IDSM on catalyst 6500 to provide IOS Inline mode support

Similar Messages

• IDSM2 on 6500-IOS inline mode support?

  Hi,
  I have an IDSM-2 running IPS5.1(1d) software (recently upgraded from 4.x) that is sitting on a 6500 IOS.
  The IPS device manager shows gi0/7 and gi0/8 as both in Promiscuous mode. There is no option to change the mode to inline and pair them.
  Is it so that IDSM-2 currently supports only Promiscuous mode?
  If so, then this module is still acting as an IDS despite running IPS5.1. Isn't it? What is the advantage that I get after upgrading it from 4.x to 5.1?
  -- Vasanth

  There are 2 pieces to the puzzle.
  There is the IDSM-2 version and what it supports, but also the Cat 6K Native IOS version and what it supports.
  IDSM-2 v5.1(1d) supports
  a) Promiscuous mode,
  b) InLine Interface Pair mode (2 interfaces are paired for inline monitoring), and also
  c) InLine Vlan Pair mode (2 vlans on a single interface are paired for inline monitoring, you will also see it called inline-on-a-stick)
  But for these features to be used, the switch code must also support configuring the switch side of the IDSM-2 for each of these 3 features.
  Native IOS Versions prior to 12.2(18)SXE will support only Promiscuous mode on the IDSM-2.
  12.2(18)SXE and later versions will support InLine Interface Pair mode on the IDSM-2.
  No Native IOS versions currently support InLine Vlan Pair mode on the IDSM-2 (a new Native IOS versions with this support is currently in development).
  So to get Inline (IPS) functionality you need to be running a Native IOS version 12.2(18)SXE or later, and on the IDSM-2 run IPS versions 5.1 (or even the older 5.0).
  (NOTE: Cat OS 8.5(1) does support all 3 modes of the IDSM-2. So if you are using Cat OS instead of Native IOS, then run version 8.5(1) to have access to all of the features of IPS 5.1(1) on the IDSM-2)
  If you are running a Native IOS version prior to 12.2(18)SXE then the IDSM-2 can only be operated in Promiscuous mode even if 5.1(1) is loaded on the IDSM-2.
  However, even in promiscuous mode the IPS 5.1(1) software does have a few advantages.
  There are several engines, and engine parameters that are only supported in the 5.1 version and not the 4.0 version. So there are several signatures that are either a) not even created for 4.x sensors, or b) the 4.x signature is not as precise as the 5.x signature in the new engines.
  (These new engines have proved invaluable in writing signatures to detect some of the new attacks that have come out over the past year.)
  There are of course other advantages as well:
  For example:
  1) Risk Rating to better aid in prioritization of alerts.
  2) More flexible fitlering mechanism for alerts that allows for fitlering individual actions
  The 2 features above are just 2 of the new features that have been added in 5.0 and 5.1 that apply to both promiscuous and inline modes.

• Configuring the Catalyst 6500 Switch for IPS Inline Operation of the IDSM

  I understand how to configure the Catalyst 6500 switch so that the monitoring ports are access ports in two separate VLAN's for inline operation.
  However, I don't see any documentation that describes how the desired VLAN traffic gets forced through the IPS.
  In promiscuous mode, you can use VACL's to copy/capture and forward the desired traffic to the IDSM for analysis. I'm not seeing how to get the desired traffic through the IPS.
  Note that the host 6500 is running native IOS 12.2(18)SXE.
  Thanks for any assistance.

