketch of an inline design where this might be used.
    6500 MSFC--VL10--(inside) FWSM (outside)--VLAN 11--IDSM--VLAN 111--RTR--INTERNET
    In the example above, the FWSM outside and RTR inside interfaces sit on the same Layer 3 subnet but different Layer 2 VLANs. The IDSM is positioned inline using an inline VLAN pair. Traffic leaving the FWSM towards the Internet will go into the trunk to the IDSM on VLAN 11. The IDSM will then swap the VLAN tag to 111 before forwarding the packet down the trunk. This process allows the traffic to be influenced into the IDSM for inspection.
    http://www.cisco.com/en/US/customer/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047718

  • Communication between 2 vlans on firewall.

    communication between 2 vlans.
    i have 2 vlans
    Vlan 100
    ip add 1.1.1.1
    Vlan 200
    ip add    2.2.2.2
    i want to make communication between 2 vlans on firewall 5520 ASA 8.2.
    Please provide configuration for same.

    You need to follow this guide; the configuration which you have pasted has nothing but the IP. Other parameters are also required to configure the ASA firewall.
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html
    Thanks
    Ajay

  • What's the difference between native VLAN and PVID

    What's the difference between native VLAN and PVID?

    Hi,
    a port VLAN ID is the assigned VLAN of an access-port.
    The native VLAN is used in a trunk. A trunk is used to connect another switch or a device which belongs to more than 1 VLAN. Since a standard Ethernet frame doesn't provide a field to distinguish VLANs, a special field is inserted; this is called "tagging". Nevertheless, frames belonging to the native VLAN are transmitted without such a tag (in other words: the Ethernet frames are not modified). In this way, traffic forwarding is possible in the native VLAN even when the trunk is not working correctly.
    In theory, when you would connect a trunk port from one switch to an access port of another, communication for the native VLAN would be possible. In such a scenario, the native VLAN ID doesn't have to match the PVID. Hope this isn't too confusing.
    You can find more details in discussion https://learningnetwork.cisco.com/thread/8721#39225
    Regards,
    Rolf

  • IDSM-2 inline vlan pair mode configs

    Dear all,
    1. Is it possible to associate 2 VLANs (to be paired) on 2 different data ports on the IDSM instead of pairing them on a single data port on the IDSM, and to configure these 2 ports on the CAT6509 as access ports instead of trunks... Will this work?
    2. Since bypass mode is ON by default (AUTO) in IDSM-2 inline VLAN pair mode, but when I am testing the bypass it's not happening. Can anyone please guide what could be the reason for this?
    Regards,
    Akhtar

    You can bypass the analysis engine when inline bypass is activated, allowing traffic to flow through the inline interfaces and inline VLAN pairs without inspection. Inline bypass ensures that packets continue to flow through the sensor when the sensor processes are temporarily stopped for upgrades or when the sensor monitoring processes fail. But not always.

  • IDSM-2 Inline Vlan Pair - Duplicate Packets

    Dear All
    We have a setup where two IDSM-2 modules are ether-channeled together in a single 6513 Chassis.
    There is an FWSM module also, which acts as the default gateway for all internal VLANs.
    Problem: IDSM show stat virtual-sensor command is showing tons of 'Duplicate Packets'
    show statistics virtual-sensor | inc Duplic
    Duplicate Packets = 2950967
    Inline TCP Tracking Mode: Interface and VLAN
    Topology:
    Assume Client VLAN = 10 and Server VLAN = 60
    IPS Inline VLAN Pairs:
    10 >> 110 (Client VLAN)
    60 >> 160 (Server VLAN)
    Client >> Server Flow: (Layer 2):
    [ClientPC] >>>> Access Switch (VLAN 10) >>>> Core SW >>>> IDSM-2 (VLAN 10--110 Pair) >>>> Core Sw >>>> FWSM VLAN 110 >>>>
    FWSM VLAN 160 >>>> Core Sw >>>> IDSM-2 (VLAN 160--60 Pair) >>>> Server Switch (VLAN 60) >>>> [Server]
    Core Switch IPS Etherchannel Setup:
    Group 5: IDSM(A) and IDSM(B) Port x/7
    Group 6: IDSM(A) and IDSM(B) Port x/8
    Some VLAN Pair(s) are on interface x/7 and others are on x/8
    Because of the above issue, we see a lot of TCP normalization signatures being fired (as the IPS gets confused with duplicate packets seen for the same flow), especially signatures 1330:12, :17 and :18.
    It is also causing some applications to break (e.g. Veritas NetBackup 6.5). When I removed the DENY action from these signatures, our IPS started having stability issues (this could also be due to the E3 upgrade).
    Should we change the tracking mode to 'VLAN' only, or is there any other possible solution? Should not the 'interface and vlan' setting be sufficient?
    Regards
    Farrukh

    This will take some traffic analysis to determine what is going wrong.
    You might need to place a sniffer to watch the traffic on the client where the backup software is running at the same time that you capture the traffic on the sensor.
    Look to see if there are any differences in the traffic.
    Look for any anomalies in the traffic.
    Look to see if maybe the backup software is not using a standard TCP connection (is it jumping the tcp sequence numbers in any abnormal way?)
    You might also try some things on the sensor to determine if the sensor itself might have an issue.
    Determine if the connection passes through 2 connections (inline VLAN pairs) monitored by the sensor.
    If you can, you might try removing both of the pairs from the virtual sensor. (don't delete the pairs, just remove them from the virtual sensor so they won't be analyzed)
    And see if the backup works.
    If it does then just add in one pair, and see if it keeps working.
    If it has errors with just the one pair, then the problem is likely not because of the connection being monitored twice.
    Something else must be weird about the connection.
    If the problems are only seen when having both pairs in the same virtual sensor, then try placing the pairs in different virtual sensors and see if the problem goes away.
    If the problem goes away when in different virtual sensors, then there may be an error in the inline tcp session tracking code that should track connections separately for each interface/vlan.

  • 6509 - IDSM-2 inline vlan pair mode at layer 3

    I am a little green, so be nice.
    Wondering how to get an IDSM-2 module inline on a 6509. My issue is that the traffic comes into the 6509 at layer 3 (routed), so I'm not sure how the config works (e.g. do I use a trunk, or do I have to add in a hop somehow).
    6509 conf snippet:
    intrusion-detection module 7 data-port 1 trunk allowed-vlan 3127,3128
    vlan 3127
    name FIREWALL-IPS
    vlan 3128
    name FIREWALL
    interface Port-channel2
    description CAB2
    ip address 10.30.2.2 255.255.255.0
    ip helper-address 10.10.20.11
    ip helper-address 10.10.20.13
    ip helper-address 10.30.123.11
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    glbp 2 ip 10.30.2.1
    glbp 2 timers msec 250 msec 750
    glbp 2 priority 120
    glbp 2 preempt delay minimum 60
    glbp 2 load-balancing weighted
    glbp 2 weighting track 89 decrement 50
    glbp 2 weighting track 99 decrement 50
    glbp 2 forwarder preempt delay minimum 60
    interface GigabitEthernet1/9
    description FIREWALL
    switchport
    switchport access vlan 3128
    switchport mode access
    no ip address
    interface GigabitEthernet8/9
    description CAB2SW1-Gi1/0/49
    no ip address
    channel-group 2 mode on
    interface GigabitEthernet9/9
    description CAB2SW1-Gi1/0/50
    no ip address
    channel-group 2 mode on
    interface Vlan3128
    description FIREWALL
    ip address 10.30.128.2 255.255.255.0
    no ip redirects
    no ip unreachables
    ip flow ingress
    no ip igmp snooping
    glbp 128 ip 10.30.128.1
    glbp 128 timers msec 250 msec 750
    glbp 128 priority 120
    glbp 128 preempt delay minimum 60
    glbp 128 load-balancing weighted
    glbp 128 forwarder preempt delay minimum 60
    IDSM-2 conf snippet:
    service interface
    physical-interfaces GigabitEthernet0/7
    description data-port 1
    subinterface-type inline-vlan-pair
    subinterface 1
    description FIREWALL VLAN3127<->VLAN3128
    vlan1 3127
    vlan2 3128

    A colleague of mine explained how to do this and it mostly makes sense. My only confusion is that once you remove the access VLAN (3128) from the interface that gets monitored and replace it with 3127, how does traffic still traverse the 3128 VLAN? What is the mechanism that controls this? Is it the command "intrusion-detection module 7 data-port 1 trunk allowed-vlan 3127,3128"?

  • Hybrid 6500 IDSM-2 inline vlan pair mode

    I am having a problem understanding how a packet is going to know that it needs to get evaluated by the IDSM if it is being sent to a host on a different VLAN. First, let's say that the server is on a VLAN that is being paired and the server host is configured with the GW address of the paired VLAN. So if a different host on a different VLAN sent a packet to that server, how does the MSFC know to send the packet to the paired VLAN to get routed to the server's VLAN instead of routing it directly to the server's VLAN that is attached to it (MSFC)? FYI, I followed the admin guides to set this up and it does not cover design or operation packet flows.

    Cisco CatOS on the Cisco Catalyst 6500 Series with optional Cisco IOS Software on the Multilayer Switching Feature Card (MSFC) provides Layer 2/3/4 functionality for the Cisco Catalyst 6500 by integrating two operating systems. A switch running CatOS only on the Supervisor Engine is a Layer 2 forwarding device with Layer 2/3/4 functionality for QoS, security, multicast, and network management of the Policy Feature Card (PFC), but does not have any routing capabilities. Layer 3 routing functionality is provided via a Cisco IOS Software image on the MSFC routing engine (optional in Supervisor 1A and 2, and integrated within Supervisor 32 and 720.) In this paper, the combination of CatOS on the Supervisor Engine and Cisco IOS Software on the MSFC is referred to as the "hybrid" OS; two operating systems work together to provide complete Layer 2/3/4 system functionality.

  • IDSM-2 Inline VLAN configuration issue

    The SVR is on VL60, the PC is on VL80.
    So, PC(.25--VL81--GE0/7--VL80--SVI 80--SVI60--VL60--SVR(.10)
    Sensor interface GigabitEthernet0/7 is assigned to trunk all Vlans 1-4094
    CAT65K-PODX#sh ru | in intrusion
    intrusion-detection module 6 management-port access-vlan 99
    intrusion-detection module 6 data-port 1 trunk allowed-vlan 1-4094
    CAT65K-PODX#
    The interface is assigned to vs0.
    All I am seeing is "unknown 802.1d" when I look at the interface instead of the continuous ping I have from the PC to the SVR. (80.25 to 60.10)
    CAT65K-PODX#ses sl 6 pr 1
    The default escape character is Ctrl-^, then x.
    You can also type 'exit' at the remote prompt to end the session
    Trying 127.0.0.61 ... Open
    login: cisco
    Password:
    Last login: Mon Oct 23 18:16:06 from 127.0.0.51
    ***NOTICE***
    This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to [email protected].
    ***LICENSE NOTICE***
    There is no license key installed on the system.
    The system will continue to operate with the currently installed signature set. A valid license must be obtained in order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
    IDSM2-PODX# pack disp gi
    gigabitEthernet0/2 gigabitEthernet0/7 gigabitEthernet0/8
    IDSM2-PODX# pack disp gigabitEthernet0/7
    Warning: This command will cause significant performance degradation
    tcpdump: WARNING: ge0_7: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ge0_7, link-type EN10MB (Ethernet), capture size 65535 bytes
    18:35:17.968178 802.1d unknown version
    0x0000: 0180 c200 0000 0016 9dab 3346 8100 e001 ..........3F....
    0x0010: 0079 4242 0300 0003 027c 1000 000f f863 .yBB.....|.....c
    0x0020: 8400 0000 0000 1000 000f f863 8400 8287 ...........c....
    0x0030: 0000 1400 0200 0f00 0000 5000 6369 7363 ..........P.cisc
    0x0040: 6f00 0000 0000 0000 0000 0000 0000 0000 o...............
    0x0050: 0000 0000 0000 0000 0000 0000 0001 46b6 ..............F.
    0x0060: c0ce 9a01 9392 94e2 dcc9 ca1b 3291 0000 ............2...
    0x0070: 0000 1000 000f f863 8400 147c 80 .......c...|.
    18:35:19.968666 802.1d unknown version
    0x0000: 0180 c200 0000 0016 9dab 3346 8100 e001 ..........3F....
    0x0010: 0079 4242 0300 0003 027c 1000 000f f863 .yBB.....|.....c
    0x0020: 8400 0000 0000 1000 000f f863 8400 8287 ...........c....
    0x0030: 0000 1400 0200 0f00 0000 5000 6369 7363 ..........P.cisc
    0x0040: 6f00 0000 0000 0000 0000 0000 0000 0000 o...............
    0x0050: 0000 0000 0000 0000 0000 0000 0001 46b6 ..............F.
    0x0060: c0ce 9a01 9392 94e2 dcc9 ca1b 3291 0000 ............2...
    0x0070: 0000 1000 000f f863 8400 147c 80 .......c...|.
    2 packets captured
    2 packets received by filter
    0 packets dropped by kernel
    IDSM2-PODX#
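    Decoding the captured bytes shows what the data port is actually receiving. The script below is an added example, not Cisco code or anything from the post: it parses the Ethernet, 802.1Q and LLC/BPDU headers of the first packet in the capture above (a BPDU to 01:80:c2:00:00:00 on VLAN 1 with STP protocol version 3, the MST format, which is what an older tcpdump reports as "802.1d unknown version") and then applies the inline VLAN-pair rule quoted from the IDSM-2 documentation elsewhere on this page (rewrite the VID to the partner VLAN, drop frames on VLANs that are not in a pair). The pair tables passed to it are constructed.

```python
"""Decode the first frame of the capture and apply the inline VLAN-pair tag
rewrite that the IDSM-2 documentation describes. Added example, not Cisco code;
FRAME holds the captured bytes, the pair tables used with it are constructed."""
import struct

# First 32 bytes of the first packet in the poster's capture (tcpdump -x lines)
FRAME = bytes.fromhex(
    "0180 c200 0000 0016 9dab 3346 8100 e001"
    "0079 4242 0300 0003 027c 1000 000f f863"
)
STP_GROUP_MAC = "01:80:c2:00:00:00"  # 802.1D bridge group address


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame):
    """Parse dst/src MAC, the 802.1Q tag and, for an LLC STP frame, the BPDU
    protocol version and type. Untagged frames get vlan=None."""
    info = {"dst": mac(frame[0:6]), "src": mac(frame[6:12]), "vlan": None}
    tpid, = struct.unpack("!H", frame[12:14])
    if tpid != 0x8100:
        info["ethertype"] = tpid
        return info
    tci, length = struct.unpack("!HH", frame[14:18])
    info.update(pcp=tci >> 13, dei=(tci >> 12) & 1, vlan=tci & 0x0FFF,
                ethertype=length)
    # length <= 1500 means 802.3 LLC; DSAP/SSAP 0x42 with control 0x03 is STP
    if length <= 1500 and frame[18:21] == b"\x42\x42\x03":
        proto, version, bpdu_type = struct.unpack("!HBB", frame[21:25])
        info.update(bpdu=(proto == 0 and info["dst"] == STP_GROUP_MAC),
                    stp_version=version, bpdu_type=bpdu_type)
    else:
        info["bpdu"] = False
    return info


def describe(frame):
    """One-line summary of what the sensor saw."""
    i = decode_frame(frame)
    if i.get("bpdu"):
        names = {0: "STP", 2: "RSTP", 3: "MST"}
        kind = names.get(i["stp_version"], f"version {i['stp_version']}")
        return f"{kind} BPDU on VLAN {i['vlan']} from {i['src']}"
    return f"frame on VLAN {i['vlan']} from {i['src']} to {i['dst']}"


def inline_pair_forward(frame, pairs):
    """Apply the rule quoted from the IDSM-2 docs: replace the VID with the
    partner VLAN of its inline pair, or drop (None) if the VLAN is unpaired."""
    partner = {}
    for a, b in pairs:
        partner[a], partner[b] = b, a
    vid = decode_frame(frame)["vlan"]
    if vid not in partner:  # covers untagged (None) and unpaired VLANs
        return None
    tci, = struct.unpack("!H", frame[14:16])
    new_tci = (tci & 0xF000) | partner[vid]  # keep PCP/DEI bits, swap the VID
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]
```

With a pair table of `[(80, 81)]`, as in the poster's design, `inline_pair_forward(FRAME, ...)` returns None: the captured frame is on VLAN 1, so nothing from the PC-to-server ping is reaching this port.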

    exit
    signatures 60000 0
    alert-severity medium
    sig-fidelity-rating 75
    sig-description
    sig-name BadICMP
    sig-string-info BadICMP
    sig-comment BadICMP
    exit
    engine atomic-ip
    event-action produce-alert|log-attacker-packets
    specify-l4-protocol yes
    l4-protocol icmp
    specify-icmp-code yes
    icmp-code 8
    exit
    exit
    exit
    specify-ip-addr-options yes
    ip-addr-options ip-addr
    specify-src-ip-addr yes
    src-ip-addr 10.1.80.25
    exit
    exit
    exit
    exit
    exit
    signatures 60001 0
    alert-severity high
    sig-fidelity-rating 75
    sig-description
    sig-name Block BadICMP
    sig-string-info Block BadICMP
    sig-comment Block BadICMP
    exit
    engine atomic-ip
    event-action produce-alert|request-block-host
    specify-l4-protocol yes
    l4-protocol icmp
    specify-icmp-seq no
    specify-icmp-type no
    specify-icmp-code yes
    icmp-code 0
    exit
    specify-icmp-id no
    specify-icmp-total-length no
    exit
    specify-payload-inspection no
    exit
    specify-ip-payload-length no
    specify-ip-header-length no
    specify-ip-tos no
    specify-ip-ttl no
    specify-ip-version no
    specify-ip-id no
    specify-ip-total-length no
    specify-ip-option-inspection no
    specify-ip-addr-options yes
    ip-addr-options ip-addr
    specify-src-ip-addr yes
    src-ip-addr 10.1.80.25
    exit
    specify-dst-ip-addr no
    exit
    exit
    exit
    event-counter
    specify-alert-interval no
    exit
    alert-frequency
    summary-mode summarize
    specify-global-summary-threshold no
    exit
    exit
    status
    enabled false
    exit
    exit
    signatures 60002 0
    alert-severity high
    sig-fidelity-rating 75
    sig-description
    sig-name WatchHTTP
    sig-string-info WatchHTTP
    sig-comment WatchHTTP
    exit
    engine service-http
    service-ports 80,443
    exit
    status
    enabled false
    exit
    exit
    signatures 60003 0
    alert-severity high
    sig-fidelity-rating 75
    sig-description
    sig-name LogICMP
    sig-string-info BadICMP
    sig-comment BadICMP
    exit
    engine atomic-ip
    event-action produce-alert|log-pair-packets
    specify-l4-protocol yes
    l4-protocol icmp
    specify-icmp-seq no
    specify-icmp-type no
    specify-icmp-code no
    specify-icmp-id no
    specify-icmp-total-length no
    exit
    specify-payload-inspection no
    exit
    specify-ip-payload-length no
    specify-ip-header-length no
    specify-ip-tos no
    specify-ip-ttl no
    specify-ip-version no
    specify-ip-id no
    specify-ip-total-length no
    specify-ip-option-inspection no
    specify-ip-addr-options yes
    ip-addr-options ip-addr
    specify-src-ip-addr yes
    src-ip-addr 10.1.80.25
    exit
    specify-dst-ip-addr no
    exit
    exit
    exit
    event-counter
    specify-alert-interval no
    exit
    alert-frequency
    summary-mode summarize
    specify-global-summary-threshold no
    exit
    exit
    status
    enabled false
    exit
    exit
    exit
    service ssh-known-hosts
    rsa1-keys 10.1.80.1
    length 512
    exponent 65537
    modulus 99185532719194806833608326202776763021153657064604804620747308600159428745731517042852081906588402062478059658578012089704942074191546123977278518597538
    exit
    exit
    service trusted-certificates
    exit
    service web-server
    port 443
    exit
    IDSM2-PODX#

  • IDSM-2 Inline mode

    Hi,
    I am working with the IDSM-2. We have a Cisco 6509 with CSM & FWSM. We are planning IDSM-2 in inline mode, and now I want to monitor the traffic which is coming through the outside interface of the FW context (which is nothing but VLAN A, VLAN B, VLAN C on the MSFC).
    Data flow :-- ISP RTR---INternal RTR---FWSM---IDSM---MSFC---CSM---
    IDSM version is 5.1(4)S257.0,
    This will support only Two VLAN (IN and OUT) on access mode.
    My problem is I don't know how to scan the traffic of 3 numbers of VLAN (A,B,C).
    Cisco 6509 --- Version 12.2(18)SXF7,

    Hi Udaya,
    I am not able to find out any subinterface.
    I think it is available from IPS 5.1 and this one is IPS5.0(2)
    IDSM2CORE2(config-int)# show settin
    physical-interfaces (min: 0, max: 999999999, current: 3)
    name: GigabitEthernet0/2
    media-type: backplane
    description:
    admin-state: enabled
    duplex: auto
    speed: auto
    alt-tcp-reset-interface
    none
    name: GigabitEthernet0/7
    media-type: backplane
    description:
    admin-state: enabled
    duplex: auto
    speed: auto
    alt-tcp-reset-interface
    interface-name: System0/1
    name: GigabitEthernet0/8
    media-type: backplane
    description:
    admin-state: enabled
    duplex: auto
    speed: auto
    alt-tcp-reset-interface
    interface-name: System0/1
    command-control: GigabitEthernet0/2
    inline-interfaces (min: 0, max: 999999999, current: 0)
    bypass-mode: auto
    interface-notifications
    missed-percentage-threshold: 0 percent
    notification-interval: 30 seconds
    idle-interface-delay: 30 seconds

  • IDSM with inline pairs causing mac move

    Hello,
    I've just added the IDSM-2 blades on a 6500 and configured it, but it did not work as I planned.
    This picture is a small-scale version of what I tried to do; actually I had more VLANs on the inspection.
    I have 2 cores and a port-channel trunk in between them, and for redundancy I'm using HSRP as the config shows.
    After I configured it I've got these msgs and I could not figure out how to stop it:
    Core1
    %MAC_MOVE-SP-4-NOTIF: Host 001a.a2e4.e800 in vlan 6 is flapping between port Gi6/d1 and port Po1
    %MAC_MOVE-SP-4-NOTIF: Host 001a.a2e4.e800 in vlan 7 is flapping between port Gi6/d1 and port Po1
    MAC 001a.a2e4.e800 is from Core2
    Core2
    %MAC_MOVE-SP-4-NOTIF: Host 0022.557b.c340 in vlan 6 is flapping between port  and port Po1
    %MAC_MOVE-SP-4-NOTIF: Host 0022.557b.c340 in vlan 7 is flapping between port Po1 and port
    Mac 0022.557b.c340 is from Core1
    There was only one VLAN pair that did not have this problem, which was the VLAN L2 for the ISP router and the VLAN Outside for the FWSM. It also was the only VLAN that did not have HSRP working; I don't know if it has something to do with it.
    The Core 1 is the STP Root with priority of Zero and the Core 2 is the Backup Root with priority 4096
    Any guesses ?

    I see this log message frequently when using a switch to feed an IPS sensor if the same Ethernet frame is entering the same VLAN on two different interfaces. I can't tell how your traffic is flowing, but I think you have the same issue.
    In my case it was not anything to worry about so I just ignored the messages.
    - Bob

  • IDSM-2 Inline Configuration Setup

    Hi ,
    Does anyone have experience with INLINE configuration for IDSM-2? I have a setup where the user VLAN (L3) resides in the FWSM at the Data Center switch and the IDSM resides in another 6509 switch which connects to the INTERNET.
    Both of these 6509 switches communicate via OSPF.
    Any help appreciated.
    Thank you
    Rama

    Hi,
    The IDSM is a Layer two bridge. It will install in vlan 1644 like....
    vlan 1644 hosts ----->(dataport0/7) IDSM -----> (dataport0/8)vlan 1645 ------>FWSM---->other vlans
    the host will be in access port of vlan 1644, while its gateway interface will be configured with the same subnet ip address on other new vlan 1645....
    example:
    vlan 1645
    exit
    int vlan 1645
    ip add 10.17.168.1 255.255.255.0
    exit
    intrusion-detection module 1 data-port 1 access-vlan 1644
    intrusion-detection module 1 data-port 2 access-vlan 1645
    thanks,
    Aman

  • Diverting traffic to IDSM for inline IPS mode

    I have a Catalyst 6500 switch containing FWSM and IDSM-2 modules. VLAN 1000 is the outside interface for the FWSM to which all business servers are mapped (VLAN 900, inside interface of the FWSM).
    I want to inline IPS all the traffic going to these business servers.
    I have no issue with IPS configuration.
    Could you please guide me with a configuration for 6500 switch for diverting this traffic.
    I can provide 6500 configs if required.
    An example would be appreciated.

    I'm not sure if this is relevant to your situation, but here is how I have a gateway 6K switch set up with an external 4255 IPS device. You should be able to substitute the IDSM2 though.
    Internet -> port 1/2 Vlan 5 -> port 3/1 Vlan 5 -> 4255 vlan pair to -> port 3/2 Vlan 2 -> MSFC Route Module -> rest of vlans internal...
    What I am doing is bringing my uplink in on a physical port that is in VLAN 5. I put one side of my IPS sensor into VLAN 5. These two ports are the only ports in VLAN 5. The IPS sensor port is VLAN-paired through the sensor to a port in VLAN 2. From this point, my MSFC route module has virtual interfaces for VLAN 2 and all of the rest of my internal VLANs. There is no route entry for VLAN 5; it is a pure switching VLAN.
    What I like about this setup is that the IPS is transparent. If I have a problem with my IPS device or if I am doing an image upgrade, I can move the vlan for port 1/2 into Vlan 2 and logically bypass the IPS device...taking it out of inline without having to change anything else in the switch config and only having to wait for the spanning tree to converge.
    For the IDSM2, since the ports are trunk ports, you'd want to set the native vlan to the target vlan of each port and set the allowed vlans to just the target vlan of each port (ports 7 & 8).
    Hope this is useful,
    Scott

  • IDSM-2, inline and Passive mode in same Module?

    Hi, I have a question that may seem strange. In our network we have implemented the IDSM-2 module in our 6513 switch in inline mode. Without any discussion about network design, suppose that our network is going beyond the IDSM-2 throughput and then we want to use the IDSM-2 for some traffic in passive mode instead of inline, to reduce the drop probability in inline mode. I mean, before this state we were using IDSM-2 data port 1 (in VLAN pair mode); now can we use data port 2 for this purpose (capturing some traffic on data port 2 for passive operation)? In other words, can the IDSM-2 operate in this way?

    I found my answer in the IDSM-2 document: "You can mix sensing modes on IDSM-2. For example, you can configure one data port for promiscuous mode and the other data port for inline VLAN pair mode. But because IDSM-2 only has two data ports and inline mode requires the use of both data ports as a pair, you cannot mix inline mode with either of the other two modes." But something else: for doing such a thing, suppose that I have sig 2004 configured for inline traffic to deny the attacker inline; then this action doesn't make any sense for some data in passive mode, and suppose that for that kind of traffic, where the IDSM-2 is operating in passive mode, I want to just send an alert. So can I use a different VS for doing this? Thanks.
