IDSM-2 sensing ports errorDisabled

Hi - I have a number of IDSM-2 cards I've recently upgraded from 4.x code to 5.1.1 IPS code. Since the upgrade, I am having frequent issues with the sensing interfaces (gigabitEthernet0/7 and 0/8) going errorDisabled. Of course I am not able to do a "set port enable" on those, so a reset of the card is required to get it going again. I've noticed if I don't span any traffic to the ports, they stay up (and stay useless as well). This is happening in 4 cards, all in CAT6500 switches. Are there any suggestions you can offer? Thanks!

James, Not that this will make you feel any better, but this is the exact problem I'm running into at a customer site. Coincidentally, they had just upgraded to 5.1.1 code also. Of course the port counters on the Cat6500 stay clean; they errdisable with a reason of "other". The Cat6500 is running CatOS 8.4.
Has anyone else run into this and know of the cause?
Your help is appreciated.

Similar Messages

  • IDSM-2 -Sensing Interfaces go down and up continously

    Hi there.
    Apparently the sensing interfaces of our Cisco IDSM-2 are having issues with link status.
    Recently I've been getting these events in the console of the Catalyst switch where the IDSM-2 is installed:
    %LINK-SP-3-UPDOWN: Interface GigabitEthernet2/7, changed state to down
    %LINK-SP-3-UPDOWN: Interface GigabitEthernet2/7, changed state to up
    Not getting too much information with that led me to look into the IDS logs and we got:
    GigabitEthernet0/7 : Link is down.
    Inline data bypass has started
    A few milliseconds later:
    Inline data bypass has stopped
    We are getting these up and down link status messages every two hours. I've already checked for possible attacks in the time ranges around the time we get these messages, and there seem not to be any that pose a risk of shutting down a gigabit interface.
    Could this be a normal behavior every now and then?
    Thanks

    There's nothing you can do to speed it up. It just has to run and finish. Don't interrupt it.
    Regards
    TD

  • IDSM-2 data-ports

    Hi,
    I have taken over managing a 6500 IDSM-2 implementation; as far as I can see it has been configured in promiscuous mode with a single virtual sensor assigned to both data ports 0/7 & 0/8.
    The switch has been configured with the following commands:
    intrusion-detection module 8 management-port access-vlan 507
    intrusion-detection module 8 data-port 1 access-vlan 507
    monitor session 66 source vlan 501 - 509 , 518 - 520 , 601 - 613
    monitor session 66 destination intrusion-detection-module 8 data-port 2
    Can anyone tell me why the second command utilises data port 1 and the bottom command utilises data port 2? Is this valid and recommended?
    Thanks
    D

    So a little bit about IDSM architecture.
    IDSM has one management or command and control port (gig0/2) and 2 data ports (gig0/7 & gig0/8)
    These ports on IDSM connect to the 6500 over the backplane.
    IDSM Gig0/7 connects to Data-port 1 on 6500.
    IDSM Gig0/8 connects to Data-port 2 on 6500.
    The configuration involves two things:
    1. Configuring IDSM (Date, Time, Assigning virtual sensors to interfaces, signature tuning etc...)
    2. Configuring 6500 to send traffic to IDSM.
    Are you planning to put the IDSM in promiscuous or inline mode ?
    The configuration on the 6500 is different for both the modes.
    Configuration:
    intrusion-detection module 8 management-port access-vlan 507
    This puts the management port in vlan 507
    intrusion-detection module 8 data-port 1 access-vlan 507
    Puts data-port 1 in vlan 507. This is typically done in inline mode.
    monitor session 66 source vlan 501 - 509 , 518 - 520 , 601 - 613
    monitor  session 66 destination intrusion-detection-module 8 data-port 2
    This is a span configuration which is sending a copy of the data from the vlans to data-port 2.
    This is done when IDSM operates in promiscuous mode.
    So in your case, the correct configuration on 6500 to send traffic to IDSM depends which mode you want the IDSM to run in.
    Please check the link below which will explain how to configure 6500 for promiscuous or inline mode IDSM configuration.
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html
    Let me know if you have any questions.
    - Sid

  • IDSM2 with FWSM with contexts

    Hiya,
    I'm not a Security guy so keep it simple!
    If deploying a FWSM with multiple contexts, and you have an IDSM-2 installed:
    Does the IDSM need to be split into contexts to match the FWSM contexts?
    If not, does it monitor the backplane traffic and not care about the multiple contexts?

    Hi .. by looking at your diagram .. I suggest to try placing the IDSM-2 so that traffic is inspected after the firewall policies have been checked otherwise you might end up inspecting traffic that will be blocked by the firewall anyway. You also need to create what is called boundary VLANs so that your IDSM bridges the traffic between the inline VLANs... Confused ..?
    It gets a bit "blue" when you try inspecting inline on a module. For example, let's say you have Context1 with interfaces VLAN10 (outside) and VLAN20 (inside). You would have to create another VLAN30 (boundary VLAN). You then need to allocate the devices ONLY (not the ASA's interface) from VLAN20 to VLAN30 (only change VLAN membership and not the IP scheme). Next, on one of the IDSM-2 sensing ports you need to create a VLAN inline pair (it uses subinterfaces) which bridges VLAN20 <-> VLAN30. In that way traffic to/from your inside devices will traverse the IDSM-2 before reaching its destination.
    I suggest you to create a test context, allocate the 2 VLANS, Create the VLAN inline pair on the IDSM-2 and test.. Once you are happy you can replicate the same configuration for the production contexts.
    Below a brief example what you need to do for each context
    sensor# configure terminal
    sensor(config)# service interface
    sensor(config-int)# physical-interfaces GigabitEthernet0/7
    sensor(config-int-phy)# admin-state enabled
    sensor(config-int-phy)# description INT1
    sensor(config-int-phy)# subinterface-type inline-vlan-pair
    sensor(config-int-phy-inl)# subinterface 1
    sensor(config-int-phy-inl-sub)# vlan1 52
    sensor(config-int-phy-inl-sub)# vlan2 53
    sensor(config-int-phy-inl-sub)# description pairs vlans 52 and 53
    sensor(config-int-phy-inl-sub)# show settings
    subinterface-number: 1
    description: VLANpair1 default:
    vlan1: 52
    vlan2: 53
    sensor(config-int-phy-inl-sub)# exit
    sensor(config-int-phy-inl)# exit
    sensor(config-int-phy)# exit
    sensor(config-int)# exit
    Apply Changes:?[yes]:
    I hope it helps ... please rate it if it does !!!

  • IDSM on catalyst 6500 to provide IOS Inline mode support

    I am currently evaluating what kind of method to apply in my 6500. I would like to ask if IOS Version 12.2(33)SXI2a supports inline mode and inline VLAN pair mode with IDSM-2. What configuration should be done on the switch in order for the multiple-VLAN traffic to flow through an inline interface of the IDSM-2? In my case I have 16 user VLANs and 1 server VLAN on the Catalyst 6500. The task is to protect the servers from users. The requirement is to configure inline mode to monitor the traffic from these 16 VLANs when they access the servers. But as we know the IDSM-2 has only two logical sensing ports. So my question is, how will you configure the switch to forward the traffic from these 16 VLANs to the IDSM-2 module via only ONE sensing port, since the other sensing port will be configured in the server VLAN? Because as far as I know, when you configure inline mode on IOS you have to configure the sensing ports in access mode (while in CatOS you configure these as TRUNK ports). But this will work when you have only two VLANs. In my case, I have 16 VLANs to monitor in inline mode. Please suggest any solution.
    Any urgent reply will be much appreciated.
    Many Thanks in advance

    Hi Mubin,
       If you're looking to monitor all the traffic from the user VLANs to the server VLANs then the simplest way to configure the IDSM-2 would be inline on the server VLAN segment.  All traffic destined to the servers (from the users or anywhere else) has to traverse that VLAN.  Assuming you have something like this to start:
    VLAN 100-120 (users) ====== Switch ------ VLAN 200 (servers)
    you'd drop the IDSM-2 inline on VLAN 200 by using a helper VLAN:
    VLAN 100-120 (users) ====== Switch ----- VLAN 201 (server gateway) ----- IDSM-2 (bridging 201 to 200) ----- VLAN 200 (servers)
    To do this you'll need to perform the following steps:
    1.  Designate a new VLAN to use as a helper VLAN for your current server VLAN.  I'll use 201 for this example and assume your current server VLAN is 200.
    Create the helper VLAN on the switch:
    switch# conf t
    switch(config)# vlan 201
    2.  Configure the IDSM-2 to bridge the helper VLAN and the server VLAN (200-201)
    sensor# conf t
    sensor(config)# service interface
    sensor(config-int)# physical-interfaces GigabitEthernet0/7
    sensor(config-int-phy)# admin-state enabled
    sensor(config-int-phy)# subinterface-type inline-vlan-pair
    sensor(config-int-phy-inl)# subinterface 1
    sensor(config-int-phy-inl-sub)# vlan1 200
    sensor(config-int-phy-inl-sub)# vlan2 201
    sensor(config-int-phy-inl-sub)# description Server-Helper pair
    sensor(config-int-phy-inl-sub)# exit
    sensor(config-int-phy-inl)# exit
    sensor(config-int-phy)# exit
    sensor(config-int)# exit
    Apply Changes:?[yes]:
    3.  Configure the switch to trunk the helper and server VLANs to the IDSM-2 module.  I assume the module is in slot 5 in the example.  Replace the 5 with the correct slot for your deployment:
    switch# conf t
    switch(config)# intrusion-detection module 5 data-port 1 trunk allowed-vlan 200,201
    switch(config)# intrusion-detection module 5 data-port 1 autostate include
    *Warning! This next step may cause an outage if everything is configured correctly.  You'll probably want to schedule a window to do this.*
    4.  Finally, force the traffic from the server VLAN through the IDSM-2 by moving the server VLAN gateway from VLAN 200 (where it is currently) to the helper VLAN you created.  To do this, remove the SVI from VLAN 200 and apply the same IP address to VLAN 201.  I assume the current server gateway is 192.168.1.1/24
    switch# conf t
    switch(config)#int vlan 200
    switch(config-int)#no ip addr
    switch(config-int)#int vlan 201
    switch(config-int)#ip addr 192.168.1.1 255.255.255.0
    switch(config-int)#exit
    switch(config)#exit
    switch# wr mem
    Now, when the servers try to contact 192.168.1.1 (their gateway) they'll have to be bridged through the IDSM-2 to reach VLAN 201 and in the process all traffic destined to them or sourced from them will be inspected.  Do not put any hosts or servers in the helper VLAN (201) or they will not be inspected.
    Best Regards,
    Justin

  • Basic configuration IDSM-2

    Hello,
    I have some experience with sensors but this is my first time configuring a C6500 with IDSM-2, and I have some design questions. The first question is this: can I mix the use of VACL and SPAN to capture traffic in the same configuration?
    Customer is actually using VACL to capture traffic from some machines, but he now wants to monitor all the traffic that comes from and external partner through a VPN concentrator, so I assume for this case I should use SPAN to monitor the VPN's port: am I right?
    The config that the customer has is more or less the following:
    intrusion-detection module 1 data-port 1 capture
    intrusion-detection module 1 data-port 1 capture allowed-vlan 1
    intrusion-detection module 1 data-port 2 capture allowed-vlan 1
    vlan access-map ids 10
    match ip address in
    action forward capture
    vlan access-map ids 20
    match ip address out
    action forward
    vlan filter ids vlan-list 1
    ip access-list extended in
    permit ip any host 192.168.1.1
    permit ip host 192.168.1.1 any
    ip access-list extended out
    permit ip any any
    If I want to use SPAN, which is the limitation in the number of source ports I can put in the "monitor session" command?
    Should I send this "span" traffic to the sensing interface 8 (data-port 2) or can I still sending it to the data-port 1 (sensing interface 7)?
    Why there are two sensing interfaces?
    Thanks in advance...
    Ruben

    Does it mean that I can only monitor completely (both directions)one port per monitoring session?
    Correct.
    Also, if I'm using data port 1 with VACL and data port 2 as destination for "monitor session 1", I suppose I cannot also use data port 2 as destination for "monitor session 2".
    An IDSM-2 Data Port can be the destination port for only a single monitor session.
    If this is true, this means that I can only monitor simultaneously rx and tx in a source port per catalyst box running this image.: am I right?
    Correct
    Does it makes sense to monitor only rx direction for ports connecting with FWs, VPNs and WAN routers or we should monitor both ways?
    If you are going to use port span, then you really need to monitor both tx+rx. The promiscuous sensor can be configured to work when monitoring just a single direction (like just rx), but the sensor will be prone to false positives and false negatives. The sensor really needs to see both directions of TCP connections in order to properly monitor them. To monitor single direction you configure the TCP Reassembly mode to be "asym" which is short for asymmetric. It is generally only used when the sensor is deployed in a network with asymmetric routes.
    I have noticed that in this case we cannot do what the customer wants unless we upgrade the customer's IOS to 12.2(18)SXE or later. With this newer IOS it is possible to have 128 tx or both sources!
    I haven't read the Span notes on the latest IOS releases. I am glad to hear that the number of both sources has been increased per session.
    Alternatives:
    The alternative to using "both" span on a port basis is to use an "rx" vlan span.
    But you have to be very careful with "rx" spans.
    If the vlan is strictly layer 2 (no ip address assigned to the switch for that vlan), then an "rx" span for the vlan will work well. All traffic coming IN from a firewall will be seen as "rx" packets on the firewall port. All traffic going OUT to the firewall will be seen as "rx" packets from the other switch port where they are entering the vlan. So all packets IN and OUT of the firewall would be seen.
    BUT if the switch itself Does have an IP Address on that vlan, and the switch routes between that vlan and other vlans, then this is no longer true.
    The span works well on physical ports, but the switch's IP Address is on a Virtual Interface in the vlan. This Virtual Interface does not play well with span in my past experience. The switch has a feature known as MLS (Multi-Layer Switching). The first packets for a TCP connection (the SYN and SYN ACK) are sent through the Virtual Interface for routing. An "rx" vlan span DOES catch these first packets coming from a Virtual Interface. BUT additional packets are affected by MLS. Instead of routing the packets through the Virtual Interface, the MLS kicks in and the packets are switched in hardware to the other vlan, and the packet never actually goes through the Virtual Interface. So the packet will NOT be seen by the "rx" span of the vlan.
    Most users DO use the switch for routing, and so my recommendation is generally to use both tx+rx with Port Span to get the traffic. BUT if you are NOT routing, then the alternative "rx" span on the Vlan will work as well.

  • IDSM-2 Deployment question?

    Hi,
    I have two 6500s in two different DCs, both with a single IDSM-2 module. Is it possible to join the modules logically together so they are sharing the traffic analysis, like you can if you put multiple cards within the same 6500 chassis?
    Regards M

    Supervisor Engines in the Catalyst 6500 series chassis recognize IDSM2 devices that are running IPS 5.x and greater as EtherChannel devices. This lets you install up to eight IDSM2 devices in the same chassis.
    The IDSM2 in the Catalyst 6500 series switch has eight internal ports.  Only four of these ports are used. Port 1 is a TCP/IP reset port. Port 2  is the command and control port. Ports 7 and 8 are the sensing ports  for Catalyst software and data ports 1 and 2 for Cisco IOS software. The  other ports are not used.
    The backplane is 1000 Mbps, which is why the IDSM2 shows 1000 Mbps even  though it can only handle about 600 Mbps of performance. ECLB allows up  to eight IDSM2 devices to participate in the load balancing on either  port 7 or port 8.
    more information is available here
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1210166
    Regards,
    Sachin

  • IDSM-2, inline and Passive mode in same Module?

    Hi, I have a question that may seem strange. In our network we have implemented an IDSM-2 module in our 6513 switch in inline mode. Without any discussion about network design, suppose that our network is going beyond the IDSM-2 throughput and we want to use the IDSM-2 for some traffic in passive mode instead of inline, to reduce the drop probability in inline mode. I mean, before this we were using IDSM-2 data port 1 (in VLAN pair mode); now can we use data port 2 for this purpose (capturing some traffic on data port 2 for passive operation)? In other words, can the IDSM-2 operate in this way?

    I found my answer in the IDSM-2 document: "You can mix sensing modes on IDSM-2. For example, you can configure one data port for promiscuous mode and the other data port for inline VLAN pair mode. But because IDSM-2 only has two data ports and inline mode requires the use of both data ports as a pair, you cannot mix inline mode with either of the other two modes." But something else: for doing such a thing, suppose that I have sig 2004 configured for inline traffic to deny the attacker inline; then this action doesn't make any sense for some data in passive mode, and suppose that for the kind of traffic on which the IDSM-2 is operating in passive mode I want to just send an alert. So can I use a different VS for doing this? Thanks.

  • How can i use IDSM-2 in inline mode for more than two VLANs?

    Can I use the IDSM-2 in inline mode as an IPS for more than two VLANs,
    like this, or not?
    intrusion-detection module 5 data port 1 access-vlan 10,20,30,40,50
    intrusion-detection module 5 data port 1 access-vlan 100,200
    Thank you all for your help.

    The IDSM-2 ports need to be configured as trunk ports with multiple vlans rather than as access ports.
    http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517eb.html#wp1068377
    And instead of creating an inline interface pair by pairing Gig0/7 with Gig0/8 within the IDSM-2 configuration, you would create inline vlan pairs.
    With an inline vlan pair you pair 2 vlans on the same interface.
    You can have up to 255 inline vlan pairs on each interface (assuming you keep the total traffic from all of the pairs within the IDSM-2's performance limit of around 500Mbps).
    How to create inline vlan pairs:
    http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517bb.html#wp1047852
    The other aspect you need to be aware of is that not all IOS versions will support configuring the IDSM-2 data ports as trunk ports for inline vlan pairs.
    Your best bet is to use 12.2(18)SXF4 or a later version on the 12.2(18)SXF train.
    The 12.2(33)SR train does not currently support the trunk feature for the IDSM-2.
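The helper-VLAN procedure in the earlier answer and the inline VLAN pair answer just above both come down to the same two pieces of configuration: a trunk on the 6500 data port carrying every paired VLAN, and one inline-vlan-pair subinterface per pair on the matching IDSM-2 sensing interface. The Python below is an added example, not Cisco tooling or anything posted in the thread: it validates a list of (vlan1, vlan2) pairs against the constraints stated above (each VLAN in at most one pair, the two VLANs of a pair distinct, at most 255 pairs per interface, VLAN ids in 1-4094) and emits the IOS and sensor CLI in the same form quoted in the answers. The data-port to GigabitEthernet0/7 and 0/8 mapping and the 255-pair limit are taken from this page; the function names, the slot numbers in the usage, and the description strings are my own.

```python
"""Generate Catalyst 6500 (IOS) and IDSM-2 CLI for inline VLAN pairs.

Added example, not Cisco's tooling.  The data-port/sensing-interface mapping
and the 255-pairs-per-interface limit come from the thread above; everything
else (function names, descriptions, sample VLAN numbers) is assumed.
"""

# Backplane mapping quoted in the thread: data-port 1 -> gig0/7, data-port 2 -> gig0/8
DATA_PORT_TO_SENSING_IF = {1: "GigabitEthernet0/7", 2: "GigabitEthernet0/8"}
MAX_PAIRS_PER_INTERFACE = 255          # limit stated in the answer above
VLAN_MIN, VLAN_MAX = 1, 4094


def validate_pairs(pairs):
    """Return a list of problems with [(vlan1, vlan2), ...]; an empty list means usable."""
    problems = []
    if not pairs:
        problems.append("no VLAN pairs given")
    if len(pairs) > MAX_PAIRS_PER_INTERFACE:
        problems.append(f"{len(pairs)} pairs exceeds {MAX_PAIRS_PER_INTERFACE} per interface")
    seen = {}                                      # vlan -> pair number that first used it
    for n, (a, b) in enumerate(pairs, start=1):
        for v in (a, b):
            if not VLAN_MIN <= v <= VLAN_MAX:
                problems.append(f"pair {n}: VLAN {v} out of range {VLAN_MIN}-{VLAN_MAX}")
        if a == b:
            problems.append(f"pair {n}: vlan1 and vlan2 are both {a}")
        for v in (a, b):
            if v in seen and seen[v] != n:
                problems.append(f"pair {n}: VLAN {v} already used in pair {seen[v]}")
            seen.setdefault(v, n)
    return problems


def vlan_list(vlans):
    """Compress VLAN ids into IOS allowed-vlan syntax, e.g. 10,200-201,300-302."""
    vlans = sorted(set(vlans))
    if not vlans:
        return ""
    ranges, start, prev = [], vlans[0], vlans[0]
    for v in vlans[1:]:
        if v == prev + 1:
            prev = v
            continue
        ranges.append((start, prev))
        start = prev = v
    ranges.append((start, prev))
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in ranges)


def _check(pairs, data_port):
    problems = validate_pairs(pairs)
    if data_port not in DATA_PORT_TO_SENSING_IF:
        problems.append("data-port must be 1 or 2")
    if problems:
        raise ValueError("; ".join(problems))


def switch_config(slot, data_port, pairs):
    """IOS commands for the 6500: trunk every paired VLAN to the module's data port."""
    _check(pairs, data_port)
    vlans = [v for pair in pairs for v in pair]
    return [
        f"intrusion-detection module {slot} data-port {data_port} "
        f"trunk allowed-vlan {vlan_list(vlans)}",
        f"intrusion-detection module {slot} data-port {data_port} autostate include",
    ]


def sensor_config(data_port, pairs):
    """IDSM-2 CLI: one inline-vlan-pair subinterface per (vlan1, vlan2) tuple."""
    _check(pairs, data_port)
    lines = [
        "configure terminal",
        "service interface",
        f"physical-interfaces {DATA_PORT_TO_SENSING_IF[data_port]}",
        "admin-state enabled",
        "subinterface-type inline-vlan-pair",
    ]
    for n, (a, b) in enumerate(pairs, start=1):
        lines += [f"subinterface {n}", f"vlan1 {a}", f"vlan2 {b}",
                  f"description pair {a}-{b}", "exit"]
    lines += ["exit", "exit", "exit"]       # back to config mode; answer yes to Apply Changes
    return lines


def helper_vlan_pairs(server_vlans, helper_vlans):
    """Pair each existing server VLAN with its new helper VLAN (the helper-VLAN design above).

    Helper VLANs must be new: a helper that is also a server VLAN would put
    hosts on the uninspected side of the bridge.
    """
    if len(server_vlans) != len(helper_vlans):
        raise ValueError("need one helper VLAN per server VLAN")
    clash = set(server_vlans) & set(helper_vlans)
    if clash:
        raise ValueError(f"helper VLANs collide with server VLANs: {sorted(clash)}")
    return list(zip(server_vlans, helper_vlans))


if __name__ == "__main__":
    # Assumed deployment: module in slot 5, server VLANs 200 and 300, helpers 201 and 301.
    pairs = helper_vlan_pairs([200, 300], [201, 301])
    print("\n".join(switch_config(5, 1, pairs)))
    print("\n".join(sensor_config(1, pairs)))
```

Moving the server gateway SVI onto the helper VLAN (step 4 of the earlier answer) is deliberately left out of the generator: that is the change that takes the segment down, and it belongs in a change window, not in a script.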

  • How to recover IDSM-2 password (without know any password)

    Hi,
    We have an IDSM-2 system card in a 6500 system. Unfortunately, we lost track of the login/password. I have read Cisco doc# 13837. It requires knowing either the admin username/password or the service username/password to do password recovery. I do not have that info (and tried). The last method suggested is to re-image the IDSM-2 (IOS). I am wondering if there is a better way to recover the password, like on other switches (such as holding a mode button to reboot the switch), without re-imaging. Here is the card info:
    "WS-SVC-IDSM-2 8 ports Intrusion Detection System Rev. 6.1"
    Any help would be greatly appreciated.
    gy

    A "re-image" is necessary, but it is not a standard re-image.
    Instead there is a special image file that ONLY sets the cisco password back to the default "cisco". It doesn't change anything else on the system.
    Download the password recovery image file WS-SVC-IDSM2-K9-a-6.1-password-recovery.bin.gz from:
    http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=6.1%281%29E1&mdfid=277997776&sftType=Intrusion+Prevention+System+%28IPS%29+System+Software&optPlat=&nodecount=29&edesignator=null&modelName=Cisco+Catalyst+6500+Series+Intrusion+Detection+System+%28IDSM-2%29+Services+Module&treeMdfId=268438162&modifmdfid=null&imname=&treeName=Security&hybrid=Y&imst=N
    To "install" this special password recovery file you will follow the System Re-Image instructions, but use this special file instead of the standard System Image file.
    http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_system_images.html#wp1031426
    This is discussed very briefly in the CLI guide:
    http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_troubleshooting.html#wp1139735

  • New Trunking port Error Disabled on Nexus 5000

    I configured my Nexus 5000 ports as so
    Int Eth1000/1/48
    switchport mode trunk
    switchport trunk  allowed vlan 8
    speed 1000
    channel-group 7 mode active
    int Po7
    switchport mode trunk
    switchport trunk  allowed vlan 8
    vpc7
    speed 1000
    I configured my 3650 as so:
    int Gig0/23
    switchport trunk encapsulation dot1q
    switchport trunk  allowed vlan 8
    switchport mode trunk
    speed 1000
    channel-group 1 mode active
    Port channel 1
    switchport trunk encapsulation dot1q
    switchport trunk  allowed vlan 8
    switchport mode trunk
    speed 1000
    Both of these ports are connected: Int Eth1000/1/48 and int Gig0/23. Int Eth1000/1/48 shut down, and when I checked the logs on the N5K it said for the port: ErrorDisabled REASON BPDUguard. I did not configure bpdufilter or bpduguard on either side. What is causing it?
    I found 3 other ports that have bpdufilter on them; would that be it?
    Since the 3560 is an older switch, how can I also ensure it gets demoted so as not to be the root bridge or secondary root bridge?

    Hi,
    1- You tried to bundle GE and E interfaces with LACP on both switches but you did not mention the other bundle members; however, it looks like the EtherChannel did not come up and the interfaces work separately.
    As a result, STP has prevented a bridging loop and put one of them in the errdisable state. I think you must check your EtherChannel configuration.
    2- you can use "spanning-tree vlan <> priority 61400" on 3560 switch to make sure it won't be a root bridge.
    HTH
    Houtan

  • IDSM-2

    Hello Dears,
    I'm planning to place the IDSM-2 in INLINE VLAN PAIR mode rather than promiscuous mode. Please correct my steps if I am wrong in the below points.
    Steps to  configure 6500 switch with cisco IOS for IDSM-2
    router(config)#  intrusion-detection module 13 data-port 1 trunk  allowed-vlan all
    Steps to configure IDSM-2 for Inline  Vlan  pairing:
    When we enter yes to modify the interface and virtual sensor configuration,
    we select Edit Interface Configuration,
    we select Add/Modify Inline Vlan Pairs,
    and after that we should create as many subinterfaces on gig0/7 OR gig0/8 as we have VLAN pairs.
    Set up the inline VLAN pair.
    sensor(config-int-phy)# subinterface-type inline-vlan-pair
    sensor(config-int-phy-inl)# subinterface 1
    sensor(config-int-phy-inl-sub)# vlan1 62
    sensor(config-int-phy-inl-sub)# vlan2 63
    sensor(config-int-phy-inl-sub)# exit
    sensor(config-int-phy-inl)# subinterface 2
    sensor(config-int-phy-inl-sub)# vlan1 72
    sensor(config-int-phy-inl-sub)# vlan2 73
    Thanks

    Estela,
    I am not sure if I understood your questions correctly.
    This is difficult to explain by email.
    Please go through the link below to understand difference between 'inline interface pair mode ' and inline vlan pair mode'
    http://tools.cisco.com/squish/6F956
    Question 1: The above RED HIGHLIGHTED line is confusing me. We can assign VLANs in inline interface pair mode, as you have suggested I use in your above mail??? If so, then can we use as many real VLANs on port gig0/7 and as many virtual VLANs on gig0/8, so that the IDSM-2 will bridge between them? Up till now what I am thinking is that inline interface pair mode supports only 1 set of VLANs, and that they are access ports.
    Answer:
    Inline interface pair is used when IPS ports are connected to access ports , correct.
    IDSM will bridge only 2 vlans in inline interface pair mode.
    Remember, IDSM in inline interface pair mode has no notion of vlans as such.
    The vlan assignment is done on the 6500 on ports connecting to the IDSM.
    For IDSM,  inline interface pair is like a wire connecting two ports.
    Whatever comes in on one interface, send it out of the other.
    The 6500 ports connecting to the ports on IDSM are access ports belonging in different vlans of the pair.
    Hence IDSM in theory bridges 2 vlans together.
    Question 2:ON what scenarios we need INLINE VLAN PAIR MODE THEN??
    Inline vlan pair is roughly analogous to 'Router on a stick '
    In inline vlan pair mode we have: One physical interface, and a pair of vlans per subinterface.
    Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the pair.
    You can have multiple sub-interface pairs on a single physical interface.
    For a inline vlan pair mode, the IDSM port needs to be connected to a trunk port on the switch side.
    The following example might make it easier to understand
    E.g
    Gig 0/7 - Physical interface
    Inline vlan pair #1
    sub interface 1
    vlan 10
    vlan 20
    Inline vlan pair #2
    sub interface 2
    Vlan 30
    Vlan 40
    On 6500 switch, data-port 1 connects to gig0/7 over backplane.
    data-port 1 needs to be a trunk port.
    When traffic in vlan 10 is received on gig0/7 it's forwarded out of the same interface gig0/7 in vlan 20
    When traffic in vlan 20 is received on gig0/7 it's forwarded out of the same interface gig0/7 in vlan 10
    Sub interface 1 is used to associate the pair of vlans 10 and 20 to physical interface gig0/7
    When traffic in vlan 30 is received on gig0/7 it's forwarded out of the same interface gig0/7 in vlan 40
    When traffic in vlan 40 is received on gig0/7 it's forwarded out of the same interface gig0/7 in vlan 30
    Sub interface 2 is used to associate the pair of vlans 30 and 40 to physical interface gig0/7
    Question 3: In 1 virtual sensor, how many times is traffic passed to the IDSM-2? For example, in inline vlan pair mode, if I want to allow inter-vlan routing from vlan 100 to vlan 200.
    I did not understand the question. For inline interface pair, traffic flows through virtual sensor once for each direction.
    From x > y  one.
    From y back to > x two.
    Go through the design document I wrote and take a look at the packet walk for arp.
    https://supportforums.cisco.com/docs/DOC-12206
    INLINE VLAN PAIR: vlan 1 and vlan2 are real SVI interface  and vlan 100 and vlan 200 are virtual just for pairing.
    vlan 1 to  100
    vlan 2 to 200
    USER-PC                      SWITCH SVI           SWITCH SVI                       USER-PC
    vlan  100----IDSM--------int vlan1 SVI --- ----int vlan2  SVI-------IDSM----vlan 200
    Please correct the above steps for traffic flow from 1 vlan to another. I hope the traffic is passing 2 times through the IDSM-2.
    Switch cannot have SVI for 2 vlans. It will do intervlan routing directly without the packet ever going through the IDSM.
    We need  one ip subnet, 2 vlans, and SVI only on one of them.
    Check " Normal intervlan routing " on the design doc: https://supportforums.cisco.com/docs/DOC-12206
    ALSO
    Question 4: I am also going to place the IDSM-2 with an FWSM. Is there any different configuration, or will the traffic flow be the same: as it was hitting the switch SVI before, now it will hit the FWSM SVI?
    E.g scenario:
    Well say, inside vlan is 100 and outside vlan is 200.
    All hosts reside in inside vlan 100.
    Outside artificial vlan 200 is created to force traffic to go through IDSM.
    Then vlan 100 and vlan 200 share same common ip subnet.
    SVI only exists on vlan 200.
    6500 data port 1  is access port in vlan 100
    6500 data port 2 is access port in vlan 200
    IDSM gig0/7-gig0/8 are a inline interface pair.
    IDSM bridges vlan 100 & 200 together.
    Default gateway for all hosts in vlan 100 and 200 is SVI for 200.
    This SVI can be placed on FWSM, and FWSM can be put it routing mode.
    That way traffic is forced to go through to the FWSM after it passes through the IDSM and back to the switch.
    Sid Chandrachud
    TAC Security Solutions

  • IDSM-2: hints for initial network setup?

    Hello team:
    I was asked to carry out a very basic configuration of a brand new IDSM-2 on a CAT6500. According to the documentation, once in the Supervisor's CLI, I must execute a "session" command to the slot in which the IDSM is located.
    Once there, I have to follow the wizard to add IP, mask and gateway. Having this configured, the module's management interface should be visible from the rest of the network, but I do not see how this happens, since the module should use one of the switch's VLANs, and I haven't found how this is configured.
    Question: how will this IDSM link itself to the switch's layer 3 engine? I do not see how its layer 2 will match any available VLAN in the host LAN switch...
    Any help will be greatly appreciated
    Rogelio Alvez
    Argentina

    I think what you need to add is a command on the 6500 that puts the IDSM-2 management port in a particular vlan.  For example:
    intrusion-detection module 9 management-port access-vlan 101
    This would place the management port for the iDSM-2 card in slot 9 in vlan 101.  The host-ip that you define on the IDSM-2 card itself would then need to be valid for this vlan.
    Steve

  • Spanned port for IDS

    We're about to get an IDS system which will require a spanned port on the inside of our network. Inside our network we have a few 6500s, so I'd span a port on one of our core switches. My question is, there is definitely more than 1 Gb of traffic going through the core at any time; how would I get all this traffic to the IDS system? Would I just create an EtherChannel and use it as a destination, and plug all the ports into the IDS?

    Thanks for that link. According to that link you have to have separate IDSs attached to the EtherChannel (one per port):
    "The IPS appliances must be in on-a-stick mode, meaning that the IPS appliance can only use one sensing port on that Catalyst switch. That port is trunked so that the IPS appliance has an inbound and outbound path to and from the switch."
    Am I reading that wrong? Can I have one IPS with three or four ports attached to the same switch in an etherchannel?
    It's starting to sound like I'm going to have to limit what ports I source, which means the IDS could potentially miss a threat or report it later than it could....

  • Interface bouncing after S219 install on 4250 IDS/4.1

    I installed the S219 updates on one of our client's IDSes. After the install, the eth0 (sniffing) interface started bouncing. I'm getting the following errors constantly (i.e. 2300 in 2 hours)
    evError: eventId=1084139354956127055 severity=warning
    originator:
    hostId: xxxxx.blah.com
    appName: kernel
    appInstanceId:
    time: offset=-300 timeZone=EST 1141813394351496000
    errorMessage: name=errSyslog e1000: eth0 NIC Link is Down
    evError: eventId=1084146174954547201 severity=warning
    originator:
    hostId: xxxxx.blah.com
    appName: kernel
    appInstanceId:
    time: offset=-300 timeZone=EST 1141816178210210000
    errorMessage: name=errSyslog e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex
    Just a thought, but perhaps it somehow got forced in 1000/full? Should I try setting it to auto/auto? If so, do I do that from the service account? And what commands would I issue?
    Thanks all!

    The error message is generated by the sensor. The sensing process (SensorApp) should always be running; if it is not, you do not receive any alerts. If the interface is down, make sure the sensing port is connected properly:
    a. Make sure the sensing port is connected properly on the appliance.
    See the chapter on your appliance in the Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1.
    b. Make sure the sensing port is connected to the correct SPAN or VACL capture port on the IDSM-2.
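A bouncing sensing interface shows up as a stream of evError records like the ones quoted above, and the same applies to the "Link is down / Inline data bypass has started" events in the flapping-interface thread earlier on this page; in both cases what matters is how often the link drops and how long it stays down, which is worth computing rather than eyeballing. The Python below is an added example, not part of the original thread or of the Cisco IPS software: it parses evError records in the format shown in the post, extracts the NIC link Up/Down syslog lines, flags interfaces that went down repeatedly within a time window, and totals the time each interface spent down. The sample records are constructed (host name sensor1.example.com, event IDs and timestamps are made up, and the empty originator/appInstanceId fields are omitted); the nanosecond 'time:' field and the 'errSyslog e1000: ethN NIC Link is ...' messages follow the format quoted above.

```python
"""Flap detection over IDSM/IPS evError records.  Added example, not Cisco code."""
import re
from collections import defaultdict

NS = 1_000_000_000                     # 'time:' carries nanoseconds since the epoch
RECORD_START = "evError:"
LINK_RE = re.compile(r"(\S+) NIC Link is (Up|Down)")

# Constructed sample (not a real capture): eth0 drops twice 30 minutes apart and
# comes back each time; eth1 drops once and never comes back.
SAMPLE_EVENTS = """\
evError: eventId=1084139354956127055 severity=warning
hostId: sensor1.example.com
time: offset=-300 timeZone=EST 1141813394351496000
errorMessage: name=errSyslog e1000: eth0 NIC Link is Down
evError: eventId=1084139354956127056 severity=warning
hostId: sensor1.example.com
time: offset=-300 timeZone=EST 1141813398351496000
errorMessage: name=errSyslog e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex
evError: eventId=1084139354956127057 severity=warning
hostId: sensor1.example.com
time: offset=-300 timeZone=EST 1141813400351496000
errorMessage: name=errSyslog e1000: eth1 NIC Link is Down
evError: eventId=1084139354956127058 severity=warning
hostId: sensor1.example.com
time: offset=-300 timeZone=EST 1141815194351496000
errorMessage: name=errSyslog e1000: eth0 NIC Link is Down
evError: eventId=1084139354956127059 severity=warning
hostId: sensor1.example.com
time: offset=-300 timeZone=EST 1141815197351496000
errorMessage: name=errSyslog e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex
"""


def parse_events(text):
    """Split raw event output into one dict per evError record (host, ts_ns, msg)."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(RECORD_START):
            cur = {}
            records.append(cur)
        elif cur is None:
            continue                               # noise before the first record
        elif line.startswith("hostId:"):
            cur["host"] = line.split(":", 1)[1].strip()
        elif line.startswith("time:"):
            tok = line.split()[-1]                 # last token is the epoch timestamp
            if tok.isdigit():
                cur["ts_ns"] = int(tok)
        elif line.startswith("errorMessage:"):
            cur["msg"] = line.split(":", 1)[1].strip()
    return records


def link_transitions(records):
    """(ts_ns, host, iface, 'Up'|'Down') for every NIC link syslog, time-ordered."""
    out = []
    for r in records:
        m = LINK_RE.search(r.get("msg", ""))
        if m and "ts_ns" in r:
            out.append((r["ts_ns"], r.get("host", "?"), m.group(1), m.group(2)))
    return sorted(out)


def detect_flaps(transitions, window_s=3600, threshold=3):
    """Interfaces that went Down at least `threshold` times inside any `window_s` span."""
    downs = defaultdict(list)
    for ts, host, iface, state in transitions:
        if state == "Down":
            downs[(host, iface)].append(ts)        # already time-ordered
    window_ns = int(window_s * NS)
    flapping = {}
    for key, times in downs.items():
        lo, worst = 0, 0
        for hi, t in enumerate(times):             # sliding window over Down events
            while t - times[lo] > window_ns:
                lo += 1
            worst = max(worst, hi - lo + 1)
        if worst >= threshold:
            flapping[key] = worst
    return flapping


def link_downtime(transitions):
    """Seconds each interface spent Down (completed Down..Up pairs) and which are still Down."""
    total, down_since = defaultdict(int), {}
    for ts, host, iface, state in transitions:
        key = (host, iface)
        if state == "Down":
            down_since.setdefault(key, ts)         # keep the first Down of a run
        elif key in down_since:
            total[key] += ts - down_since.pop(key)
    return {k: v / NS for k, v in total.items()}, set(down_since)


if __name__ == "__main__":
    tr = link_transitions(parse_events(SAMPLE_EVENTS))
    print("flapping:", detect_flaps(tr, window_s=3600, threshold=2))
    print("downtime, still down:", link_downtime(tr))
```

The thresholds are deliberately parameters: a link that drops every two hours, as in the earlier thread, is a different problem from the 2300 bounces in two hours reported here, and the same parser serves both once the window and count are chosen to match the complaint.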