  A tranparent firewall is a fairly good comparison.
  Let's say you have vlan 10 with 100 PCs and 1 Router for the network.
  If you want to apply a transparent firewall on that vlan you can not simply put one interface of the firewall on vlan 10. Nothing would go through the firewall.
  Instead you have to create a new vlan, let's say 1010. Now you place one interface of the firewall on vlan 10 and the other on vlan 1010. Still nothing is going through the firewall. So now you move that Router from vlan 10 to vlan 1010. All you do is change the vlan, the IP Address and netmask of the router stay the same.
  The transparent firewall bridges vlan 10 and vlan 1010. The PCs on vlan 10 ae still able to communicate to and through the router, but must go through the transparent firewall to do so.
  The firewall is transparent because it does not IP Route between 2 vlans, instead the same IP subnet exists on both vlans and the firewall transparently beidges traffic between the 2 vlans.
  The transparent firewall can do firewalling between the PCs on vlan 10 and the Router on vlan 1010. But is PC A on vlan 10 talks to PC B on vlan 10, then the transparent firewall does not see and can not block that traffic.
  An InLine sensor is very similar to the transparent firewall and will bridge between the 2 vlans. And similarly an InLine sensor is able to InLine monitor traffic between PCs on vlan 10 and the Router on vlan 1010, but will not be able to monitor traffic between 2 PCs on vlan 10.
  Now the router on one vlan and the PCs on the other vlan is a typical deployment for inline sensors, but your vlans do not Have to be divided that way. You could choose to place some servers in one vlan, and desktop PCs in the other vlan. You subdivide the vlans in what ever method makes sense for your deployment.
  Now for monitoring multiple vlans the same principle still applies. You can't monitor traffic between machines on the same vlan. So for each of the vlans you want to monitor you will need to create a new vlan and split the machines between the 2 vlans.
  In your case with Native IOS you are limited to only 1 pair of vlans for InLine monitoring, but your desired deployment would require 20 vlan pairs.
  The 5.1 IPS software has now the capability to handle the 20 pairs, but the Native IOS software does not have the capability to send the 40 vlans (20 pairs) to the IDSM-2.
  The Native IOS changes are in testing right now, but I have not heard a release date for those changes.
  Now Cat OS has already made these changes. So here is a basic breakdown of what you could do in Cat OS and you can use in preparation for a Native IOS deployment when it gets released.
  For vlans 10-20, and 300-310 that you want monitored you will need to break each of those vlans in to 2 vlans.
  Let's say we make it simple and add 500 to each vlan in order to create the new vlan for each pair.
  So you have the following pairs:
  10/510, 11/511, 12/512, etc...
  300/800, 301/801, 302/802, etc....
  You set up the sensor port to trunk all 40 vlans:
  set trunk 5/7 10-20,300-310,510-520,800-810
  (Then clear all other vlans off that trunk to keep things clean)
  In the IDSM-2 configuration create the 20 inline vlan pairs on interface GigabitEthernet0/7
  Nw on each of the 20 original vlans move the default router for each vlan from the original vlan to the 500+ vlan.
  At this point you should ordinarily be good to go. The IDSM-2 won't be monitoring traffic that stays within each of the original 20 vlans, but Would monitor traffic getting routed in and out of each of the 20 vlans.
  Because of a switch bug you may have to have an additional PC moved to the same vlan as the router if the switch/MSFC is being used as the router and you are deploying with an IDSM-2.

• IDSM-2 IPS (5.x) / Cat IOS questions

  Is my understanding correct that a Catalyst 6500 running Cat IOS supports only Promiscious mode and that Cat IOS does not support IDSM-2 (5.x) Inline mode?
  Are there any plans to incorporate Inline Mode (5.x) under Cat IOS in the future, or am I missing something here?

  An upcoming version of CatIOS code will definately support inline mode.
  The IPS 5.0 code, as you're aware, was the first version of IDS code to support inline mode. With the standalone sensors, running it inline requires a physical cabling change. With the IDSM-2 in particular though, you need to be able to configure the Cat-IOS code to push traffic through the device in inline mode.
  Unfortunately getting new versions of CatIOS code out the door is not that easy, since there are about 10,000 other features (not just IPS) in the code that are also wanting to be updated, plus other new features, plus all the testing and re-testing that needs to go on before a release. Supporting inline IPS is just one of many major features scheduled for the switch software.
  The Release Notes for IPS 5.0 code do say the following:
  IDSM-2 only supports inline mode for Catalyst Software 8.4.4(1) with Supervisor Engine 1a, Supervisor Engine 2, Supervisor Engine 32, and Supervisor Engine 720. Inline support for Cisco IOS will be added at a later date.

