IDSM-2 capture configuration

gautamzone
Level 1

Hi friends,

I have enabled capture on the IDSM data-port 1 (Gig0/7). Now, I want to use data port 2 (Gig 0/8) also to capture another segment.

A snippet of my current config is as follows:

ip access-list extended MATCHALL
 permit ip any any
!
vlan access-map CAPTUREALL 10
 match address MATCHALL
 action forward capture
! IOS command is "vlan filter" (no hyphen)
vlan filter CAPTUREALL vlan-list x
!
intrusion-detection module 3 management-port access-vlan 5
intrusion-detection module 3 data-port 1 capture
intrusion-detection module 3 data-port 1 capture allowed-vlan 1-4094
intrusion-detection module 3 data-port 1 autostate include
intrusion-detection module 3 data-port 1 portfast enable

My question is:

If I enable data port 2, then how do I bind a VACL to data port 2 only?

Thanks a lot

Gautam

1 Reply

marcabal
Cisco Employee

You can't bind a VACL to a particular data port.

You can only tell a capture port what vlans to monitor. The capture port will monitor all captured packets from those vlans regardless of what VACL was used to mark those packets as capture packets.

Your data-port 1 is already monitoring all 4094 vlans so there are no additional vlans that data-port 2 would need to capture packets for.

If your switch does routing then your configuration is correct. Even though the VACL is applied to a limited set of a vlan-list X, the packets marked for capture could wind up being routed to any vlan and so all vlans have to be monitored.

NOW you could add additional vlans to your existing vlan-list, or even create another VACL and apply it to a separate vlan list. BUT in either case your data-port 1 would already be configured for monitoring them.

If your switch is NOT doing routing (pretty rare these days), then you do have an alternative. You can change the "capture allowed-vlan" list for data-port 1 to be the same "vlan-list X" that your VACL is assigned to. Then you can create a new VACL and assign it to a list Y, and configure data-port 2 to be a capture port for allowed-vlan list Y.

But this really doesn't gain you a whole lot. You could just simply add vlan list Y to data-port 1 and still monitor everything with data-port 1.

Data-port 2 doesn't really gain you much as a 2nd capture port.

Where data-port 2 comes in handy is when you want to do a different type of monitoring.

Data-port 2 could be set up as a SPAN or RSPAN destination port.

OR data-port 2 could be set up for inline monitoring with inline VLAN pairs.

It is only when you need the second type of monitoring that you can really make use of data-port 2.

For capturing traffic on additional vlans you can just continue to use data-port 1.
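The non-routing alternative described in the reply, written out as an added example (not configuration from the original thread): the VLAN ranges 10-20 (the reply's "list X") and 30-40 ("list Y") and module slot 3 are assumed.

```cisco
! Added example: two VACLs, each captured by its own IDSM-2 data port.
! Only valid when the switch is NOT routing between the two VLAN lists.
ip access-list extended MATCHALL
 permit ip any any
!
! VACL for segment 1, applied to "list X" (assumed VLANs 10-20)
vlan access-map CAPTUREALL 10
 match address MATCHALL
 action forward capture
vlan filter CAPTUREALL vlan-list 10-20
!
! VACL for segment 2, applied to "list Y" (assumed VLANs 30-40)
vlan access-map CAPTURESEG2 10
 match address MATCHALL
 action forward capture
vlan filter CAPTURESEG2 vlan-list 30-40
!
! Data-port 1 is narrowed from 1-4094 to list X only
intrusion-detection module 3 data-port 1 capture
intrusion-detection module 3 data-port 1 capture allowed-vlan 10-20
intrusion-detection module 3 data-port 1 autostate include
intrusion-detection module 3 data-port 1 portfast enable
!
! Data-port 2 becomes a capture port for list Y only
intrusion-detection module 3 data-port 2 capture
intrusion-detection module 3 data-port 2 capture allowed-vlan 30-40
intrusion-detection module 3 data-port 2 autostate include
intrusion-detection module 3 data-port 2 portfast enable
!
! Verification (run from enable mode)
! show vlan access-map
! show vlan filter
```

As the reply notes, once the switch routes between VLANs a packet marked for capture on list X can be forwarded into a VLAN that neither port's allowed-vlan list covers, which is why the single data-port 1 with allowed-vlan 1-4094 remains the safer configuration.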
