Multiple IDSM-2 in C6500

Hi, there
Can I put TWO IDSM-2 in a single C6500 chassis and bundle them together to run in IDS mode, in order to have higher throughput? I am reluctant to run IPS mode. Thanks.

Hi,
You can use two - in fact Cisco sells a bundle of four in one chassis to get 2-Gbps performance:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_data_sheet0900aecd804b91d7.html
The maximum supported is 8 in one chassis.
HTH
Andrew.

Similar Messages

  • IDSM in redundant switching environment

    I have two 6500 switches/routers trunked to each other serving various devices. The two switches are installed for the purpose of redundancy and the same VLANs are configured on both. My question is related to deploying IDSM-2 blades in this environment. Can I just use a single blade in one switch and still be able to monitor the desired VLANs' traffic through VACL or SPAN/VSPAN/RSPAN, or do I need two IDSM blades, one in each switch? Has anyone deployed IDS in this environment, and what are the benefits of deploying 2 (one in each) versus 1?

    RSPAN is generally the method of choice for these types of configurations.
    The packets from both switches can then be monitored by a single IDSM-2 in one switch.
    You can also provide some redundancy by placing a second IDSM-2 in the other switch, and have both IDSM-2s monitoring the exact same traffic (each IDSM-2 is monitoring packets from both switches).
    You will get duplicate alarms (one from each IDSM-2) when both are running, but it will ensure you do not miss any alarms if one of the switches should happen to go down for maintenance or power loss.
    There are other deployment options, but these depend on some specifics that you will need to analyze:
    Do you have asymmetric traffic?
    Quite often in these types of setups, both switches are carrying traffic at the same time, and on occasion the client traffic will go through one switch, but the server response traffic will come through the other switch. For the IDSM-2 to properly track these connections it needs to see traffic from both switches. So if asymmetric traffic patterns exist, then RSPAN needs to be used so both switches can be monitored by a single IDSM-2.
    If asymmetric traffic does not exist, then the IDSM-2 does not need to monitor both switches.
    You could deploy an IDSM-2 in each switch. Then, using either SPAN or VACL capture, the IDSM-2 could monitor just the traffic flowing through the switch where it is located.
    What are the traffic rates?
    The IDSM-2 has an upper performance limitation of 600 Mbps. If you are forced to use RSPAN because of asymmetric traffic patterns, then you will only have the ability to monitor 600 Mbps and must choose wisely what will be RSPANed to the IDSM-2.
    If you do not have asymmetric patterns then you can at least use 2 IDSM-2s (one in each switch) and possibly more (see below).
    Is the traffic being routed by the switch/MSFC?
    If no traffic is being routed by the switch, and you do not have asymmetric traffic patterns, then you are in luck. This is the easiest deployment scenario. You can have multiple IDSM-2s in each switch. Each IDSM-2 would be configured to monitor one or more VLANs using VACL capture. The performance limitation is 600 Mbps times the number of IDSM-2s you purchase and can fit in the switch.
    If traffic is being routed, however, you once again run into a situation where a single IDSM-2 has to monitor all of the VLANs in the switch (when using VACL capture). There is an interaction with the routing features of the switch/MSFC which forces a single IDSM-2 (per switch, if no asymmetric traffic patterns) to be used to monitor all of the VLANs in that switch.
    And you are now limited to the 600 Mbps limitation (or 2*600 Mbps if you place one in each switch and there are no asymmetric traffic patterns).

  • Can I use IDSM-2 to monitor in inline-mode multiple pair of vlans?

    My customer wants to have IDSM-2 in inline mode for monitoring VLANs that are routed through the PIX firewalls.
    These VLANs are defined on the Cat 6500 switch where the IDSM-2 resides.
    They want to have one external VLAN paired with 4 internal VLANs.
    As far as I know, the inline VLAN pair configuration only supports one-to-one VLAN pairing.
    What's the best way of doing this?

    Yes, you can very well use the IDSM for monitoring multiple VLANs.
    Refer to the configuration guide of the IDSM for more information
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html

  • How can i use IDSM-2 in inline mode for more than two VLANs?

    Can I use the IDSM-2 in inline mode to be IPS for more than two VLANs,
    like this, or not?
    intrusion-detection module 5 data port 1 access-vlan 10,20,30,40,50
    intrusion-detection module 5 data port 1 access-vlan 100,200
    Thank you all for your help.

    The IDSM-2 ports need to be configured as trunk ports with multiple vlans rather than as access ports.
    http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517eb.html#wp1068377
    And instead of creating an inline interface pair by pairing Gig0/7 with Gig0/8 within the IDSM-2 configuration, you would create inline vlan pairs.
    With an inline vlan pair you pair 2 vlans on the same interface.
    You can have up to 255 inline vlan pairs on each interface (assuming you keep the total traffic from all of the pairs within the IDSM-2's performance limit of around 500Mbps).
    How to create inline vlan pairs:
    http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517bb.html#wp1047852
    The other aspect you need to be aware of is that not all IOS versions will support configuring the IDSM-2 data ports as trunk ports for inline vlan pairs.
    Your best bet is to use 12.2(18)SXF4 or a later version on the 12.2(18)SXF train.
    The 12.2(33)SR train does not currently support the trunk feature for the IDSM-2.

  • Configuring the Catalyst 6500 Switch for IPS Inline Operation of the IDSM

    I understand how to configure the Catalyst 6500 switch so that the monitoring ports are access ports in two separate VLANs for inline operation.
    However, I don't see any documentation that describes how the desired VLAN traffic gets forced through the IPS.
    In promiscuous mode, you can use VACLs to copy/capture and forward the desired traffic to the IDSM for analysis. I'm not seeing how to get the desired traffic through the IPS.
    Note that the host 6500 is running native IOS 12.2(18)SXE.
    Thanks for any assistance.

    A transparent firewall is a fairly good comparison.
    Let's say you have vlan 10 with 100 PCs and 1 Router for the network.
    If you want to apply a transparent firewall on that vlan you can not simply put one interface of the firewall on vlan 10. Nothing would go through the firewall.
    Instead you have to create a new vlan, let's say 1010. Now you place one interface of the firewall on vlan 10 and the other on vlan 1010. Still nothing is going through the firewall. So now you move that Router from vlan 10 to vlan 1010. All you do is change the vlan, the IP Address and netmask of the router stay the same.
    The transparent firewall bridges vlan 10 and vlan 1010. The PCs on vlan 10 are still able to communicate to and through the router, but must go through the transparent firewall to do so.
    The firewall is transparent because it does not IP route between 2 vlans; instead the same IP subnet exists on both vlans and the firewall transparently bridges traffic between the 2 vlans.
    The transparent firewall can do firewalling between the PCs on vlan 10 and the Router on vlan 1010. But if PC A on vlan 10 talks to PC B on vlan 10, then the transparent firewall does not see and can not block that traffic.
    An InLine sensor is very similar to the transparent firewall and will bridge between the 2 vlans. And similarly an InLine sensor is able to InLine monitor traffic between PCs on vlan 10 and the Router on vlan 1010, but will not be able to monitor traffic between 2 PCs on vlan 10.
    Now the router on one vlan and the PCs on the other vlan is a typical deployment for inline sensors, but your vlans do not Have to be divided that way. You could choose to place some servers in one vlan, and desktop PCs in the other vlan. You subdivide the vlans in what ever method makes sense for your deployment.
    Now for monitoring multiple vlans the same principle still applies. You can't monitor traffic between machines on the same vlan. So for each of the vlans you want to monitor you will need to create a new vlan and split the machines between the 2 vlans.
    In your case with Native IOS you are limited to only 1 pair of vlans for InLine monitoring, but your desired deployment would require 20 vlan pairs.
    The 5.1 IPS software has now the capability to handle the 20 pairs, but the Native IOS software does not have the capability to send the 40 vlans (20 pairs) to the IDSM-2.
    The Native IOS changes are in testing right now, but I have not heard a release date for those changes.
    Now Cat OS has already made these changes. So here is a basic breakdown of what you could do in Cat OS and you can use in preparation for a Native IOS deployment when it gets released.
    For vlans 10-20, and 300-310 that you want monitored you will need to break each of those vlans in to 2 vlans.
    Let's say we make it simple and add 500 to each vlan in order to create the new vlan for each pair.
    So you have the following pairs:
    10/510, 11/511, 12/512, etc...
    300/800, 301/801, 302/802, etc....
    You set up the sensor port to trunk all 40 vlans:
    set trunk 5/7 10-20,300-310,510-520,800-810
    (Then clear all other vlans off that trunk to keep things clean)
    In the IDSM-2 configuration create the 20 inline vlan pairs on interface GigabitEthernet0/7
    Now on each of the 20 original vlans move the default router for each vlan from the original vlan to the 500+ vlan.
    At this point you should ordinarily be good to go. The IDSM-2 won't be monitoring traffic that stays within each of the original 20 vlans, but Would monitor traffic getting routed in and out of each of the 20 vlans.
    Because of a switch bug you may have to have an additional PC moved to the same vlan as the router if the switch/MSFC is being used as the router and you are deploying with an IDSM-2.

  • IDSM-2 "redundancy" in a single chassis

    I understand how IDSM-2 redundancy could work having two 6500's...but what do you do when you are doing inline vlan pairs and the IDSM-2 fails and is no longer there to bridge the vlans together? How can the switch be setup to bridge the vlans in the event that the IDSM-2 fails?
    Also, instead of pairing all the vlans that have SVI's on the FWSM, could I just pair the FWSM's VLAN/SVI on the MSFC with another vlan and get the same effect as pairing all the vlans that are on the FWSM? Thanks.

    I haven't tried this inside a 6500 chassis, but this works externally:
    Set up your in-line sensors as multiple alternate paths connecting the two VLANs together and use spanning tree to assign one sensor path a higher STP cost. Once the primary sensor fails the traffic should re-route to the standby sensor. If you play with the STP settings you can get the switchover time down under a second.

  • IPS mode with IDSM-2 module on Cat6K

    Hi,
    I have installed the IDSM-2 module on the Catalyst 6509 switch. Now I was referring to the configuration guide for IPS 6.0; there are multiple modes I can configure, like inline, inline VLAN pair, promiscuous and VLAN group mode, so I'm thinking which one would be the best solution...
    The Catalyst 6509 is acting as the core/distribution with multiple VLANs (around 20 VLANs) configured, and the customer wants the IPS to be deployed in such a way that it covers the traffic from all the VLANs.
    Also note that there is a redundant Cat6509 switch which also has the IDSM-2 module installed, so can both IDSM-2 modules be installed in an active/standby or active/active combination?
    Can someone throw some light on this, please?
    Regards
    Vijay.

    A sensor can enter bypass mode for several reasons, including, but not limited to:
    1) Analysis Engine reconfiguration
    2) Global Correlation updates
    3) Daily Signature DB self purge
    4) sensorApp failure
    Most of these reasons are benign. I have written Supportability Enhancement CSCtg69012 so that each bypass log will show the reason for entering bypass mode.
    The bug is available via the CCO Bug Toolkit: http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs.
    You may review the bug and click on the "Save Bug" button at the bottom of the page to receive email updates as changes are made to the bug's state.
    To fully diagnose your issue, I suggest opening a TAC case where we will request a "show tech," including debug level logs. This will allow us to see what is triggering the sensor to enter bypass mode.
    Thank you,
    Blayne Dreier
    Cisco TAC IDS Team
    **Please check out our Podcast**
    TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

  • IDSM-2 email question

    I have a 6500 with an IDSM-2.  I'm getting request for email notification on certain signature hits and need to know if it's possible before spending a lot of time configuring.. Thanks in advance for any replies...
    Here's the scenario:
    I currently have the IDSM-2 inline on the outside of our network.... 
    Internet ---> Router----> IDSM-2---FWSM---> Router ---->internal network
    I know this is not the conventional way to use it (per Cisco's TAC engineers), but it works in this solution. I have multiple PAT addresses on the FWSM. If one is blocked by the IDSM-2 they'd like to get a notification. That would mean something inside is generating suspicious traffic outbound. They have internal systems that check this as well but they'd like an email just for the PATs only...
    All other blocks will go to through the normal notification processes....

    There isn't an option for Emailing alerts from the IPS Sensors (including the IDSM).
    You can configure all your blocking signatures to generate an SNMP trap and have your SNMP receiver alert you to the event.
    _ bob

  • Idsm 2- IPS Deployment

    I would like to configure an IDSM-2 in inline mode. I am having trouble with the deployment and have a couple of questions:
    1. If you configure 2 VLANs (existing) as VLAN pairs, does this mean the existing connection between the 2 VLANs is broken?
    i.e. they can only communicate with each other via the IPS.
    2. Where is the best place to deploy this type of IPS?

    Hello
    1. If configured properly, it will definitely not break any connectivity (it's a bump in the wire). Of course, if some traffic is denied by an IPS signature itself, that is a different matter. Please see this example for more help:
    http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_configuration_example09186a0080876d9f.shtml
    2. Inline mode is deployed where you want proactive protection and the IPS box you have has sufficient throughput and other resources to monitor that segment of your network (or multiple segments, for that matter).
    Regards
    Farrukh

  • IDSM-2 best practices

    Hi,
    How many types of signatures need to be enabled when deploying IDSM-2 in a data center behind an FWSM?
    Thanks

    Thank you for your response!
    We are planning to deploy IDSM-2 at a client site. The customer is asking a few things:
    1. If we install it in promiscuous mode, then what will be the best utilization and design for this module, and how to configure it?
    2. If we install it in inline mode, then what will be the best utilization and design for this module, and how to configure it?
    Let me explain a few things:
    They have multiple VLANs in a Cisco 6509 switch and the servers are placed behind the firewall (FWSM); they want to inspect all VLAN traffic forwarded towards the server farm.
    To fulfill their requirements, we recommended that they install IDSM-2 in promiscuous mode, as this module has less throughput, and also advised them to keep the signatures in IDSM-2 up to date. On our recommendation, they want some experts to weigh in or advise if there is some other best-practice design for installing IDSM-2 in their network.
    I would really appreciate it if you added your valuable input in this regard, as we have to deploy this module this coming weekend. Your early response will be highly appreciated.
    Thanks in advance!

  • IDSM on catalyst 6500 to provide IOS Inline mode support

    I am currently evaluating what kind of method to apply in my 6500. I would like to ask if IOS version 12.2(33)SXI2a supports inline mode and inline VLAN pair mode with IDSM-2. What configuration should be done on the switch in order for the multiple-VLAN traffic to flow through an inline interface of the IDSM-2? In my case I have 16 user VLANs and 1 server VLAN on the Catalyst 6500. The task is to protect the servers from users. The requirement is to configure inline mode to monitor the traffic from these 16 VLANs when they access the servers. But as we know, the IDSM-2 has only two logical sensing ports. So my question is, how will you configure the switch to forward the traffic from these 16 VLANs to the IDSM-2 module via only ONE sensing port, since the other sensing port will be configured in the server VLAN? Because as far as I know, when you configure inline mode on IOS, you have to configure the sensing ports in access mode (while in CatOS, you configure these as TRUNK ports). But this only works when you have two VLANs. In my case, I have 16 VLANs to monitor in inline mode. Please suggest any solution.
    Any urgent reply will be much appreciated...
    Many Thanks in advance

    Hi Mubin,
    If you're looking to monitor all the traffic from the user VLANs to the server VLANs, then the simplest way to configure the IDSM-2 would be inline on the server VLAN segment. All traffic destined to the servers (from the users or anywhere else) has to traverse that VLAN. Assuming you have something like this to start:
    VLAN 100-120 (users) ====== Switch ------ VLAN 200 (servers)
    you'd drop the IDSM-2 inline on VLAN 200 by using a helper VLAN:
    VLAN 100-120 (users) ====== Switch ----- VLAN 201 (server gateway) ----- IDSM-2 (bridging 201 to 200) ----- VLAN 200 (servers)
    To do this you'll need to perform the following steps:
    1.  Designate a new VLAN to use as a helper VLAN for your current server VLAN.  I'll use 201 for this example and assume your current server VLAN is 200.
    Create the helper VLAN on the switch:
    switch# conf t
    switch(config)# vlan 201
    2.  Configure the IDSM-2 to bridge the helper VLAN and the server VLAN (200-201)
    sensor# conf t
    sensor(config)# service interface
    sensor(config-int)# physical-interface GigabitEthernet0/7
    sensor(config-int-phy)# admin-state enabled
    sensor(config-int-phy)# subinterface-type inline-vlan-pair
    sensor(config-int-phy-inl)# subinterface 1
    sensor(config-int-phy-inl-sub)# vlan1 200
    sensor(config-int-phy-inl-sub)# vlan2 201
    sensor(config-int-phy-inl-sub)# description Server-Helper pair
    sensor(config-int-phy-inl-sub)# exit
    sensor(config-int-phy-inl)# exit
    sensor(config-int-phy)# exit
    sensor(config-int)# exit
    Apply Changes:?[yes]:
    3.  Configure the switch to trunk the helper and server VLANs to the IDSM-2 module.  I assume the module is in slot 5 in the example.  Replace the 5 with the correct slot for your deployment:
    switch# conf t
    switch(config)# intrusion-detection module 5 data-port 1 trunk allowed-vlan 200,201
    switch(config)# intrusion-detection module 5 data-port 1 autostate include
    *Warning! This next step may cause an outage if everything is configured correctly.  You'll probably want to schedule a window to do this.*
    4.  Finally, force the traffic from the server VLAN through the IDSM-2 by moving the server VLAN gateway from VLAN 200 (where it is currently) to the helper VLAN you created.  To do this, remove the SVI from VLAN 200 and apply the same IP address to VLAN 201.  I assume the current server gateway is 192.168.1.1/24
    switch# conf t
    switch(config)#int vlan 200
    switch(config-int)#no ip addr
    switch(config-int)#int vlan 201
    switch(config-int)#ip addr 192.168.1.1 255.255.255.0
    switch(config-int)#exit
    switch(config)#exit
    switch# wr mem
    Now, when the servers try to contact 192.168.1.1 (their gateway) they'll have to be bridged through the IDSM-2 to reach VLAN 201 and in the process all traffic destined to them or sourced from them will be inspected.  Do not put any hosts or servers in the helper VLAN (201) or they will not be inspected.
    Best Regards,
    Justin
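The helper-VLAN procedure in the CatOS answer earlier in this thread (VLANs 10-20 and 300-310, +500 offset, trunk all 40 VLANs, move each gateway) and Justin's IOS steps above are worth scripting before a change window, because a helper VLAN that already exists on the switch silently merges two segments instead of forcing traffic through the sensor. The Python below is an added example, not code from this thread or from Cisco: it plans the pairs, rejects helper VLANs that collide with VLANs already in use, applies the 255-pairs-per-interface and 600 Mbps-per-module figures quoted in the thread as constants, and renders the switch and sensor commands in the form shown above. The slot number, VLAN lists and gateway address are constructed sample values.

```python
"""Plan IDSM-2 inline VLAN pairs and render the matching switch/sensor CLI.

Added example (not from the thread or from Cisco). Figures quoted in the
thread are used as constants: up to 255 inline VLAN pairs per sensing
interface and roughly 600 Mbps of inspection per IDSM-2 module.
"""
from dataclasses import dataclass
from typing import Iterable, List

MAX_PAIRS_PER_INTERFACE = 255   # per-interface limit quoted in the thread
IDSM2_MBPS = 600                # per-module throughput ceiling quoted in the thread


@dataclass(frozen=True)
class VlanPair:
    original: int   # VLAN the hosts stay in (inspected side)
    helper: int     # new VLAN the gateway SVI moves to (other side of the bridge)


def plan_pairs(monitored: Iterable[int], existing: Iterable[int],
               offset: int = 500) -> List[VlanPair]:
    """One pair per monitored VLAN, helper = original + offset (the thread's +500 trick).

    Rejects a helper VLAN that is out of range, already in use on the switch
    (including another monitored VLAN), or chosen twice, and refuses to plan
    more pairs than a single sensing interface supports.
    """
    monitored = sorted(set(monitored))
    in_use = set(existing) | set(monitored)
    pairs, helpers = [], set()
    for vlan in monitored:
        helper = vlan + offset
        if not 1 <= vlan <= 4094 or not 1 <= helper <= 4094:
            raise ValueError(f"VLAN {vlan}/{helper} outside 1-4094")
        if helper in in_use or helper in helpers:
            raise ValueError(f"helper VLAN {helper} for VLAN {vlan} is already in use")
        helpers.add(helper)
        pairs.append(VlanPair(vlan, helper))
    if len(pairs) > MAX_PAIRS_PER_INTERFACE:
        raise ValueError(f"{len(pairs)} pairs exceed {MAX_PAIRS_PER_INTERFACE} per interface")
    return pairs


def modules_needed(total_mbps: int) -> int:
    """How many IDSM-2s the aggregate inline load needs at 600 Mbps each (ceiling)."""
    return max(1, -(-total_mbps // IDSM2_MBPS))


def vlan_list(vlans: Iterable[int]) -> str:
    """Compress VLAN ids into IOS range notation, e.g. 10-20,300-310."""
    ids = sorted(set(vlans))
    if not ids:
        return ""
    chunks, start, prev = [], ids[0], ids[0]
    for vlan in ids[1:] + [None]:   # None is a sentinel that flushes the last run
        if vlan is not None and vlan == prev + 1:
            prev = vlan
            continue
        chunks.append(str(start) if start == prev else f"{start}-{prev}")
        start = prev = vlan
    return ",".join(chunks)


def render_switch_config(slot: int, pairs: List[VlanPair]) -> List[str]:
    """Trunk every original and helper VLAN to data-port 1, as in the IOS steps above."""
    allowed = vlan_list([p.original for p in pairs] + [p.helper for p in pairs])
    return [
        f"intrusion-detection module {slot} data-port 1 trunk allowed-vlan {allowed}",
        f"intrusion-detection module {slot} data-port 1 autostate include",
    ]


def render_sensor_config(pairs: List[VlanPair],
                         interface: str = "GigabitEthernet0/7") -> List[str]:
    """Sensor-side 'service interface' block: one inline-vlan-pair subinterface per pair."""
    lines = ["service interface", f"physical-interface {interface}",
             "admin-state enabled", "subinterface-type inline-vlan-pair"]
    for n, p in enumerate(pairs, start=1):
        lines += [f"subinterface {n}", f"vlan1 {p.original}", f"vlan2 {p.helper}",
                  f"description pair-{p.original}-{p.helper}", "exit"]
    return lines + ["exit", "exit", "exit"]


def render_gateway_move(pair: VlanPair, gateway_ip: str, mask: str) -> List[str]:
    """Move the SVI from the original VLAN to the helper VLAN so hosts must cross the sensor.

    Only the VLAN changes; the IP address and mask stay the same. No host may be
    placed in the helper VLAN afterwards, or its traffic bypasses inspection.
    """
    return [f"interface vlan {pair.original}", " no ip address",
            f"interface vlan {pair.helper}", f" ip address {gateway_ip} {mask}"]


if __name__ == "__main__":
    # Constructed sample: the thread's VLANs 10-20 and 300-310, +500 offset, module in slot 5.
    plan = plan_pairs(list(range(10, 21)) + list(range(300, 311)), existing=[1, 100, 201])
    print("\n".join(render_switch_config(5, plan)))
    print("\n".join(render_sensor_config(plan)))
    print("\n".join(render_gateway_move(plan[0], "192.168.10.1", "255.255.255.0")))
    print("modules for 1300 Mbps:", modules_needed(1300))
```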

  • IDSM-2 - FWSM

    Hello,
    I have two questions on the IDSM-2:
    1- How can I inspect inline the FWSM outside/dmz interfaces?
    I followed this doc  http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1068377
    I understand that I'm bridging the L2 with the L3 VLANs, but on the FWSM how would that work?
    I have 2 L2 vlans:
    Vlan 20 the outside with my ISP router on the segment.
    Vlan 60 the DMZ with a couple servers.
    My FWSM config:
    firewall multiple-vlan-interfaces
    firewall module 1 vlan-group 10
    firewall vlan-group 10  20,50,60,100
    interface Vlan20
    no ip address
    shutdown
    interface Vlan60
    no ip address
    shutdown
    2 - I also want to inspect my vlan 300 L2 with users and my 301 L3 as SVI
    intrusion-detection module 6 management-port access-vlan 100
    intrusion-detection module 6 data-port 1 trunk allowed-vlan 300,301
    This is correct, right?
    Thank you !

    You have to make an inline VLAN pair for each segment you want to monitor in the IDSM and add each of them to the trunk. For better separation of load, you could divide the VLANs over two different interfaces on the IDSM.
    Please search the forum, I have posted sample configs multiple times and let me know if you are not able to find those old posts.
    Please rate if helpful.
    Regards
    Farrukh

  • IDSM-2

    Hello Dears,
    I'm planning to place IDSM-2 in INLINE VLAN PAIR mode rather than promiscuous mode. Please correct my steps if I'm wrong in the points below.
    Steps to configure the 6500 switch with Cisco IOS for IDSM-2:
    router(config)# intrusion-detection module 13 data-port 1 trunk allowed-vlan all
    Steps to configure IDSM-2 for inline VLAN pairing:
    When we enter yes to modify the interface and virtual sensor configuration,
    we select Edit Interface Configuration,
    we select Add/Modify Inline Vlan Pairs.
    After that we should create as many subinterfaces on gig0/7 or gig0/8 as we have VLAN pairs.
    Set up the inline VLAN pair.
    sensor(config-int-phy)# subinterface-type inline-vlan-pair
    sensor(config-int-phy-inl)# subinterface 1
    sensor(config-int-phy-inl-sub)# vlan1 62
    sensor(config-int-phy-inl-sub)# vlan2 63
    sensor(config-int-phy-inl-sub)# exit
    sensor(config-int-phy-inl)# subinterface 2
    sensor(config-int-phy-inl-sub)# vlan1 72
    sensor(config-int-phy-inl-sub)# vlan2 73
    Thanks

    Estela,
    I am not sure if I understood your questions correctly.
    This is difficult to explain by email.
    Please go through the link below to understand difference between 'inline interface pair mode ' and inline vlan pair mode'
    http://tools.cisco.com/squish/6F956
    Question 1: The above RED HIGHLIGHTED line is confusing me. We can assign VLANs in inline interface pair mode as you have suggested me to use in your above mail??? If so, then can we use as many real VLANs on port gig0/7 and as many virtual VLANs on gig0/8, so that IDSM-2 will bridge between them? Up till now what I'm thinking is that inline interface pair mode supports only 1 set of VLANs, and that too they are access ports.
    Answer:
    Inline interface pair is used when IPS ports are connected to access ports , correct.
    IDSM will bridge only 2 vlans in inline interface pair mode.
    Remember, IDSM in inline interface pair mode has no notions of vlans as such.
    The vlan assignment is done on the 6500 on ports connecting to the IDSM.
    For IDSM,  inline interface pair is like a wire connecting two ports.
    Whatever comes in on one interface, send it out of the other.
    The 6500 ports connecting to the ports on IDSM are access ports belonging in different vlans of the pair.
    Hence IDSM in theory bridges 2 vlans together.
    Question 2:ON what scenarios we need INLINE VLAN PAIR MODE THEN??
    Inline vlan pair is roughly analogous to 'Router on a stick '
    In inline vlan pair mode we have: One physical interface, and a pair of vlans per subinterface.
    Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the pair.
    You can have multiple sub-interface pairs on a single physical interface.
    For a inline vlan pair mode, the IDSM port needs to be connected to a trunk port on the switch side.
    The following example might make it easier to understand
    E.g
    Gig 0/7 - Physical interface
    Inline vlan pair #1
    sub interface 1
    vlan 10
    vlan 20
    Inline vlan pair #2
    sub interface 2
    Vlan 30
    Vlan 40
    On 6500 switch, data-port 1 connects to gig0/7 over backplane.
    data-port 1 needs to be a trunk port.
    When traffic in vlan 10 is received on gig0/7 it's forwarded out of the same interface gig0/7 on vlan 20.
    When traffic in vlan 20 is received on gig0/7 it's forwarded out of the same interface gig0/7 on vlan 10.
    Sub interface 1 is used to associate the pair of vlans 10 and 20 to physical interface gig0/7.
    When traffic in vlan 30 is received on gig0/7 it's forwarded out of the same interface gig0/7 on vlan 40.
    When traffic in vlan 40 is received on gig0/7 it's forwarded out of the same interface gig0/7 on vlan 30.
    Sub interface 2 is used to associate the pair of vlans 30 and 40 to physical interface gig0/7.
    Question 3: In 1 virtual sensor, how many times is traffic passed to the IDSM-2? For example, in inline vlan pair mode, if I want to allow inter-vlan routing from vlan 100 to vlan 200.
    I did not understand the question. For inline interface pair, traffic flows through virtual sensor once for each direction.
    From x > y  one.
    From y back to > x two.
    Go through the design document I wrote and take a look at the packet walk for arp.
    https://supportforums.cisco.com/docs/DOC-12206
    INLINE VLAN PAIR: vlan 1 and vlan2 are real SVI interface  and vlan 100 and vlan 200 are virtual just for pairing.
    vlan 1 to  100
    vlan 2 to 200
    USER-PC                      SWITCH SVI           SWITCH SVI                       USER-PC
    vlan  100----IDSM--------int vlan1 SVI --- ----int vlan2  SVI-------IDSM----vlan 200
    Please correct the above steps for traffic flow from 1 vlan to another. I hope the traffic is passing 2 times to IDSM-2.
    Switch cannot have SVI for 2 vlans. It will do intervlan routing directly without the packet ever going through the IDSM.
    We need  one ip subnet, 2 vlans, and SVI only on one of them.
    Check " Normal intervlan routing " on the design doc: https://supportforums.cisco.com/docs/DOC-12206
    ALSO
    Question 4: I'm also going to place IDSM-2 with FWSM; is any different configuration needed, or will the traffic flow be the same, as it was hitting the switch SVI and now it will hit the FWSM SVI?
    E.g scenario:
    Well say, inside vlan is 100 and outside vlan is 200.
    All hosts reside in inside vlan 100.
    Outside artificial vlan 200 is created to force traffic to go through IDSM.
    Then vlan 100 and vlan 200 share same common ip subnet.
    SVI only exists on vlan 200.
    6500 data port 1  is access port in vlan 100
    6500 data port 2 is access port in vlan 200
    IDSM gig0/7-gig0/8 are a inline interface pair.
    IDSM bridges vlan 100 & 200 together.
    Default gateway for all hosts in vlan 100 and 200 is SVI for 200.
    This SVI can be placed on FWSM, and FWSM can be put it routing mode.
    That way traffic is forced to go through to the FWSM after it passes through the IDSM and back to the switch.
    Sid Chandrachud
    TAC Security Solutions

  • IDSM-2 virtualization with the exception of VLAN groups on inline interface

    Please comment the feature that the IDSM-2 supports virtualization with the exception of VLAN groups on inline interface pairs.
    (http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliAnEng.html)
    How can one configure VLAN groups on inline pairs? Please give an example by CLI.

    The IDSM-2 does support Inline Vlan Pairs as the previous responder described. You can have up to 250 inline vlan pairs on an interface.
    The IDSM-2 does NOT support Vlan Groups on an Inline Interface Pair.
    The Appliances do support Vlan Groups on an Inline Interface Pair because they can have a switch on one side, and another switch (or router, or firewall) on the other side. The 2 devices could then be Trunking multiple vlans through the Appliance.
    You cannot, however, do this with an IDSM-2.
    Vlan IDs are not modified when going through an Inline Interface Pair. Which means the same vlan must exist on both sides of the pair.
    The problem with the IDSM-2 is that for Inline Interface Pair to work each port must be an Access Port for a different vlan. So the Inline Interface Pair joins 2 different vlans. Since it cannot rewrite the vlan headers the packets Must enter the IDSM-2 WITHOUT vlan headers so they can be passed between the 2 different vlans. Since the packets won't have vlan header you can not make vlan groups.
    If you need to rewrite the vlan header (usually because you need more than 1 pair of vlans), then you use Inline Vlan Pairs on a single interface instead of Inline Interface Pairs.

  • Basic configuration IDSM-2

    Hello,
    I have some experience with sensors but this is my first time configuring a C6500 with IDSM-2, and I have some design questions. The first question is this: can I mix the use of VACL and SPAN to capture traffic in the same configuration?
    The customer is actually using VACL to capture traffic from some machines, but he now wants to monitor all the traffic that comes from an external partner through a VPN concentrator, so I assume for this case I should use SPAN to monitor the VPN's port: am I right?
    The config that the customer has is more or less the following:
    intrusion-detection module 1 data-port 1 capture
    intrusion-detection module 1 data-port 1 capture allowed-vlan 1
    intrusion-detection module 1 data-port 2 capture allowed-vlan 1
    vlan access-map ids 10
    match ip address in
    action forward capture
    vlan access-map ids 20
    match ip address out
    action forward
    vlan filter ids vlan-list 1
    ip access-list extended in
    permit ip any host 192.168.1.1
    permit ip host 192.168.1.1 any
    ip access-list extended out
    permit ip any any
    If I want to use SPAN, what is the limitation on the number of source ports I can put in the "monitor session" command?
    Should I send this "span" traffic to sensing interface 8 (data-port 2) or can I still send it to data-port 1 (sensing interface 7)?
    Why are there two sensing interfaces?
    Thanks in advance...
    Ruben

    Does it mean that I can only monitor completely (both directions) one port per monitoring session?
    Correct.
    Also, if I'm using data port 1 with VACL and data port 2 as destination for "monitor session 1", I suppose I cannot also use data port 2 as destination for "monitor session 2".
    An IDSM-2 Data Port can be the destination port for only a single monitor session.
    If this is true, this means that I can only monitor rx and tx simultaneously on one source port per Catalyst box running this image: am I right?
    Correct
    Does it make sense to monitor only the rx direction for ports connecting to FWs, VPNs and WAN routers, or should we monitor both ways?
    If you are going to use port span, then you really need to monitor both tx+rx. The promiscuous sensor can be configured to work when monitoring just a single direction (like just rx), but the sensor will be prone to false positives and false negatives. The sensor really needs to see both directions of TCP connections in order to properly monitor them. To monitor single direction you configure the TCP Reassembly mode to be "asym" which is short for asymmetric. It is generally only used when the sensor is deployed in a network with asymmetric routes.
    I have noticed that in this case we cannot do what the customer wants unless we upgrade the customer's IOS to 12.2(18)SXE or later... With these new IOS versions it is possible to have 128 tx or both sources!
    I haven't read the Span notes on the latest IOS releases. I am glad to hear that the number of both sources has been increased per session.
    Alternatives:
    The alternative to using "both" span on a port basis is to use an "rx" vlan span.
    But you have to be very careful with "rx" spans.
    If the vlan is strictly layer 2 (no ip address assigned to the switch for that vlan), then an "rx" span for the vlan will work well. All traffic coming IN from a firewall will be seen as "rx" packets on the firewall port. All traffic going OUT to the firewall will be seen as "rx" packets from the other switch port where they are entering the vlan. So all packets IN and OUT of the firewall would be seen.
    BUT if the switch itself Does have an IP Address on that vlan, and the switch routes between that vlan and other vlans, then this is no longer true.
    The span works well on physical ports, but the switch's IP address is on a virtual interface in the vlan. This virtual interface does not play well with span in my past experience. The switch has a feature known as MLS (Multi-Layer Switching). The first packets for a TCP connection (the SYN and SYN ACK) are sent through the virtual interface for routing. An "rx" vlan span DOES catch these first packets coming from a virtual interface. BUT additional packets are affected by MLS. Instead of routing the packets through the virtual interface, MLS kicks in and the packets are switched in hardware to the other vlan, and the packet never actually goes through the virtual interface. So the packet will NOT be seen by the "rx" span of the vlan.
    Most users DO use the switch for routing, and so my recommendation is generally to use both tx+rx with Port Span to get the traffic. BUT if you are NOT routing, then the alternative "rx" span on the Vlan will work as well.