• Compatible 6500 IOS version to support IDSM-2 Inline mode

  The 6500 model WS-SUP720-3BXL with IOS version 12.2(18)SXD4,
  and IDS card WS-SVC-IDSM-2 with sw 5.0(2)is compatible to run on inline mode.
  Regards,
  Viraj

  Good day,
  Hi, You need minimum sup-bootdisk:s3223-advipservicesk9_wan-mz.122-18.SXF7.bin IOS to enable INLINE mode on 6500 series.
  as per my knowledge,
  the latest IOS is
  sup-bootdisk:s3223-adventerprisek9_wan-mz.122-18.SXF13.bin.
  for IDSM-2, if u upgrade to Engine 2 IOS, U can get update with E2 signatures and also U can manage from New Management Console like Cisco IPS manager Express 6.1.
  I hope this will satisfy.

• IPS 45xx/43xx/42xx appliance and Catalyst 6500 Inline Mode issues

  Hello to everyone!
  We have recently got our new IPS 4510 appliance and for now there is a task to develop a connection scheme to our backbone multilayer switch (Catalyst 6500).
  There are several server's and user's VLANs connected to 6500.
  6500 performs inter-vlan routing.
  The main task is to "insert" IPS appliance between traffic path from any VLAN to server's VLANs.
  The additional task is to provide failover in "fail-open" manner (We have only one 4510 appliance. So if 4510 fails then traffic should continue passing without inspections).
  As I understood from this document https://supportforums.cisco.com/docs/DOC-12206 the only way to implement Inline Mode when using multilayer switch is to "take out" default gateway address for inspected subnet on the other VLAN's SVI.
  If we replace IDSM-2 with IPS appliance I suppose we can use hardware bypass feature as a failover measure (in case if IPS fails then traffic between bridged VLANs will still be forwarded).
  But what if there are several VLANs that should be monitored?
  As I understand in such schema we will need to use addtional interface-inline-pair for each monitored VLAN.
  But what if we have 20 VLANs for servers and 50 VLANs for users?
  Can using of VLAN-group mode handle this problem?
  I am not sure but using of VLAN-groups cannot provide bridging between two different VLANs. Am I right?
  And will using of VLAN-group make hardware-bypass feature useless?
  I tryed to simulate the first scenario in Cisco Packet Tracer (i used a bridge to simulate an IPS appliance in interface-pair inline mode):
  May be this is a bug of Packet Tracer but traffic went through IPS only if it was sent from VLAN 10 to VLAN100.
  The return traffic from VLAN 100 to VLAN 10 went through the Catalyst directly.
  When Catalyst recieved the frame it said:
  "The frame destination MAC address matches the MAC address of the active VLAN interface."
  After that it decapsulates the PDU from the Ethernet frame and send IP packet directly to VLAN 10.
  Does it mean that there is a need to change SVI's mac address?
  Thanks for any advice in advance.

  Here is my guess of how to realise my scenario:
  Config on Cat6k should looks something like this:
  ip routing
  interface Ge1/0
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 10-12,110-112
  switchport mode trunk
  switchport nonegotiate
  switchport vlan mapping enable
  switchport vlan mapping 110 10
  switchport vlan mapping 111 11
  switchport vlan mapping 112 12
  interface Ge1/1
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 10-12
  switchport mode trunk
  switchport nonegotiate
  interface vlan 2
  ip address 10.0.2.1 255.255.255.0
  interface vlan 3
  ip address 10.0.3.1 255.255.255.0
  interface Vlan4
  ip address 10.0.4.1 255.255.255.0
  interface Vlan110
  ip address 10.0.10.1 255.255.255.0
  interface Vlan111
  ip address 10.0.11.1 255.255.255.0
  interface Vlan112
  ip address 10.0.12.1 255.255.255.0
  no interface Vlan10
  no interface Vlan11
  no interface Vlan12
  IPS should operate in VLAN-group inline mode. We could separate traffic by VLAN tag to inspect with different virtual sensors or we use one VS for all trunk traffic.
  Traffic routed from any VLAN to VLANs 10-12 should go through IPS.
  In case if IPS gets powered off - hardware-bypass feature should provide bridging between trunk ports.
  In theory it should work.
  Remained to test it in practice
  Thoughts / suggestions?    

