IDSM-2 Inline Configuration Setup

Hi,
Does anyone have experience with INLINE configuration for IDSM-2? I have a setup where the user VLAN (L3) resides in the FWSM at the Data Center switch and the IDSM resides in another 6509 switch which connects to the INTERNET.
Both of these 6509 switches communicate via OSPF.
Any help appreciated.
Thank you
Rama

Hi,
The IDSM is a Layer two bridge. It will install in vlan 1644 like....
vlan 1644 hosts ----->(dataport0/7) IDSM -----> (dataport0/8)vlan 1645 ------>FWSM---->other vlans
The host will be in an access port of vlan 1644, while its gateway interface will be configured with the same subnet IP address on the other, new vlan 1645.
example:
vlan 1645
exit
int vlan 1645
ip add 10.17.168.1 255.255.255.0
exit
intrusion-detection module 1 data-port 1 access-vlan 1644
intrusion-detection module 1 data-port 2 access-vlan 1645
thanks,
Aman

Similar Messages

  • IDSM-2 inline VLAN pair mode

    My customer has voice, video and data VLANs. The customer wants only inter-VLAN data traffic to be inspected by IDSM-2 inline, while other VLAN traffic bypasses it to the FWSM and then to the WAN.
    Is that possible with Inline VLAN pair mode?
    I read the cisco document which states as below
    "You can configure IDSM-2 to simultaneously bridge up to 255 VLAN pairs on each data port. IDSM-2 replaces the VLAN ID field in the 802.1q header of each packet with the ID of the VLAN on which the packet is forwarded. It drops any packets received on VLANs that are not assigned to an inline VLAN pair."
    The last statement says it will drop all other vlan traffic which are not assigned to any inline vlan pair?
    Regards
    Vinod

    You can bypass the analysis engine when inline bypass is activated, allowing traffic to flow through the inline interfaces and inline VLAN pairs without inspection. Inline bypass ensures that packets continue to flow through the sensor when the sensor processes are temporarily stopped for upgrades or when the sensor monitoring processes fail. But not always.

  • IDSM-2 inline vlan pair mode configs

    Dear all,
    1. Is it possible to associate 2 VLANs (to be paired) on 2 different data ports on the IDSM instead of pairing them on a single data port on the IDSM, and to configure these 2 ports on the CAT6509 as access ports instead of trunk? Will this work?
    2. Bypass mode is ON by default (AUTO) in IDSM-2 inline VLAN pair mode, but when I am testing the bypass it's not happening. Can anyone please guide me on what the reason could be?
    Regards,
    Akhtar

    You can bypass the analysis engine when inline bypass is activated, allowing traffic to flow through the inline interfaces and inline VLAN pairs without inspection. Inline bypass ensures that packets continue to flow through the sensor when the sensor processes are temporarily stopped for upgrades or when the sensor monitoring processes fail. But not always.

  • Virtex6:Configuration data download to FPGA was not successful. DONE did not go high, please check your configuration setup and mode settings

    Hello,everyone.
    I am using virtex6 FPGA and trying to download mcs file to PROM and have failed.
    I download .bit file to FPGA and succeed.
    When i try to download .mcs file to PROM XCF128X-FTG64C(BPI Flash) and choose Slave SelectMAP Mode
    and the process is about 68% it fails.
    The message shown in iMPACT is as follows:
    done.
    PROGRESS_END - End Operation.
    Elapsed time =      0 sec.
    // *** BATCH CMD : identifyMPM
    // *** BATCH CMD : assignFile -p 1 -file "C:/Users/Administrator/Desktop/TEST/LED/led.bit"
    '1': Loading file 'C:/Users/Administrator/Desktop/TEST/LED/led.bit' ...
    done.
    INFO:iMPACT:2257 - Startup Clock has been changed to 'JtagClk' in the bitstream stored in memory,
    but the original bitstream file remains unchanged.
    UserID read from the bitstream file = 0xFFFFFFFF.
    INFO:iMPACT:501 - '1': Added Device xc6vlx240t successfully.
    INFO:iMPACT - Current time: 2014/3/13 8:48:14
    // *** BATCH CMD : Program -p 1
    PROGRESS_START - Starting Operation.
    Maximum TCK operating frequency for this device chain: 66000000.
    Validating chain...
    Boundary-scan chain validated successfully.
    INFO:iMPACT - 1: Over-temperature condition detected! [ 230.52C >  120.00C]
    1: Device Temperature: Current Reading:  230.52 C, Max. Reading:  230.52 C
    1: VCCINT Supply: Current Reading:   2.997 V, Max. Reading:   2.997 V
    1: VCCAUX Supply: Current Reading:   2.997 V, Max. Reading:   2.997 V
    '1': Programming device...
     Match_cycle = NoWait.
    Match cycle: NoWait
     LCK_cycle = NoWait.
    LCK cycle: NoWait
    done.
    INFO:iMPACT:2219 - Status register values:
    INFO:iMPACT - 0011 1111 0111 1110 0100 1011 1100 0000
    INFO:iMPACT:579 - '1': Completed downloading bit file to device.
    INFO:iMPACT:188 - '1': Programming completed successfully.
     Match_cycle = NoWait.
    Match cycle: NoWait
     LCK_cycle = NoWait.
    LCK cycle: NoWait
    INFO:iMPACT - '1': Checking done pin....done.
    '1': Programmed successfully.
    PROGRESS_END - End Operation.
    Elapsed time =     23 sec.
    Selected part: XCF128X
    // *** BATCH CMD : attachflash -position 1 -bpi "XCF128X"
    // *** BATCH CMD : assignfiletoattachedflash -position 1 -file "C:/Users/Administrator/Desktop/TEST/LED/leda.mcs"
    INFO:iMPACT - Current time: 2014/3/13 8:49:32
    // *** BATCH CMD : Program -p 1 -dataWidth 16 -rs1 NONE -rs0 NONE -bpionly -e -v -loadfpga
    PROGRESS_START - Starting Operation.
    Maximum TCK operating frequency for this device chain: 66000000.
    Validating chain...
    Boundary-scan chain validated successfully.
    INFO:iMPACT - 1: Over-temperature condition detected! [ 230.52C >  120.00C]
    1: Device Temperature: Current Reading:  230.52 C, Max. Reading:  230.52 C
    1: VCCINT Supply: Current Reading:   2.997 V, Max. Reading:   2.997 V
    1: VCCAUX Supply: Current Reading:   2.997 V, Max. Reading:   2.997 V
    '1': BPI access core not detected. BPI access core will be downloaded to the device to enable operations.
    INFO:iMPACT - Downloading core file D:/Xilinx/14.3/ISE_DS/ISE/virtex6/data/xc6vlx240t_jbpi.cor.
    '1': Downloading core...
     Match_cycle = NoWait.
    Match cycle: NoWait
     LCK_cycle = NoWait.
    LCK cycle: NoWait
    done.
    INFO:iMPACT:2219 - Status register values:
    INFO:iMPACT - 0011 1111 0111 1110 0100 1011 1100 0000
    INFO:iMPACT:2492 - '1': Completed downloading core to device.
    Current cable speed is set to 6.000 Mhz.
    Cable speed is default to 3Mhz or lower for BPI operations.
    Current cable speed is set to 3.000 Mhz.
    Setting Flash Control Pins ...
    Setting Configuration Register ...
    Populating BPI common flash interface ...
    Common Flash Interface Information Query completed successfully.
    INFO:iMPACT - Common Flash Interface Information from Device:
    INFO:iMPACT - Verification string:  51 52 59
    INFO:iMPACT - Manufacturer ID:         49
    INFO:iMPACT - Vendor ID:              01
    INFO:iMPACT - Device Code:            18
    Setting Flash Control Pins ...
    Using x16 mode ...
    Setting Flash Control Pins ...
    Setting Configuration Register ...
    '1': Erasing device...
    '1': Start address = 0x00000000, End address = 0x008CE03B.
    done.
    '1': Erasure completed successfully.
    Setting Flash Control Pins ...
    Using x16 mode ...
    Setting Flash Control Pins ...
    Setting Configuration Register ...
    INFO:iMPACT - Using Word Programming.
    '1': Programming Flash.
    done.
    Setting Flash Control Pins ...
    '1': Flash Programming completed successfully.
    Using x16 mode ...
    Setting Flash Control Pins ...
    Setting Configuration Register ...
    '1': Reading device contents...
    done.
    '1': Verification completed.
    Setting Flash Control Pins ...
    Current cable speed is resumed to 6.000 Mhz.
    '1': Configuration data download to FPGA was not successful. DONE did not go high, please check your configuration setup and mode settings.
    Elapsed time =    814 sec.
    and I find many people have met the same thing. But theirs are Spartan series FPGAs, and I tried to lower the resistances of the Mode pins M0, M1 and M2, but the problem has not been solved.
    I have read the status registers and found there is an over-temperature state,
    and in iMPACT I could not read back the registers. It is strange.
    I am anxious about this problem and have not solved it yet.
    What reasons may it be?
    Hope for your answer, thank you

    Hi~I want to know if you solve the configuration problem for virtex-6?
    As I encounter the  same configuration problem, I want to consult  you with some question.
    Can I have your email?
    gszakacs wrote:
    I have measured the VCCINT and find it is 1.0V, not 2.997V;
    That is not at all surprising.  I always assumed the problem is with reading the XADC (system monitor) block and not with the voltage or temperature.
    my Reference board is ML605
    That would have been nice to know at the beginning...
    It seems that you have selected the correct mode, assuming your jumpers are set as required in the ML605 Hardware User's Guide.  See table 1-27, table 1-33 and the note below it about switch S1.
    I'm not that familiar with the details of this reference design, but it may be that the slave SelectMap circuitry requires a reset or power cycle to actually configure the FPGA.  Have you tried power-cycling to see if the FPGA boots from the flash?
    I'd also suggest that you select the V6 in the JTAG chain view, then go to the debug menu of Impact and select Read Device Status (this is from memory, but it's something like that).  That will not only show the bits of the configuration status register, but also describe what each bit means.  Among other things you can check the state of the FPGA's configuration logic and the Mode pins.
     

  • Best practice Forms 10g configuration setup and tuning

    Hi,
    We are currently deploying forms 10g from 6i client/server version. Users are experiencing Form hangups and hour glasses. This does not happen that often but can happen any time, anywhere in the app (users do inserts, updates and deletes and queries).
    Is there a baseline best practice configuration setup anywhere either in the Forms side or the AppServer side of things?
    Here is our setup:
    Forms 10g (9.0.4)
    Reports 10g (9.0.4)
    Oracle AppServer 10g (9.0.4)
    OS = RedHat Linux
    Client Workstations run on Windows 2000 and XP w/ Internet Explorer 6 or higher
    Average No. of users = 250
    Thanks for all your help

    Shutdown applications within the guest.
    Either power off from Oracle VM Manager or 'xm shutdown xxx' from the command line
    It is possible one or more files could be open when the shutdown is initiated.
    Have found at least one case of misconfigured IP which would have resulted in the disk access being via the 'Front End' interface rather than the Back End.
    Thanks

  • Configuration setup for Low Value asset 'Investment support measures'

    Hi all
    User requested us to enable the ‘investment support measures’ option for low value asset for that if any configuration setup is required to enable the option for low value asset.
    Please help us to resolve the above issue and attached screen shot for your reference.
    Note: In high value asset user is able to view the ‘investment support measures’ option.
    Regards
    K.Gunasekar

    Thanks
    1. Our current requirement is adding new grant book leg to LVC Class.
    2. what will be the impact to our existing assets database?
    if not can we follow the below step
    we will need to create new LVA class so that grant book leg for LVA can be created. In this case, we will need to transfer assets from the existing LVA class to new LVA class. 
    Please clarify

  • Workflow Configuration Setup.

    Hello,
    I need to carry out the initial Workflow Configuration setup for Workflow on the development box.
    Need some help.
    1. List of steps that I need to execute to setup workflow configuration.
    2. User Roles that my sap userid should have to execute Workflow Configuration setup. for example for automatic configuration.
    Thanks

    As far as I am aware I am fully complying to forum guidelines.
    I did not attack
    I did not use abusive language
    I did search before I posted
    And I did not insult.
    I did give an opinion and I did ask a question.
    It's up to you to answer that question in the affirmative, negative or even refrain from answering at all.
    Your choice.
    I, as a professional have been frequenting this forum for quite some time AND have been giving some of my vast knowledge and experience back to this otherwise wonderful community. (see questions:answers ratio )
    It might be my problem but whenever someone decides to post a question in a forum I project my own professionalism and ethics and read the post as if I could have posted it.
    Call me arrogant but the very least I expect is that the questioner has put some effort into trying to find the answer for him-, or herself before posting a question.
    And I hazard to guess that that is the gist that the other Rob is hinting at.
    Cheers, have a wonderful life and always endeavor to be the best,
    Rob Dielemans

  • Withholding configuration setup at receipt from customer level

    Hi
    This is regarding the WHT configuration setup
    when customer deduct TCS and pay the amount, i have configured all the necessary steps
    while invoice level, WHT function is working, but not at receipt entry level
    suggest me on this what suppose to do
    Regards
    Govind
    Edited by: Govinda Avula on Apr 29, 2008 3:16 PM

    Hi,
    Generally you can use the same tax types and codes for customers as the vendor. But I would advise you to have the tax codes separate so that when you assign accounts for posting, you can assign different GL accounts as per the tax codes.
    Note: one issue i faced in using withholding taxes for customers were the differences in the tax deducted by SAP and the tax deducted by the customer. In SAP we might round it off but the customer might not do so. Then you have a problem trying to reconcile the right amount especially when the customer makes a payment against more than one invoice.
    Hope this helps.
    Thanks and Regards,
    Anit

  • Standard Configuration setup stalled...

    So my standard configuration setup seems to be stuck.
    I've tried rebooting and it makes me go through the quick setup again. Though it won't ever finish. Is there a way to skip this part or should I just do ANOTHER clean install?

    Just ended up doing another fresh install. Don't mess with the machine while it's finishing the setup.

  • Reg:Configuration&Setup guide

    Hi,
    In our troupe we have implemented one Application (Java/ Oracle) for clients.
    And we need to prepare configuration/setup guide for this application
    So What information i need to mention in that guide.
    could you please help me in this..

    Rajakumar,
    There are almost an infinite number of ways to configure IM, depending on the business processes your client intends to implement.
    Start with SAP Best practices config guide for [Materials Management|http://help.sap.com/bp_bl603/BBLibrary/Documentation/104_BB_ConfigGuide_EN_IN.doc].
    Other BP guides at [Best Practices (India)|http://help.sap.com/bp_bl603/BBLibrary/Content_Library_BL_EN_IN.htm]
    Rgds,
    DB49

  • HT1430 how long does the configure setup take when u first turn on the IPAD?  mine seems stuck at the language choice.  HELP

    How long does the configure setup take when u first turn on the IPAD?  Mine seems to be stuck in the language choice.  Help!

    It should not be stuck at the language choice. Is there a "Next" button in the upper right corner? Or a blue arrow pointing to the right?

  • Diff between BPELConsole and BPELAdmin (Configuration setup)?

    What is the difference between the Configuration setup in BPELConsole und BPELAdmin?
    Which one has priority?
    Peter

    Configuration section in the BPEL Console is used to configure that particular domain for example logging level of that domain whereas BPELAdmin is for managing the domains, like creating a domain, deleting a domain, etc. Hth.

  • IDSM-2 Inline VLAN configuration issue

    The SVR is on VL60, the PC is on VL80.
    So, PC(.25--VL81--GE0/7--VL80--SVI 80--SVI60--VL60--SVR(.10)
    Sensor interface GigabitEthernet0/7 is assigned to trunk all Vlans 1-4094
    CAT65K-PODX#sh ru | in intrusion
    intrusion-detection module 6 management-port access-vlan 99
    intrusion-detection module 6 data-port 1 trunk allowed-vlan 1-4094
    CAT65K-PODX#
    The interface is assigned to vs0.
    All I am seeing is "unknown 802.1d" when I look at the interface instead of the continuous ping I have from the PC to the SVR. (80.25 to 60.10)
    CAT65K-PODX#ses sl 6 pr 1
    The default escape character is Ctrl-^, then x.
    You can also type 'exit' at the remote prompt to end the session
    Trying 127.0.0.61 ... Open
    login: cisco
    Password:
    Last login: Mon Oct 23 18:16:06 from 127.0.0.51
    ***NOTICE***
    This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to [email protected].
    ***LICENSE NOTICE***
    There is no license key installed on the system.
    The system will continue to operate with the currently installed signature set. A valid license must be obtained in order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
    IDSM2-PODX# pack disp gi
    gigabitEthernet0/2 gigabitEthernet0/7 gigabitEthernet0/8
    IDSM2-PODX# pack disp gigabitEthernet0/7
    Warning: This command will cause significant performance degradation
    tcpdump: WARNING: ge0_7: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ge0_7, link-type EN10MB (Ethernet), capture size 65535 bytes
    18:35:17.968178 802.1d unknown version
    0x0000: 0180 c200 0000 0016 9dab 3346 8100 e001 ..........3F....
    0x0010: 0079 4242 0300 0003 027c 1000 000f f863 .yBB.....|.....c
    0x0020: 8400 0000 0000 1000 000f f863 8400 8287 ...........c....
    0x0030: 0000 1400 0200 0f00 0000 5000 6369 7363 ..........P.cisc
    0x0040: 6f00 0000 0000 0000 0000 0000 0000 0000 o...............
    0x0050: 0000 0000 0000 0000 0000 0000 0001 46b6 ..............F.
    0x0060: c0ce 9a01 9392 94e2 dcc9 ca1b 3291 0000 ............2...
    0x0070: 0000 1000 000f f863 8400 147c 80 .......c...|.
    18:35:19.968666 802.1d unknown version
    0x0000: 0180 c200 0000 0016 9dab 3346 8100 e001 ..........3F....
    0x0010: 0079 4242 0300 0003 027c 1000 000f f863 .yBB.....|.....c
    0x0020: 8400 0000 0000 1000 000f f863 8400 8287 ...........c....
    0x0030: 0000 1400 0200 0f00 0000 5000 6369 7363 ..........P.cisc
    0x0040: 6f00 0000 0000 0000 0000 0000 0000 0000 o...............
    0x0050: 0000 0000 0000 0000 0000 0000 0001 46b6 ..............F.
    0x0060: c0ce 9a01 9392 94e2 dcc9 ca1b 3291 0000 ............2...
    0x0070: 0000 1000 000f f863 8400 147c 80 .......c...|.
    2 packets captured
    2 packets received by filter
    0 packets dropped by kernel
    IDSM2-PODX#
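
The frame shown in the packet display output above can be decoded field by field to see what the sensor port is actually receiving. This is an added example, not part of the original post: the bytes are copied from the first hex dump, the offsets follow the standard 802.1Q tag and spanning-tree BPDU layouts, and the function names are hypothetical.

```python
import struct

# Frame bytes copied from the first hex dump in the post above. The dump shows
# 125 bytes, so the frame is cut off after the start of the first MSTI record.
CAPTURED_HEX = """
0180 c200 0000 0016 9dab 3346 8100 e001
0079 4242 0300 0003 027c 1000 000f f863
8400 0000 0000 1000 000f f863 8400 8287
0000 1400 0200 0f00 0000 5000 6369 7363
6f00 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0001 46b6
c0ce 9a01 9392 94e2 dcc9 ca1b 3291 0000
0000 1000 000f f863 8400 147c 80
"""

BPDU_VERSIONS = {0: "STP", 2: "RSTP", 3: "MSTP"}
BPDU_TYPES = {0x00: "configuration", 0x02: "RST/MST", 0x80: "topology change"}


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def bridge_id(raw):
    """Split an 8-byte bridge identifier into priority, system ID extension, MAC."""
    (prio,) = struct.unpack("!H", raw[:2])
    return {"priority": prio & 0xF000, "sys_id_ext": prio & 0x0FFF, "mac": mac(raw[2:8])}


def decode_frame(frame):
    """Decode one Ethernet frame far enough to tell user data from an STP BPDU."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    out = {"dst": mac(frame[0:6]), "src": mac(frame[6:12]), "vlan": None, "pcp": None}
    off = 12
    (etype,) = struct.unpack("!H", frame[off:off + 2])
    if etype == 0x8100:                        # 802.1Q tag: 3-bit PCP, 1-bit DEI, 12-bit VID
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        out["pcp"], out["vlan"] = tci >> 13, tci & 0x0FFF
        off = 16
        (etype,) = struct.unpack("!H", frame[off:off + 2])
    off += 2
    if etype >= 0x0600:                        # Ethernet II: the field is an EtherType
        out.update(kind="ethernet-ii", ethertype=etype)
        return out
    if frame[off:off + 3] != b"\x42\x42\x03":  # LLC DSAP/SSAP 0x42 = spanning tree
        out["kind"] = "llc-other"
        return out
    bpdu = frame[off + 3:]
    if len(bpdu) < 4:
        raise ValueError("truncated BPDU header")
    proto, version, btype = struct.unpack("!HBB", bpdu[:4])
    out.update(kind="bpdu", protocol_id=proto, version=version,
               version_name=BPDU_VERSIONS.get(version, "unknown"),
               bpdu_type=BPDU_TYPES.get(btype, "unknown"))
    if btype in (0x00, 0x02) and len(bpdu) >= 35:
        out["root"] = bridge_id(bpdu[5:13])
        (out["root_path_cost"],) = struct.unpack("!I", bpdu[13:17])
        out["bridge"] = bridge_id(bpdu[17:25])
        # Timers are carried in units of 1/256 second.
        _, max_age, hello, fwd = struct.unpack("!4H", bpdu[27:35])
        out.update(max_age_s=max_age / 256, hello_s=hello / 256, forward_delay_s=fwd / 256)
    if version == 3 and len(bpdu) >= 73:       # MST configuration identifier
        out["mst_region"] = bpdu[39:71].rstrip(b"\x00").decode("ascii", "replace")
        (out["mst_revision"],) = struct.unpack("!H", bpdu[71:73])
    return out


def captured_frame():
    """Return the bytes of the frame copied from the post."""
    return bytes.fromhex("".join(CAPTURED_HEX.split()))


if __name__ == "__main__":
    for key, value in decode_frame(captured_frame()).items():
        print(f"{key:16} {value}")
```

For the frame in the post this reports an 802.1Q-tagged BPDU on VLAN 1 with protocol version 3 (MSTP) and MST region name "cisco", that is, switch spanning-tree traffic rather than the ICMP echo between the PC and the server.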

    exit
    signatures 60000 0
    alert-severity medium
    sig-fidelity-rating 75
    sig-description
    sig-name BadICMP
    sig-string-info BadICMP
    sig-comment BadICMP
    exit
    engine atomic-ip
    event-action produce-alert|log-attacker-packets
    specify-l4-protocol yes
    l4-protocol icmp
    specify-icmp-code yes
    icmp-code 8
    exit
    exit
    exit
    specify-ip-addr-options yes
    ip-addr-options ip-addr
    specify-src-ip-addr yes
    src-ip-addr 10.1.80.25
    exit
    exit
    exit
    exit
    exit
    signatures 60001 0
    alert-severity high
    sig-fidelity-rating 75
    sig-description
    sig-name Block BadICMP
    sig-string-info Block BadICMP
    sig-comment Block BadICMP
    exit
    engine atomic-ip
    event-action produce-alert|request-block-host
    specify-l4-protocol yes
    l4-protocol icmp
    specify-icmp-seq no
    specify-icmp-type no
    specify-icmp-code yes
    icmp-code 0
    exit
    specify-icmp-id no
    specify-icmp-total-length no
    exit
    specify-payload-inspection no
    exit
    specify-ip-payload-length no
    specify-ip-header-length no
    specify-ip-tos no
    specify-ip-ttl no
    specify-ip-version no
    specify-ip-id no
    specify-ip-total-length no
    specify-ip-option-inspection no
    specify-ip-addr-options yes
    ip-addr-options ip-addr
    specify-src-ip-addr yes
    src-ip-addr 10.1.80.25
    exit
    specify-dst-ip-addr no
    exit
    exit
    exit
    event-counter
    specify-alert-interval no
    exit
    alert-frequency
    summary-mode summarize
    specify-global-summary-threshold no
    exit
    exit
    status
    enabled false
    exit
    exit
    signatures 60002 0
    alert-severity high
    sig-fidelity-rating 75
    sig-description
    sig-name WatchHTTP
    sig-string-info WatchHTTP
    sig-comment WatchHTTP
    exit
    engine service-http
    service-ports 80,443
    exit
    status
    enabled false
    exit
    exit
    signatures 60003 0
    alert-severity high
    sig-fidelity-rating 75
    sig-description
    sig-name LogICMP
    sig-string-info BadICMP
    sig-comment BadICMP
    exit
    engine atomic-ip
    event-action produce-alert|log-pair-packets
    specify-l4-protocol yes
    l4-protocol icmp
    specify-icmp-seq no
    specify-icmp-type no
    specify-icmp-code no
    specify-icmp-id no
    specify-icmp-total-length no
    exit
    specify-payload-inspection no
    exit
    specify-ip-payload-length no
    specify-ip-header-length no
    specify-ip-tos no
    specify-ip-ttl no
    specify-ip-version no
    specify-ip-id no
    specify-ip-total-length no
    specify-ip-option-inspection no
    specify-ip-addr-options yes
    ip-addr-options ip-addr
    specify-src-ip-addr yes
    src-ip-addr 10.1.80.25
    exit
    specify-dst-ip-addr no
    exit
    exit
    exit
    event-counter
    specify-alert-interval no
    exit
    alert-frequency
    summary-mode summarize
    specify-global-summary-threshold no
    exit
    exit
    status
    enabled false
    exit
    exit
    exit
    service ssh-known-hosts
    rsa1-keys 10.1.80.1
    length 512
    exponent 65537
    modulus 991855327191948068336083262027767630211536570646048046207473086001594287
    45731517042852081906588402062478059658578012089704942074191546123977278518597538
    73
    exit
    exit
    service trusted-certificates
    exit
    service web-server
    port 443
    exit
    IDSM2-PODX#

  • IDSM-2 capture configuration

    Hi friends,
    I have enabled capture on the IDSM data-port 1 (Gig0/7). Now, i want to use data port 2 (Gig 0/8) also to capture another segment.
    A snippet of my current config is as follows:
    ip access-list extended MATCHALL
    permit ip any any
    vlan access-map CAPTUREALL 10
    match address MATCHALL
    action forward capture
    vlan-filter CAPTUREALL vlan-list x
    intrusion-detection module 3 management-port access-vlan 5
    intrusion-detection module 3 data-port 1 capture
    intrusion-detection module 3 data-port 1 capture allowed-vlan 1-4094
    intrusion-detection module 3 data-port 1 autostate include
    intrusion-detection module 3 data-port 1 portfast enable
    My question is:
    If i enable data port 2, then how do i bind a VACL to data port 2 only?
    Thanks a lot
    Gautam

    You can't bind a VACL to a particular data port.
    You can only tell a capture port what vlans to monitor. The capture port will monitor all captured packets from those vlans regardless of what VACL was used to mark those packets as capture packets.
    Your data-port 1 is already monitoring all 4094 vlans so there are no additional vlans that data-port 2 would need to capture packets for.
    If your switch does routing then your configuration is correct. Even though the VACL is applied to a limited set of a vlan-list X, the packets marked for capture could wind up being routed to any vlan and so all vlans have to be monitored.
    NOW you could add additional vlans to your existing vlan-list, or even create another VACL and apply it to a separate vlan list. BUT in either case your data-port 1 would already be configured for monitoring them.
    If your switch is NOT doing routing (pretty rare these days), then you do have an alternative. You can change the "capture allowed-vlan" list for data-port 1 to be the same "vlan-list X" that your VACL is assigned to. Then you can create a new VACL and assign it to a list Y, and configure data-port 2 to be a capture port for allowed-vlan list Y.
    But this really doesn't gain you a whole lot. You could just simply add vlan list Y to data-port 1 and still monitor everything with data-port 1.
    Data-port 2 doesn't really gain you much as a 2nd capture port.
    Where data-port 2 comes in handy is when you want to do a different type of monitoring.
    Data-port 2 could be setup as a Span or Rspan destination port.
    OR data-port 2 could be setup for InLine monitoring with InLine Vlan Pairs.
    It is only when you need the second type of monitoring that you can really make use of data-port 2.
    For capturing traffic on additional vlans you can just continue to use data-port 1.

  • Diverting traffic to IDSM for inline IPS mode

    I have a catalyst 6500 switch containing FWSM and IDSM-2 module. Vlan 1000 is the outside interface for the fwsm to which all business servers are mapped (vlan 900, inside interface of fwsm).
    I want to inline IPS all the traffic going to these business servers.
    I have no issue with IPS configuration.
    Could you please guide me with a configuration for 6500 switch for diverting this traffic.
    I can provide 6500 configs if required.
    An example would be appreciated.

    I'm not sure if this is relevant to your situation, but here is how I have a gateway 6K switch set up with an external 4255 IPS device. You should be able to substitute the IDSM2 though.
    Internet -> port 1/2 Vlan 5 -> port 3/1 Vlan 5 -> 4255 vlan pair to -> port 3/2 Vlan 2 -> MSFC Route Module -> rest of vlans internal...
    What I am doing is bringing my uplink in on a physical port that is in Vlan 5. I put one side of my IPS sensor into Vlan 5. These two ports are the only ports in Vlan 5. The IPS sensor port is vlan paired through the sensor to a port in Vlan 2. From this point, my MSFC route module has virtual interfaces for Vlan 2 and all of the rest of my internal Vlans. There is no route entry for Vlan 5, it is a pure switching vlan.
    What I like about this setup is that the IPS is transparent. If I have a problem with my IPS device or if I am doing an image upgrade, I can move the vlan for port 1/2 into Vlan 2 and logically bypass the IPS device...taking it out of inline without having to change anything else in the switch config and only having to wait for the spanning tree to converge.
    For the IDSM2, since the ports are trunk ports, you'd want to set the native vlan to the target vlan of each port and set the allowed vlans to just the target vlan of each port (ports 7 & 8).
    Hope this is useful,
    Scott
