IDSM2 in inline mode

Answered Question
Feb 12th, 2007

Hi All,

There are 2 vlans configured in the 7600 switch, namely 200 and 300. In order to make the switch pass these vlan traffic through the IDSM (IPS inline mode), the following has been configured:

intrusion-detection module 2 data-port 1 trunk allowed-vlan 200,300

Other than this, is there any configuration required for the same? The IOS in the 7600 switch is 12.2(18)SXF4.

Thanking You

Anantha Subramanian Natarajan

marcabal Mon, 02/12/2007 - 08:50

I assume that vlans 200 and 300 both are for the same IP Subnet and you want the IDSM-2 to do inline analysis on packets that the IDSM-2 will bridge between the 2 vlans?

If so then you do have the correct 7600 switch command to set that up.

Now you just need to follow it up with configuration on the IDSM-2 itself.

Session in to the IDSM-2 and run the "setup" command. Select "yes" to modify the virtual sensor and interface configuration.

You will need to create an InLine Vlan Pair Subinterface on Interface GigabitEthernet0/7 (which corresponds to data-port 1) and configure vlans 200 and 300 as the 2 vlans for the Pair.

(NOTE: If running IPS 6.0 you would need to create the InLine Vlan Pair in the interface configuration, and then assign it to vs0 in the virtual sensor configuration. With IPS 5.1 the setup command does both at the same time.)

anasubra_2 Mon, 02/12/2007 - 09:29

Thanks for the reply.

Vlan 200 and 300 are in different IP subnets and I would like the IPS to inspect packets inline for the traffic passing between 200 and 300. Considering this is the case, what would be the configuration difference?

marcabal Mon, 02/12/2007 - 10:36

If vlan 200 and vlan 300 are in different subnets, then the IPS can not be used to pass traffic between the 2 subnets. You need a router or firewall to route the traffic between the 2 subnets.

I presume that since 200 and 300 are different subnets that you already have a router or firewall that routes between the 2 networks?

You won't be replacing it, but instead will be deploying the IPS on one side of it.

So for example with vlan 200 you would want to place the IPS between the machines on vlan 200 and the router's interface on vlan 200.

To do this with an IDSM-2, you have to move the router's interface to a Brand New Vlan.

So create a Brand New Vlan 201.

Then trunk 200 and 201 to your IDSM-2.

Then in the IDSM-2 create a vlan pair of 200 and 201.

Now move the IP Address of the Router/Switch from vlan 200 to vlan 201.

So the switch is now ONLY layer 2 on vlan 200, and is now layer 3 with an IP on vlan 201.

So now logically it looks like this:

vlan200 -- IDSM-2 -- vlan201 -- Router -- vlan300

So for packets that need to go from vlan 200 to vlan 300 the packets have to first pass through the IDSM-2 to vlan 201 before the router/switch will route them to vlan 300.

Packets that need to go from vlan 300 to vlan 200 will get routed from 300 to 201, and have to pass through the IDSM-2 before making it into vlan 200 to the end machine.

But keep in mind that if you also have a vlan 400, then packets between 200 and 400 will Also have to pass through the IDSM-2.

So the IDSM-2 is not specifically monitoring packets between vlan 200 and vlan 300. Instead it is monitoring all packets between vlan 200 and the router for vlan 200. So it monitors all packets between vlan 200 and any other vlan where those packets could be routed to/from.

anasubra_2 Mon, 02/12/2007 - 12:20

Thank you very much. I was able to test the above in the lab switches with IDSM2. Are there any limitations on the number of VLAN pairs on the IDSM side? Also, is there a way to implement the same in the interface pair mode?

Correct Answer
marcabal Mon, 02/12/2007 - 13:02

You can have up to 255 vlan pairs on Gig0/7 (data-port 1), and an additional 255 vlan pairs on Gig0/8 (data-port 2).

But be aware that with version 5.0/5.1 on the IDSM-2 the IDSM-2 will treat all of these pairs as if they were on the same network. This can cause confusion on the sensor if packets are being routed and cross 2 or more inline vlan pairs.

So if you are going to deploy in situations where routing could cause the packets to traverse more than one inline vlan pair then I recommend running IPS version 6.0.

IPS 6.0 can support up to 4 virtual sensors. You can have a different signature and filter configuration in each virtual sensor.

If only deploying 4 inline vlan pairs then you can place one inline vlan pair in each of the 4 virtual sensors.

If you are going to deploy more than 4 virtual sensors, there was also an additional feature added to IPS 6.0 to help handle it.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids13/cliguide/clianeng.htm#wp1038004

You would set the TCP Session Tracking Mode to either "Vlan Only" or "Interface and Vlan", and this would tell the IDSM-2 to track the TCP Sessions uniquely per inline vlan pair and avoid the problem that 5.0/5.1 have.

InLine Interface Pair mode is very similar to InLine Vlan Pair. It will pair 2 vlans.

The difference is in how the Vlans get paired.

In Inline Interface Pair mode you would make both 0/7 and 0/8 (both data-port 1 and 2) access ports. Each port would belong to just a single vlan. You would place 0/7 on one vlan of the pair, and place 0/8 on the second vlan of the pair. The IDSM-2 would then monitor the traffic between the 2 vlans just like it does in InLine Vlan Pair mode. But instead of being passed back and forth on 2 vlans of a single trunk port, they are passed back and forth between 2 access ports.

Since they are access ports, you are limited to just the one set of vlans when doing InLine Interface Pair mode, while InLine Vlan Pair gives you up to 510 vlan pairs.

So I do not recommend using InLine Interface Pair Mode on the IDSM-2.

FYI: Though it does have an advantage when running on an Appliance. An Appliance can connect between 2 switches (an IDSM-2 can not because it is inside the switch). That trunk connection between the 2 switches can carry 4094 vlans. So placing an Appliance in InLine Interface Pair mode between 2 switches on a trunk port does have some advantages.
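The following is an added worked example, not configuration posted by anyone in this thread, that puts the two marcabal answers together: the 7600 side of the "brand new vlan 201" redesign (vlan 200 becomes layer 2 only, the router SVI moves to vlan 201, both vlans are trunked to the IDSM-2), and the IDSM-2 side on IPS 6.0 (the 200/201 inline vlan pair on GigabitEthernet0/7, assigned to vs0, with the TCP session tracking mode set per vlan pair so that traffic crossing more than one pair is not confused). The `intrusion-detection module 2 data-port 1 trunk allowed-vlan` command comes from the thread; the IP address 10.200.0.1/24 is a constructed placeholder for the router's existing vlan 200 address; the IPS 6.0 CLI prompts and the `inline-TCP-session-tracking-mode vlan-only` keyword are written from the IPS 6.0 CLI syntax as I recall it and should be checked against the CLI guide linked above for your exact release. Lines starting with `!` are annotations (an IOS comment), not input to the IDSM-2.

```cisco
! ---- 7600 switch side (IOS 12.2(18)SXF4) ----
! 1. Vlan 200 stays, but becomes layer 2 only: the SVI is removed.
no interface Vlan200
!
! 2. Brand new vlan 201 carries the router's interface for this subnet.
vlan 201
 name IDSM2-routed-side-of-200
!
interface Vlan201
 ! Constructed address: reuse whatever IP vlan 200's SVI had before.
 ip address 10.200.0.1 255.255.255.0
 no shutdown
!
! 3. Trunk both vlans of the pair to data-port 1 (GigabitEthernet0/7 on the IDSM-2).
!    Only 200 and 201 are allowed, so the sensor bridges exactly this pair.
intrusion-detection module 2 data-port 1 trunk allowed-vlan 200,201
!
! ---- IDSM-2 side (IPS 6.0 CLI, sessioned in from the switch) ----
! Interface configuration: define the inline vlan pair on Gig0/7.
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/7
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# vlan1 200
sensor(config-int-phy-inl-sub)# vlan2 201
sensor(config-int-phy-inl-sub)# description hosts on 200 to router SVI on 201
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]: yes
!
! Virtual sensor configuration: assign the pair to vs0 (in 6.0 this is a separate
! step from the interface configuration) and track TCP sessions per vlan pair.
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/7 subinterface-number 1
sensor(config-ana-vir)# inline-TCP-session-tracking-mode vlan-only
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
sensor# show interfaces
```

After applying this, hosts on vlan 200 can only reach the router SVI by passing through the IDSM-2 into vlan 201, which is the logical "vlan200 -- IDSM-2 -- vlan201 -- Router" layout from the thread; as noted above, that also means traffic between vlan 200 and any other routed vlan (300, 400, ...) is inspected, not only 200 to 300. `show interfaces` on the sensor should list GigabitEthernet0/7 subinterface 1 as an inline vlan pair for 200/201; if packets stop flowing after the change, the first things to check are that the SVI for vlan 200 is really gone and that the `allowed-vlan` list on data-port 1 contains both 200 and 201.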
