Configuring IDSM2 and 7600 switch to capture routed interface traffic

Apr 13th, 2007

We are trying to use a VACL to capture routed interface traffic to the IDSM2 to monitor. Below is the sample configuration:

    intrusion-detection module 3 data-port 2 capture
    !
    vlan access-map <name> 10
     match ip address <ACL name>
     action forward capture
    !
    vlan filter <name> interface Serial1/0/0/25:0
    !
    ip access-list extended <ACL name>
     permit ip any any

With the above configuration we are not able to see the captured traffic in the IDSM2. Is it something we are missing on the switch or IDSM side?

Kindly let us know

Thanking You

Regards

Anantha Subramanian Natarajan

marcabal Fri, 04/13/2007 - 09:55

You have not told the IDSM-2 which vlans to look on for the capture packets.

Add:

    intrusion-detection module 2 data-port 2 capture allowed-vlan 1-4094

Understand that the serial interfaces in the user's configuration do not have vlans assigned to them. However, the switch will internally assign them a "hidden" vlan, and the IP address assigned to the serial interface is actually assigned to the "hidden" vlan.

The IDSM-2 needs to monitor this "hidden" vlan. But since you don't know what vlan number is used, you have to tell the IDSM-2 to watch all vlans to ensure it monitors the one the switch decided to use.

So the IDSM-2 needs to monitor the "hidden" vlan assigned to the serial interface.

It must ALSO, however, monitor any vlan to which that traffic may be routed.

If traffic comes in the serial interface on the "hidden" vlan and gets routed to vlan 20, for example, then the IDSM-2 must monitor the "hidden" vlan as well as vlan 20.

Even though the VACL is only applied to the serial interface (actually applied to the "hidden" vlan), the IDSM-2 still has to have vlan 20 in its allowed-vlan list for the capture port.

So setting "allowed-vlan" to 1-4094 ensures you monitor whichever vlan the switch chooses for the "hidden" vlan, as well as ensuring that the IDSM-2 also monitors any vlan to which the traffic may be routed.
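The complete switch-side configuration with the missing allowed-vlan line folded in, as an added example that is not from either poster. It keeps the question's module number (3), data-port (2) and serial interface; the ACL and access-map names are placeholders I chose.

```cisco
! Added example: VACL capture of routed-interface traffic to an IDSM-2 in slot 3.
! Module number, data-port and the serial interface mirror the question above;
! IDS-CAPTURE-ACL and IDS-CAPTURE-MAP are placeholder names.
!
! 1. Classify what gets copied. "permit ip any any" copies every IP packet
!    crossing the filtered VLAN; narrowing this ACL to the hosts or services
!    of interest keeps the load on the capture port down.
ip access-list extended IDS-CAPTURE-ACL
 permit ip any any
!
! 2. VACL: forward matching traffic normally AND copy it to the capture port(s).
vlan access-map IDS-CAPTURE-MAP 10
 match ip address IDS-CAPTURE-ACL
 action forward capture
!
! 3. Apply the VACL to the routed serial interface. Internally the switch
!    attaches it to the "hidden" VLAN that backs the interface.
vlan filter IDS-CAPTURE-MAP interface Serial1/0/0/25:0
!
! 4. Make data-port 2 of the IDSM-2 in slot 3 a capture port ...
intrusion-detection module 3 data-port 2 capture
!
! 5. ... and tell it which VLANs to accept captured frames from. This is the
!    line the question was missing; without it the capture port sees nothing.
!    1-4094 covers the hidden VLAN (number unknown in advance) and any VLAN the
!    packets are routed to after they enter the serial interface.
intrusion-detection module 3 data-port 2 capture allowed-vlan 1-4094
```

To confirm the pieces are in place I would check `show vlan access-map` and `show vlan filter` for the VACL and its binding, and the IDSM-2 data-port counters with `show intrusion-detection module 3 data-port 2 traffic` (that command is from the IDSM-2 switch configuration guides as I remember them; verify it against the IOS release in use). The allowed-vlan range means the sensor receives traffic from every VLAN the VACL copies, so a broad permit ACL on a busy routed interface can oversubscribe the capture port; if the sensor reports drops, tighten the ACL before changing anything on the IDSM side.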

anasubra_2 Fri, 04/13/2007 - 10:37

Hi Marcabal,

Thank you very much ... It worked!!!!

Regards

Anantha Subramanian Natarajan