• Hi, I have a Catalyst 6500 with X6K-SUP2-2ge, the IOS and bootlader image been wiped out, it starts in ROMmon SP mod end can't switch to RP to start download the IOS using Xmodem, though it shouldn't work in ROMmon SP omde but the xmodem is not gving the

  Hi, I have a Catalyst 6500 with X6K-SUP2-2ge, the IOS and bootlader image been wiped out, it starts in ROMmon SP modw and I can't switch to RP to start download the IOS using Xmodem, though Xmodem shouldn't work in ROMmon SP mode but the it's not gving the
  not executable message, the slot0: and disk0: are not accessable can't see the files inside, when I try the dir slot0: or dir disk0: it says it can't be opened and when I try to boot from them there's noting as well, what can I do to load an IOS image to the booflash: or slot0: ,each time I load the image using Xmodem at the end it gives me *** System received a Software forced crash ***
  signal=0x17, code=0x5, context=0x0
  When I run the command:
  rommom1> boot bootflash:
  boot: cannot determine first file name on deice "bootflash:"
  rommon2> boot slot0:
  boot: cannot open "slot0:"
  boot: cannot dtermine first file name on device "slot0:"
  BTW  System Bootstrap, version 7.1
  I''m looking to format the PCMCIA using a PC and format it to FAT16 and copy the boot image into it and then try to load from the PCMCIA afterward if it works I'll format it using the Supervisor engine 2.
  Any one have another new idea I can use, thanks in advance

  This is a potentially complex issue.
  Is this SUP configured to run as IOS native or CatOS Hybrid?
  While in ROMMON can you do the 'dev' command and see whad drives are recognized. Then 'dir' the drives that the SUP recognizes.
  Can you provide the screen captures as it boots?
  You would be bette served by hacing a TAC case.

• After upgrading ios Cisco Catalyst 6500 Series Supervisor Engine 2T to the latest release the ASA-SM module is not recognized

  after upgrading ios Cisco Catalyst 6500 Series Supervisor Engine 2T to the latest release the ASA-SM module is not recognized it is disabled. the FPD
  is not recognized any more. reverted back to previous ios with no luck

  Duplicate post.
  Being discussed actively in this thread.

• After upgrading ios Cisco Catalyst 6500 Series Supervisor Engine 2T ASA-SM is disabled

  after upgrading ios Cisco Catalyst 6500 Series Supervisor Engine 2T to the latest release the ASA-SM module is not recognized it is disabled. the FPD
  is not recognized any more.  reverted back to previous ios with no luck

  What IOS are you running on your Supervisor 2T? As long as it's 15.0(1)SY1 or later you should be OK. (Reference).
  If it's not working with that I'd try reload of the ASA SM module (from IOS cli - e.g. "hw-module <module#> reset" and, failing that, "no power-enable module <module#>" followed by "power-enable module <module#>) while the new Supervisor is installed. Watch the log for relevant messages during that process.

• Catalyst 6500 Stack

  Hi,
  I have heard of Cisco releasing new IOS software that will effectively stack Catalyst 6500 switches. Intitially it was called "Satellite".
  Does anyone know about this and when it will be released? Any ideas on how it works?
  My main reason for this is Multi-Chassis EtherChannel on 6513's.
  Thanks.

  The IDSM-2 module is capable of both IDS (promiscuous mode) AND IPS (inline mode).
  So if you need IPS (inline mode) you still just buy the same IDSM-2 but configure it for InLine Interface Pair or InLine Vlan Pair mode instead of configuring for Promiscuous mode.

• IDSM-2 and inline mode

  Hello
  I have a question about IDSM-2 (in catalyst 6500) and ips 6.0.3 and inline mode. I wanted to create vlan groups, so i could have inline ips with many virtual sensors for subinterfaces (vlans range).
  I tied to:
  set trunk 5/7 1-4095 (on swith)
  set trunk 5/8 1-4095 (on swith)
  and in IDSM-2 in CLI:
  i created inline interface (using 5/7 and 5/8 ports), but after that i could not create in physical interface vlan groups. Why ?
  How can i make my IDSM-2 card working inline with many virtual sensors (policies) per different vlans ?

  i found my answer in idsm-2 document "You can mix sensing modes on IDSM-2. For example, you can configure one data port for promiscuous mode and the other data port for inline VLAN pair mode. But because IDSM-2 only has two data ports and inline mode requires the use of both data ports as a pair, you cannot mix inline mode with either of the other two modes." but something else,for doing such thing suppos that i have sig 2004 configured for inline traffic to deny attacker inline then this action doesnt make any sense for some data in passive mode and suppos that for that kind of traffic which idsm-2 is operating in passive mode i want to just send an alert. so can i use deferent VS for doing this? thanks.

