IDSM2 on 6500-IOS inline mode support?

Hi,
I have an IDSM-2 running IPS5.1(1d) software (recently upgraded from 4.x) that is sitting on a 6500 IOS.
The IPS device manager shows gi0/7 and gi0/8 as both in Promiscuous mode. There is no option to change the mode to inline and pair them.
Is it so that IDSM-2 currently supports only Promiscuous mode?
If so, then this module is still acting as an IDS despite running IPS5.1. Isn't it? What is the advantage that I get after upgrading it from 4.x to 5.1?
-- Vasanth

There are 2 pieces to the puzzle.
There is the IDSM-2 version and what it supports, but also the Cat 6K Native IOS version and what it supports.
IDSM-2 v5.1(1d) supports
a) Promiscuous mode,
b) InLine Interface Pair mode (2 interfaces are paired for inline monitoring), and also
c) InLine Vlan Pair mode (2 vlans on a single interface are paired for inline monitoring, you will also see it called inline-on-a-stick)
But for these features to be used, the switch code must also support configuring the switch side of the IDSM-2 for each of these 3 features.
Native IOS Versions prior to 12.2(18)SXE will support only Promiscuous mode on the IDSM-2.
12.2(18)SXE and later versions will support InLine Interface Pair mode on the IDSM-2.
No Native IOS versions currently support InLine Vlan Pair mode on the IDSM-2 (a new Native IOS version with this support is currently in development).
So to get Inline (IPS) functionality you need to be running a Native IOS version 12.2(18)SXE or later, and on the IDSM-2 run IPS versions 5.1 (or even the older 5.0).
(NOTE: Cat OS 8.5(1) does support all 3 modes of the IDSM-2. So if you are using Cat OS instead of Native IOS, then run version 8.5(1) to have access to all of the features of IPS 5.1(1) on the IDSM-2)
If you are running a Native IOS version prior to 12.2(18)SXE then the IDSM-2 can only be operated in Promiscuous mode even if 5.1(1) is loaded on the IDSM-2.
However, even in promiscuous mode the IPS 5.1(1) software does have a few advantages.
There are several engines, and engine parameters that are only supported in the 5.1 version and not the 4.0 version. So there are several signatures that are either a) not even created for 4.x sensors, or b) the 4.x signature is not as precise as the 5.x signature in the new engines.
(These new engines have proved invaluable in writing signatures to detect some of the new attacks that have come out over the past year.)
There are of course other advantages as well:
For example:
1) Risk Rating to better aid in prioritization of alerts.
2) More flexible filtering mechanism for alerts that allows for filtering individual actions
The 2 features above are just 2 of the new features that have been added in 5.0 and 5.1 that apply to both promiscuous and inline modes.

Similar Messages

  • IDSM on catalyst 6500 to provide IOS Inline mode support

    I am currently evaluating what kind of method to apply in my 6500. I would like to ask if IOS Version 12.2(33)SXI2a supports inline mode and inline VLAN pair mode with IDSM-2. What configuration should be done on the switch in order for the multiple-VLAN traffic to flow through an inline interface of the IDSM-2? In my case I have 16 user VLANs and 1 server VLAN on the Catalyst 6500. The task is to protect the servers from users. The requirement is to configure inline mode to monitor the traffic from these 16 VLANs when they access the servers. But as we know the IDSM-2 has only two logical sensing ports. So my question is: how will you configure the switch to forward the traffic from these 16 VLANs to the IDSM-2 module via only ONE sensing port, since the other sensing port will be configured in the server VLAN? Because as far as I know, when you configure inline mode on IOS, you will have to configure the sensing ports in access mode (while in CatOS you configure these as TRUNK ports). But this will work when you have only two VLANs. In my case, I have 16 VLANs to monitor in inline mode. Please suggest any solution.
    Any urgent reply will be much appreciated.
    Many Thanks in advance

    Hi Mubin,
       If you're looking to monitor all the traffic from the user VLANs to the server VLANs then the simplest way to configure the IDSM-2 would be inline on the server VLAN segment.  All traffic destined to the servers (from the users or anywhere else) has to traverse that VLAN.  Assuming you have something like this to start:
    VLAN 100-120 (users) ====== Switch ------ VLAN 200 (servers)
    you'd drop the IDSM-2 inline on VLAN 200 by using a helper VLAN:
    VLAN 100-120 (users) ====== Switch ----- VLAN 201 (server gateway) ----- IDSM-2 (bridging 201 to 200) ----- VLAN 200 (servers)
    To do this you'll need to perform the following steps:
    1.  Designate a new VLAN to use as a helper VLAN for your current server VLAN.  I'll use 201 for this example and assume your current server VLAN is 200.
    Create the helper VLAN on the switch:
    switch# conf t
    switch(config)# vlan 201
    2.  Configure the IDSM-2 to bridge the helper VLAN and the server VLAN (200-201)
    sensor# conf t
    sensor(config)# service interface
    sensor(config-int)# physical-interface GigabitEthernet0/7
    sensor(config-int-phy)# admin-state enabled
    sensor(config-int-phy)# subinterface-type inline-vlan-pair
    sensor(config-int-phy-inl)# subinterface 1
    sensor(config-int-phy-inl-sub)# vlan1 200
    sensor(config-int-phy-inl-sub)# vlan2 201
    sensor(config-int-phy-inl-sub)# description Server-Helper pair
    sensor(config-int-phy-inl-sub)# exit
    sensor(config-int-phy-inl)# exit
    sensor(config-int-phy)# exit
    sensor(config-int)# exit
    Apply Changes:?[yes]:
    3.  Configure the switch to trunk the helper and server VLANs to the IDSM-2 module.  I assume the module is in slot 5 in the example.  Replace the 5 with the correct slot for your deployment:
    switch# conf t
    switch(config)# intrusion-detection module 5 data-port 1 trunk allowed-vlan 200,201
    switch(config)# intrusion-detection module 5 data-port 1 autostate include
    *Warning! This next step may cause an outage if everything is configured correctly.  You'll probably want to schedule a window to do this.*
    4.  Finally, force the traffic from the server VLAN through the IDSM-2 by moving the server VLAN gateway from VLAN 200 (where it is currently) to the helper VLAN you created.  To do this, remove the SVI from VLAN 200 and apply the same IP address to VLAN 201.  I assume the current server gateway is 192.168.1.1/24
    switch# conf t
    switch(config)#int vlan 200
    switch(config-int)#no ip addr
    switch(config-int)#int vlan 201
    switch(config-int)#ip addr 192.168.1.1 255.255.255.0
    switch(config-int)#exit
    switch(config)#exit
    switch# wr mem
    Now, when the servers try to contact 192.168.1.1 (their gateway) they'll have to be bridged through the IDSM-2 to reach VLAN 201 and in the process all traffic destined to them or sourced from them will be inspected.  Do not put any hosts or servers in the helper VLAN (201) or they will not be inspected.
    Best Regards,
    Justin
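The point that decides whether this design works is the one the answer makes in its last paragraph: the IDSM-2 only sees a frame if the frame has to cross the 200/201 pair to reach its gateway. The model below is an added example, not code from the thread or from Cisco; it reduces the 6500 to VLANs, SVIs, hosts and a tag-swapping bridge on a constructed topology (host names, addresses and VLAN numbers are invented to match the answer), replays the four steps, and reports which flows are inspected before the SVI move, after it, for a host wrongly patched into the helper VLAN, and for server-to-server traffic inside VLAN 200.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Cat6k:
    """Just enough of a Catalyst 6500 + IDSM-2 to reason about the helper-VLAN design.

    svi        : VLAN -> gateway address the MSFC hosts on that VLAN
    hosts      : host name -> access VLAN (constructed sample topology)
    vlan_pairs : IDSM-2 inline VLAN pairs; the module bridges the two VLANs by
                 swapping the 802.1Q tag and inspects everything that crosses
    """
    svi: Dict[int, str]
    hosts: Dict[str, int]
    vlan_pairs: Dict[int, int] = field(default_factory=dict)

    def add_inline_vlan_pair(self, vlan1: int, vlan2: int) -> None:
        self.vlan_pairs[vlan1] = vlan2
        self.vlan_pairs[vlan2] = vlan1

    def move_svi(self, ip: str, from_vlan: int, to_vlan: int) -> None:
        """Step 4 of the answer: 'no ip addr' on one SVI, same address on another."""
        if self.svi.get(from_vlan) != ip:
            raise ValueError(f"{ip} is not the SVI address on VLAN {from_vlan}")
        del self.svi[from_vlan]
        self.svi[to_vlan] = ip

    def trace_to_gateway(self, host: str) -> Tuple[List[str], bool]:
        """Path from a host to the MSFC gateway of its subnet.

        A frame addressed to the gateway MAC stays inside the host's VLAN; only
        when no SVI exists there does the IDSM-2 bridge it into the paired VLAN.
        Returns (hops, crossed_idsm2).
        """
        vlan = self.hosts[host]
        hops = [f"{host} on VLAN {vlan}"]
        seen = {vlan}
        crossed = False
        while vlan not in self.svi:
            nxt = self.vlan_pairs.get(vlan)
            if nxt is None or nxt in seen:
                hops.append("no gateway reachable: subnet is black-holed")
                return hops, crossed
            hops.append(f"IDSM-2: inspect, retag {vlan} -> {nxt}")
            seen.add(nxt)
            vlan = nxt
            crossed = True
        hops.append(f"MSFC SVI {self.svi[vlan]} on VLAN {vlan}")
        return hops, crossed

    def flow_inspected(self, src: str, dst: str) -> bool:
        """Same-VLAN traffic is switched at L2 and never touches the gateway.
        Inter-VLAN traffic is routed by the MSFC, so it is inspected if either
        host's leg to the gateway crosses the IDSM-2."""
        if self.hosts[src] == self.hosts[dst]:
            return False
        return self.trace_to_gateway(src)[1] or self.trace_to_gateway(dst)[1]


def demo() -> Dict[str, bool]:
    """Replays the answer's procedure on a constructed topology."""
    sw = Cat6k(svi={100: "10.1.100.1", 200: "192.168.1.1"},
               hosts={"user-pc": 100, "web01": 200, "web02": 200})
    out: Dict[str, bool] = {}
    # Steps 1-3 done, step 4 not yet: the pair exists but the gateway still sits
    # on VLAN 200, so web01 reaches 192.168.1.1 inside VLAN 200 and nothing crosses.
    sw.add_inline_vlan_pair(200, 201)
    out["user_to_server_before_move"] = sw.flow_inspected("user-pc", "web01")
    # Step 4: the gateway moves to the helper VLAN; routed flows now cross the pair.
    sw.move_svi("192.168.1.1", 200, 201)
    out["user_to_server_after_move"] = sw.flow_inspected("user-pc", "web01")
    # Caveat from the answer: a host patched into the helper VLAN bypasses inspection.
    sw.hosts["stray-box"] = 201
    out["host_in_helper_vlan"] = sw.flow_inspected("user-pc", "stray-box")
    # Caveat the answer does not spell out: server-to-server traffic within VLAN 200
    # is L2-switched and never reaches the IDSM-2 either.
    out["server_to_server_same_vlan"] = sw.flow_inspected("web01", "web02")
    return out


if __name__ == "__main__":
    for name, inspected in demo().items():
        print(f"{name:32s} inspected={inspected}")
```

The two False results at the end are the ones to keep in mind when this design is sold as "all server traffic is inspected": only traffic that has to be routed by the MSFC crosses the pair, so a compromised server talking to its neighbour in VLAN 200 is invisible to the sensor.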

  • Compatible 6500 IOS version to support IDSM-2 Inline mode

    The 6500 model WS-SUP720-3BXL with IOS version 12.2(18)SXD4,
    and IDS card WS-SVC-IDSM-2 with sw 5.0(2)is compatible to run on inline mode.
    Regards,
    Viraj

    Good day,
    Hi, You need minimum sup-bootdisk:s3223-advipservicesk9_wan-mz.122-18.SXF7.bin IOS to enable INLINE mode on 6500 series.
    as per my knowledge,
    the latest IOS is
    sup-bootdisk:s3223-adventerprisek9_wan-mz.122-18.SXF13.bin.
    for IDSM-2, if you upgrade to Engine 2 IOS, you can get updates with E2 signatures and also you can manage it from the new management console like Cisco IPS Manager Express 6.1.
    I hope this will satisfy.

  • "The `Inline' mode also supports `Port-Channel'" ?

    Referring to this document:
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns224/ns377/deployment_guide_c07-490578.html
    it states:
    "The `Inline' mode also supports `Port-Channel', which enables load-balancing and `high-availability' should one of the physical link fails"
    is this true? I have a WAVE-474 which comes with 1 onboard port and 2 inline ports. Can you configure those 2 inline ports in a port channel and then use it with WCCP? I don't believe you can. Not sure what the document is referring to.
    I also have WAVE-574's and that one can do port-channel using two onboard GIG interfaces + WCCP.

    Hi Roman,
    Your judgement was right. You can not configure an inline interface in a port channel configuration.
    Here is the output from wae-612 running 4.1.5c . You will see that there is no option for port channel / channel-group with inline interface.
    WAE612-3(config)#int inlineGroup ?
      <1-4>/  Slot number
    WAE612-3(config)#int inlineGroup 1/0
    WAE612-3(config-if)#?
      autosense      Interface autosense
      bandwidth      Interface bandwidth
      encapsulation  Set encapsulation type for an interface
      exit           Exit from this submode
      failover       Modify failover parameters
      full-duplex    Interface fullduplex
      half-duplex    Interface halfduplex
      inline         VLAN's to intercept
      ip             Interface Internet Protocol Config commands
      no             Negate a command or set its defaults
      shutdown       Put the inline interface in passthrough mode
    WAE612-3(config-if)#exit
    WAE612-3(config)#int g 1/0
    WAE612-3(config-if)#?
      autosense      Interface autosense
      bandwidth      Interface bandwidth
      cdp            Cisco Discovery Protocol Interface Config commands
      channel-group  Configure EtherChannel group
      description    Interface specific description
      exit           Exit from this submode
      full-duplex    Interface fullduplex
      half-duplex    Interface halfduplex
      ip             Interface Internet Protocol Config commands
      mtu            Set the interface Maximum Transmission Unit (MTU)
      no             Negate a command or set its defaults
      shutdown       Shutdown the specific interface
      standby        Standby interface config commands
    WAE612-3(config-if)#
    Hope this helps.
    Regards.

  • IPS 45xx/43xx/42xx appliance and Catalyst 6500 Inline Mode issues

    Hello to everyone!
    We have recently got our new IPS 4510 appliance and for now there is a task to develop a connection scheme to our backbone multilayer switch (Catalyst 6500).
    There are several servers' and users' VLANs connected to the 6500.
    6500 performs inter-vlan routing.
    The main task is to "insert" IPS appliance between traffic path from any VLAN to server's VLANs.
    The additional task is to provide failover in "fail-open" manner (We have only one 4510 appliance. So if 4510 fails then traffic should continue passing without inspections).
    As I understood from this document https://supportforums.cisco.com/docs/DOC-12206 the only way to implement Inline Mode when using multilayer switch is to "take out" default gateway address for inspected subnet on the other VLAN's SVI.
    If we replace IDSM-2 with IPS appliance I suppose we can use hardware bypass feature as a failover measure (in case if IPS fails then traffic between bridged VLANs will still be forwarded).
    But what if there are several VLANs that should be monitored?
    As I understand, in such a schema we will need to use an additional interface-inline-pair for each monitored VLAN.
    But what if we have 20 VLANs for servers and 50 VLANs for users?
    Can using of VLAN-group mode handle this problem?
    I am not sure but using of VLAN-groups cannot provide bridging between two different VLANs. Am I right?
    And will using of VLAN-group make hardware-bypass feature useless?
    I tried to simulate the first scenario in Cisco Packet Tracer (I used a bridge to simulate an IPS appliance in interface-pair inline mode):
    May be this is a bug of Packet Tracer but traffic went through IPS only if it was sent from VLAN 10 to VLAN100.
    The return traffic from VLAN 100 to VLAN 10 went through the Catalyst directly.
    When the Catalyst received the frame it said:
    "The frame destination MAC address matches the MAC address of the active VLAN interface."
    After that it decapsulates the PDU from the Ethernet frame and sends the IP packet directly to VLAN 10.
    Does it mean that there is a need to change SVI's mac address?
    Thanks for any advice in advance.

    Here is my guess of how to realise my scenario:
    Config on Cat6k should look something like this:
    ip routing
    interface Ge1/0
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10-12,110-112
    switchport mode trunk
    switchport nonegotiate
    switchport vlan mapping enable
    switchport vlan mapping 110 10
    switchport vlan mapping 111 11
    switchport vlan mapping 112 12
    interface Ge1/1
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10-12
    switchport mode trunk
    switchport nonegotiate
    interface vlan 2
    ip address 10.0.2.1 255.255.255.0
    interface vlan 3
    ip address 10.0.3.1 255.255.255.0
    interface Vlan4
    ip address 10.0.4.1 255.255.255.0
    interface Vlan110
    ip address 10.0.10.1 255.255.255.0
    interface Vlan111
    ip address 10.0.11.1 255.255.255.0
    interface Vlan112
    ip address 10.0.12.1 255.255.255.0
    no interface Vlan10
    no interface Vlan11
    no interface Vlan12
    IPS should operate in VLAN-group inline mode. We could separate traffic by VLAN tag to inspect with different virtual sensors or we use one VS for all trunk traffic.
    Traffic routed from any VLAN to VLANs 10-12 should go through IPS.
    In case if IPS gets powered off - hardware-bypass feature should provide bridging between trunk ports.
    In theory it should work.
    It remains to test it in practice.
    Thoughts / suggestions?    

  • How can i use IDSM-2 in inline mode for more than two VLANs?

    can i use the IDSM-2 in inline mode to be ips to more than two VLANS
    like this or it isn't
    intrusion-detection module 5 data port 1 access-vlan 10,20,30,40,50
    intrusion-detection module 5 data port 1 access-vlan 100,200
    thank you all for your help

    The IDSM-2 ports need to be configured as trunk ports with multiple vlans rather than as access ports.
    http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517eb.html#wp1068377
    And instead of creating an inline interface pair by pairing Gig0/7 with Gig0/8 within the IDSM-2 configuration, you would create inline vlan pairs.
    With an inline vlan pair you pair 2 vlans on the same interface.
    You can have up to 255 inline vlan pairs on each interface (assuming you keep the total traffic from all of the pairs within the IDSM-2s performance limit of around 500Mbps)
    How to create inline vlan pairs:
    http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517bb.html#wp1047852
    The other aspect you need to be aware of is that not all IOS versions will support configuring the IDSM-2 data ports as trunk ports for inline vlan pairs.
    Your best bet is to use 12.2(18)SXF4 or a later version on the 12.2(18)SXF train.
    The 12.2(33)SR train does not currently support the trunk feature for the IDSM-2.
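The answer above says what has to change (trunk instead of access, one inline VLAN pair per protected VLAN, at most 255 pairs per interface) but leaves the bookkeeping to the reader. The script below is an added example, written for this page rather than taken from Cisco or the thread: it takes a list of (vlan1, vlan2) pairs, rejects the combinations the module cannot accept (a VLAN reused across pairs on the same interface, a pair of identical VLANs, more than 255 pairs, VLANs outside 1-4094; the last two bounds are assumptions stated in the constants), and prints the sensor-side `service interface` block in the layout used earlier in this thread together with the IOS `intrusion-detection module ... trunk allowed-vlan` line. The slot and port numbers are placeholders.

```python
from typing import Dict, List, Sequence, Tuple

MAX_PAIRS_PER_INTERFACE = 255   # limit quoted in the answer above
VLAN_MIN, VLAN_MAX = 1, 4094    # assumed usable 802.1Q VLAN ID range

Pair = Tuple[int, int]


def validate_pairs(pairs: Sequence[Pair]) -> List[str]:
    """Reasons a pair list cannot be applied to a single IDSM-2 data interface."""
    errors: List[str] = []
    if len(pairs) > MAX_PAIRS_PER_INTERFACE:
        errors.append(f"{len(pairs)} pairs exceeds {MAX_PAIRS_PER_INTERFACE} per interface")
    used: Dict[int, int] = {}  # VLAN -> first subinterface that claimed it
    for idx, (v1, v2) in enumerate(pairs, start=1):
        for v in (v1, v2):
            if not VLAN_MIN <= v <= VLAN_MAX:
                errors.append(f"pair {idx}: VLAN {v} out of range")
        if v1 == v2:
            errors.append(f"pair {idx}: vlan1 and vlan2 are both {v1}")
        for v in (v1, v2):
            if v in used and used[v] != idx:
                errors.append(f"pair {idx}: VLAN {v} already used by pair {used[v]}")
            used.setdefault(v, idx)
    return errors


def idsm2_inline_vlan_pairs(interface: str, pairs: Sequence[Pair]) -> str:
    """Sensor CLI for the pairs, one subinterface per pair (same layout as Justin's block)."""
    errs = validate_pairs(pairs)
    if errs:
        raise ValueError("; ".join(errs))
    lines = ["service interface",
             f"physical-interface {interface}",
             "admin-state enabled",
             "subinterface-type inline-vlan-pair"]
    for idx, (v1, v2) in enumerate(pairs, start=1):
        lines += [f"subinterface {idx}",
                  f"vlan1 {v1}",
                  f"vlan2 {v2}",
                  f"description pair-{v1}-{v2}",
                  "exit"]
    lines += ["exit", "exit", "exit"]   # back out of inl, phy, int submodes
    return "\n".join(lines)


def compress_vlans(vlans: Sequence[int]) -> str:
    """Sorted, de-duplicated, range-compressed list: 1,2,3,5,10,11 -> '1-3,5,10-11'."""
    s = sorted(set(vlans))
    out: List[str] = []
    i = 0
    while i < len(s):
        j = i
        while j + 1 < len(s) and s[j + 1] == s[j] + 1:
            j += 1
        out.append(str(s[i]) if i == j else f"{s[i]}-{s[j]}")
        i = j + 1
    return ",".join(out)


def ios_idsm2_trunk(slot: int, data_port: int, pairs: Sequence[Pair]) -> str:
    """Catalyst IOS side: trunk both VLANs of every pair to the module's data port."""
    vlans = [v for pair in pairs for v in pair]
    return "\n".join([
        f"intrusion-detection module {slot} data-port {data_port} "
        f"trunk allowed-vlan {compress_vlans(vlans)}",
        f"intrusion-detection module {slot} data-port {data_port} autostate include",
    ])


if __name__ == "__main__":
    # Constructed example: five protected VLANs, each bridged to its own helper VLAN.
    pairs = [(10, 110), (20, 120), (30, 130), (40, 140), (50, 150)]
    print(idsm2_inline_vlan_pairs("GigabitEthernet0/7", pairs))
    print()
    print(ios_idsm2_trunk(5, 1, pairs))
    # What the original question tried: the same VLAN in two pairs is refused.
    print()
    print(validate_pairs([(10, 110), (10, 120)]))
```

Generating both halves from one pair list is the practical safeguard here: the most common failure after cutting over is a VLAN present on the sensor's subinterface but missing from the switch's `allowed-vlan` list (or the reverse), which silently black-holes that subnet once its SVI has been moved.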

  • IDSM-2 load balancing on inline mode is it possible ..?

    Hi there .. I am currently working on a project and need to find out whether EtherChannel load balancing can be configured between several IDSM-2 running in inline mode. The IPS 5.1 admin guide states that it is possible for IOS based switches having the IDSM-2 configured in promiscuous mode, however I have heard that it might also be possible to configure EtherChannel load balancing when the IDSM-2s are in inline mode. Any help .. comments will be appreciated .. any links to refer to will be even better
    Thanks !!!

    To configure EtherChannel load balancing on IDSM-2, you must install Cisco IOS 12.2(18)SXE and have Supervisor Engine 720. Cisco IOS only supports promiscuous IDSM-2 EtherChanneling using VACL capture (not SPAN or monitor). Refer the URL
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1044800

  • Idsm 2- Inline Mode Deployment

    I would like to configure an IDSM-2 in inline mode, I am having trouble about the deployment, I have a couple of questions;
    1. If you configure 2 VLANs (existing) as VLAN pairs does this mean the exist connection between the 2 VLANs is broken?
    ie they can only communicate to each other via IPS.
    2. Where is the best place to deploy this type of IPS?

    In an inline VLAN-pair scenario, the IDSM2 will bridge the VLANs together using VLAN tag swapping.  Below is a quick topo sketch of an inline design where this might be used.
    6500 MSFC--VL10--(inside) FWSM (outside)--VLAN 11--IDSM--VLAN 111--RTR--INTERNET
    In the example above, the FWSM outside and RTR inside interfaces sit on the same Layer 3 subnet but different Layer 2 VLANs.  The IDSM is positioned inline using an inline VLAN-pair.  Traffic leaving the FWSM towards the Internet will go into the trunk to the IDSM on VLAN 11.  The IDSM will then swap the VLAN tag to 111 before forwarding the packet down the trunk.  This process allows the traffic to be influenced into the IDSM for inspection.
    http://www.cisco.com/en/US/customer/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047718

  • Router NME IPS - use promiscuous and inline mode simultaneous

    Hi all,
    we are using the IPS module NME-IPS-K9 on a Cisco 2951 router. We would like to use the IPS in promiscuous and inline mode simultaneously. For example, traffic from a client to a server should pass through the IPS. But the IPS should only receive a copy of the VoIP traffic.
    In the interface configuration mode the following command is set.
         ids-service-module monitoring promiscuous access-list 101
    If I try to set a interface to inline mode I get the following message:
         "Only either Inline or Promiscuous
         monitoring is supported on the router at one time.
         Please remove Promiscuous monitoring on all interfaces
         before configuring Inline monitoring. Only either Inline or Promiscuous
         monitoring is supported on the router at one time.
         Please remove Promiscuous monitoring on all interfaces
         before configuring Inline monitoring."
    Is there any way to use promiscuous and inline monitoring at the same time? Is there a firmware update available which includes this feature? Any other ideas?
    IOS version of the router: 15.0(1)M4
    IPS version:  7.0(2)E4
    Kind Regards

    In promiscuous mode your sensor doesn't affect the traffic; it only listens to and analyzes it.
    In inline mode you direct all the traffic on the network segment you want to protect to the IPS, and it analyzes it and blocks some actions according to your settings.
    That is the main difference. Which mode to prefer must be your decision.

  • Can I use IDSM-2 to monitor in inline-mode multiple pair of vlans?

    my customer wants to have IDSM-2 in inline mode for monitoring VLANs that are routed through the PIX firewalls.
    These VLANs are defined on the Cat 6500 switch where the IDSM-2 resides.
    They want to have one external vlan to be paired with 4 internal vlans.
    As far as I know the inline VLAN pairs configuration only support one to one vlan pairing.
    What's the best of doing this?

    Yes, you can very well use the IDSM for monitoring multiple VLANs.
    Refer to the configuration guide of the IDSM for more information
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html

  • IDSM-2 and inline mode

    Hello
    I have a question about IDSM-2 (in Catalyst 6500) and IPS 6.0.3 and inline mode. I wanted to create VLAN groups, so I could have inline IPS with many virtual sensors for subinterfaces (VLAN ranges).
    I tried:
    set trunk 5/7 1-4095 (on switch)
    set trunk 5/8 1-4095 (on switch)
    and in the IDSM-2 CLI:
    I created an inline interface (using 5/7 and 5/8 ports), but after that I could not create VLAN groups on the physical interface. Why?
    How can i make my IDSM-2 card working inline with many virtual sensors (policies) per different vlans ?

    I found my answer in the IDSM-2 document: "You can mix sensing modes on IDSM-2. For example, you can configure one data port for promiscuous mode and the other data port for inline VLAN pair mode. But because IDSM-2 only has two data ports and inline mode requires the use of both data ports as a pair, you cannot mix inline mode with either of the other two modes." But something else: suppose that I have sig 2004 configured for inline traffic to deny the attacker inline; then this action doesn't make any sense for some data in passive mode, and suppose that for the kind of traffic for which the IDSM-2 is operating in passive mode I want to just send an alert. So can I use different VS for doing this? Thanks.

  • IDSM-2 Inline mode

    Hi,
    I am working with the IDSM-2, We have Cisco 6509 with CSM & FWSM, We are planning IDSM-2 in Inline mode and now i want to monitor the traffic which is coming through Outside Interface of the FW context ( Which is nothing but a VLAN A, VLAN B, Vlan C. on MSFC )
    Data flow :-- ISP RTR---INternal RTR---FWSM---IDSM---MSFC---CSM---
    IDSM version is 5.1(4)S257.0,
    This will support only Two VLAN (IN and OUT) on access mode.
    My problem is I don't know how to scan the traffic of 3 numbers of VLAN (A,B,C).
    Cisco 6509 --- Version 12.2(18)SXF7,

    Hi Udaya,
    I am not able to find out any subinterface.
    I think it is available from IPS 5.1 and this one is IPS5.0(2)
    IDSM2CORE2(config-int)# show settin
    physical-interfaces (min: 0, max: 999999999, current: 3)
    name: GigabitEthernet0/2
    media-type: backplane
    description:
    admin-state: enabled
    duplex: auto
    speed: auto
    alt-tcp-reset-interface
    none
    name: GigabitEthernet0/7
    media-type: backplane
    description:
    admin-state: enabled
    duplex: auto
    speed: auto
    alt-tcp-reset-interface
    interface-name: System0/1
    name: GigabitEthernet0/8
    media-type: backplane
    description:
    admin-state: enabled
    duplex: auto
    speed: auto
    alt-tcp-reset-interface
    interface-name: System0/1
    command-control: GigabitEthernet0/2
    inline-interfaces (min: 0, max: 999999999, current: 0)
    bypass-mode: auto
    interface-notifications
    missed-percentage-threshold: 0 percent
    notification-interval: 30 seconds
    idle-interface-delay: 30 seconds

  • IDSM-2 Inline mode operation - cat6000 Hybrid

    Hello, is the inline mode operation on the IDSM-2 IPS 5.1 only supported with catos 8.4(1)?
    Thanks!

    I agree, the IPS 5.1 release notes http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/prod_release_note09186a0080574954.html#wp1068104 says it requires 8.5(1) go figure.

  • Changing IPS from promiscous mode to Inline mode

    Hi Experts,
    We are changing our IPS (AIP-SSM-10) mode of operation from promiscuous to inline mode. Are there any caveats or anything I need to take into consideration before doing the switch? Is there a possibility to roll back in case something doesn't go the way we planned?
    I look forward to your responses.

    Changing from promiscuous to inline and back is done with the ips command in the ASA MPF config. So if you run into problems you can easily switch back.
    What you should do before changing to inline:
    - check your alerts for false positives and eliminate them first.
    - if you can't eliminate all of them, make sure that the risk rating doesn't exceed the threshold for the automatic deny action, if configured.
    - and of course keep monitoring your events after the switch to inline.
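The second bullet above is the one that bites: an alert that only produced an event in promiscuous mode becomes a dropped packet once the sensor is inline and the risk rating reaches the deny override. The script below is an added example, not code from the thread or from Cisco. It scores a constructed set of alerts with the documented core formula RR = ASR × TVR × SFR / 10000, subtracts the signature's promiscuous delta only while the sensor is promiscuous (the 6.x behaviour; the attack relevance and watch list terms are left out), and reports three lists before the cut-over: signatures that will be auto-denied inline, those among them the operator has already marked as false positives, and signatures that stay under the threshold only because the promiscuous delta is currently being subtracted. The threshold of 90, the signature numbers and all rating values are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Alert:
    sig_id: int
    asr: int    # attack severity rating, from the signature
    tvr: int    # target value rating, from the asset-value configuration
    sfr: int    # signature fidelity rating
    pd: int     # promiscuous delta carried by the signature
    count: int  # how often it fired while the sensor was promiscuous


def risk_rating(a: Alert, promiscuous: bool) -> int:
    """Core RR = ASR*TVR*SFR/10000, clamped to 0..100.
    The promiscuous delta is subtracted only while the sensor is promiscuous,
    so the same event scores higher once the sensor is inline."""
    rr = a.asr * a.tvr * a.sfr / 10000
    if promiscuous:
        rr -= a.pd
    return int(max(0, min(100, round(rr))))


def preflight(alerts: Iterable[Alert],
              deny_threshold: int = 90,
              known_false_positives: FrozenSet[int] = frozenset()) -> Dict[str, List[int]]:
    """What changes when the deny override starts to apply."""
    alerts = list(alerts)
    would_deny = sorted({a.sig_id for a in alerts
                         if risk_rating(a, promiscuous=False) >= deny_threshold})
    tune_first = [s for s in would_deny if s in known_false_positives]
    crosses_only_inline = sorted({a.sig_id for a in alerts
                                  if risk_rating(a, True) < deny_threshold
                                  <= risk_rating(a, False)})
    return {"would_deny": would_deny,
            "tune_first": tune_first,
            "crosses_only_inline": crosses_only_inline}


# Constructed sample: four signatures as seen over a week of promiscuous operation.
SAMPLE_ALERTS = [
    Alert(sig_id=2004, asr=25,  tvr=100, sfr=100, pd=0, count=3000),  # ICMP echo, noise
    Alert(sig_id=5081, asr=100, tvr=100, sfr=95,  pd=0, count=40),    # fires on a legit app
    Alert(sig_id=3030, asr=100, tvr=100, sfr=92,  pd=5, count=12),    # 87 prom. / 92 inline
    Alert(sig_id=1204, asr=75,  tvr=100, sfr=100, pd=0, count=7),
]


def run_sample() -> Dict[str, List[int]]:
    return preflight(SAMPLE_ALERTS, deny_threshold=90, known_false_positives=frozenset({5081}))


if __name__ == "__main__":
    for key, sigs in run_sample().items():
        print(f"{key:22s} {sigs}")
```

Everything in `tune_first` needs an event action filter or a fidelity adjustment before the `ips ... inline` change, and `crosses_only_inline` is the list nobody sees in the promiscuous event log, because those alerts never reached the threshold while the delta was being subtracted.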

  • Possible to use inline mode with Port Channel

    Hi,
    Just wondering if anyone has used inline mode with a Port Channel configuration placing a WAE device between router and switch. Any tips or gotchas to be concerned about? We currently have inline mode running at this location but the site would want redundancy built in through a port channel.
    kind regards,
    Nigel

    Hi Nigel,
    This is not supported :
    Taken from here :
    http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v531/command/reference/cmdr/glob_cfg.html#wp1532575
    Best regards
    Finn Poulsen