• Span Port Session in Catalyst 6500 & 4500 series

  Hi,
  May I know the maximum monitor session for latest Catalyst 6500 & 4500 series?
  Thanks

  Hi,
  See the below links wich provide all details about the SPAN sessions:
  6500
  http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/span.html#wp1036881
  4500
  http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/span.html#wp1020415
  Regards,

• Catalyst 6500 and IPS

  I have a catalyst 6500 switch on my network and I know it supports an IDS module.What I am not sure is an IPS.
  Could somebody who knows be kind enough to tell me if there is the support of IPS in the Catalyst 6500 switch.

  The IDSM-2 module is capable of both IDS (promiscuous mode) AND IPS (inline mode).
  So if you need IPS (inline mode) you still just buy the same IDSM-2 but configure it for InLine Interface Pair or InLine Vlan Pair mode instead of configuring for Promiscuous mode.

• How can i use IDSM-2 in inline mode for more than two VLANs?

  can i use the IDSM-2 in inline mode to be ips to more than two VLANS
  like this or it isn't
  intrusion-detection module 5 data port 1 access-vlan 10,20,30,40,50
  intrusion-detection module 5 data port 1 access-vlan 100,200
  thank u all for your help

  The IDSM-2 ports need to be configured as trunk ports with multiple vlans rather than as access ports.
  http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517eb.html#wp1068377
  And instead of creating an inline interface pair by pairing Gig0/7 with Gig0/8 within the IDSM-2 configuration, you would create inline vlan pairs.
  With an inline vlan pair you pair 2 vlans on the same interface.
  You can have up to 255 inline vlan pairs on each interface (assumining you keep the total traffic from all of the pairs within the IDSM-2s performance limit of around 500Mbps)
  How to create inline vlan pairs:
  http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517bb.html#wp1047852
  The other aspect you need to be aware of is that not all IOS versions will support configuring the IDSM-2 data ports as trunk ports for inline vlan pairs.
  Your best bet is to use 12.2(18)SXF4 or a later version on the 12.2(18)SXF train.
  The 12.2(33)SR train does not currently support the trunk feature for the IDSM-2.

• How to remove the WiSM2 from the Catalyst 6500 series switch?

  Hello, can you explain to me how to safely remove the WiSM2 from the Catalyst 6500 series switch?
  According to the documentation "Catalyst 6500 Series Wireless Services Module 2 Installation and Verification Note":
  To remove the WiSM2, perform these steps:
  Step1     Shut down the module by one of these methods:
  In privileged mode from the router prompt, enter the hw-mod module mod shutdown command. NoteIf you enter this command to shut down the module, you must enter the following commands in global configuration mode to restart (power down, and then power up) the module:
  Router# no power enable module modRouter# power enable module mod
  If the module does not respond to any commands, press the SHUTDOWN button located on the front panel of the module.
  Step2     Verify that the WiSM2 shuts down. Do not remove the module from the switch until the POWER LEDis off.
  But, in the case of Step1 (1st methods) I do not see a option "shutdown"  in the command "hw-mod module 3"...
  All I prompted to enter is:
  c6500#hw-module module 3 ?
  boot           Specify boot options for the module through Power Management Bus control register
  reset          Reset specified component
  simulate  Simulate options for the module
  Is it hidden options? IOS version of c6500 is 12.2(33)SXJ1
  In the case of Step2 (2nd methods) there is not any button on the front panel of the module?
  And yet, it is better to remove the module configuration manually or use the command module clear-config prior to removing the module?

  Good catch.
  Which one is true, will get back to you on this if i've something soon.
  http://www.cisco.com/en/US/docs/wireless/module/wism2/installation/note/WiSM_2.html#wp34727
  The above link is procedure to remove wism2. This procedure doesn’t look like wism2 is hot swapable.
  http://www.cisco.com/en/US/docs/wireless/module/wism2/installation/note/WiSM_2.html#wp34621
  All modules, including the supervisor engine (if you have redundant supervisor engines), support hot swapping. You can add, replace, or remove modules without interrupting the system power or causing other software or interfaces to shut down. For more information about hot-swapping modules, see the Catalyst 6500 Series Switch Module Installation Guide.